Win95.Babylonia.1103
Category: Viruses

This is a memory-resident parasitic Windows virus with worm and backdoor capabilities. It infects Win9x machines only, and affects several kinds of files there: it infects PE EXE files (Windows executables) and Windows HLP files, patches the Windows socket library (WSOCK32.DLL) so that copies of the virus are sent out over the Internet, drops an additional component, and can download "virus plugins" from the Internet and install them on the system.
The virus relies on VxD calls that exist only on Win9x, so it cannot infect WinNT workstations and servers. Several of its techniques had already appeared in earlier viruses: global network spreading in I-Worm.Happy, Windows Help file infection in WinHLP.Demo, and the memory-installation method of Win95.CIH, among others.
Installation
When an infected EXE file is executed, the virus installs itself resident in Windows memory, drops and runs an additional file (the Trojan component), and returns control to the host program.
To go resident, the virus scans the Windows kernel for the addresses of the Windows functions it needs and installs itself as a system driver (VxD): it allocates a block of VxD memory, copies itself there, and hooks the IFS API (the disk file-access functions). To switch from application level to driver level (from Ring3 to Ring0), it uses the well-known trick with the interrupt descriptor table (IDT): a gate entry is planted in the IDT so that a software interrupt lands in virus code running at Ring0.
The virus then creates an additional 4K PE EXE file in the root of drive C: - C:\BABYLONIA.EXE. This is a virus component that is later run as a stand-alone application and provides the additional virus features. The image of this file is stored in compressed form and occupies less than 2K in the virus body. The virus uses aPLib compression for these data, as well as elsewhere (in its plugins).
While going resident, the virus scans the loaded system drivers for AVP9* and SPID* drivers (anti-virus monitors) and patches them so that they can no longer open files for scanning. This routine appears to be buggy: patching the AVP Monitor causes a system error, and the virus then fails to install itself at all.
Infecting EXE files
The virus' IFS API hook intercepts three kinds of file-access functions: reading/modifying file attributes, file opening, and file renaming. In all three cases the virus passes control to its infection routine.
When a PE EXE file is accessed, the virus checks its internal format and infects it at the end of the file: it writes itself to the end of the last section and increases that section's size. Where the file has a large enough relocation (fixup) section, the virus instead disables that section and writes itself into it; in that case the file size does not change.
To gain control when an infected file is executed, the virus does not touch the program's entry address but patches the code of the entry routine instead. This is "Entry Point Obscuring" (EPO): the virus scans the code at the entry point and overwrites an instruction somewhere in it with a CALL to the virus body, so the entry point field in the header still points at the original code.
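The two infection layouts described above (last section enlarged; relocation section taken over with no change in file size) and the EPO behaviour can be made concrete with an added example that is not part of the original description: a minimal PE32 section-table parser, a constructed two-section sample file, two functions that mimic the structural change of each layout on that sample, and the comparison against a known-good copy that a responder would run. The sample file, the filler payload and all function names are assumptions made for this example; the exact bytes the virus writes are not on the page and are replaced by NOP filler.

```python
"""Constructed example: PE32 section-table triage for the two infection layouts
described above. The sample PE, the filler payload and all names here are
assumptions for this example, not the virus' own code or data."""
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
RELOC_DIR = 96 + 5 * 8          # base-relocation data directory inside a PE32 optional header
SCN_CODE_X_R = 0x00000020 | 0x20000000 | 0x40000000   # CNT_CODE | MEM_EXECUTE | MEM_READ
SCN_DATA_R = 0x00000040 | 0x40000000                  # CNT_INITIALIZED_DATA | MEM_READ


def _section_header(name, vsize, va, rawsize, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe():
    """Constructed two-section PE32 (.text + .reloc): valid headers, not a runnable program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint (inside .text)
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, RELOC_DIR, 0x2000, 0x10)      # relocation directory -> .reloc
    secs = _section_header(b".text", 0x100, 0x1000, 0x200, 0x200, SCN_CODE_X_R)
    secs += _section_header(b".reloc", 0x10, 0x2000, 0x200, 0x400, SCN_DATA_R)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0") + b"\0" * 0x200   # .text (RET) + empty .reloc


def parse_pe(data):
    """Read entry RVA, relocation directory and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    reloc_dir = struct.unpack_from("<II", data, opt + RELOC_DIR)
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "hdr_off": off})
    return {"entry": entry, "reloc_dir": reloc_dir, "sections": sections, "opt": opt}


def grow_last_section(data, payload):
    """Mimic layout 1: payload appended after the last section's data, that section's sizes bumped."""
    last = parse_pe(data)["sections"][-1]
    payload = payload.ljust(-(-len(payload) // FILE_ALIGN) * FILE_ALIGN, b"\0")
    end = last["rawptr"] + last["rawsize"]
    out = bytearray(data[:end]) + payload + data[end:]
    new_raw = last["rawsize"] + len(payload)
    struct.pack_into("<I", out, last["hdr_off"] + 8, max(last["vsize"], new_raw))   # VirtualSize
    struct.pack_into("<I", out, last["hdr_off"] + 16, new_raw)                      # SizeOfRawData
    return bytes(out)


def hijack_reloc_section(data, payload):
    """Mimic layout 2: relocation directory zeroed, payload overwrites .reloc data, size unchanged."""
    info = parse_pe(data)
    reloc = next(s for s in info["sections"] if s["name"] == ".reloc")
    if len(payload) > reloc["rawsize"]:
        raise ValueError("payload does not fit in the relocation section")
    out = bytearray(data)
    struct.pack_into("<II", out, info["opt"] + RELOC_DIR, 0, 0)
    out[reloc["rawptr"]:reloc["rawptr"] + len(payload)] = payload
    return bytes(out)


def compare(clean, suspect):
    """Baseline comparison against a known-good copy; returns a list of findings."""
    a, b = parse_pe(clean), parse_pe(suspect)
    findings = []
    if len(suspect) != len(clean):
        findings.append(f"file size changed by {len(suspect) - len(clean):+d} bytes")
    for sa, sb in zip(a["sections"], b["sections"]):
        if sb["rawsize"] != sa["rawsize"]:
            findings.append(f"section {sa['name']} raw size {sa['rawsize']:#x} -> {sb['rawsize']:#x}")
        elif (clean[sa["rawptr"]:sa["rawptr"] + sa["rawsize"]]
              != suspect[sb["rawptr"]:sb["rawptr"] + sb["rawsize"]]):
            findings.append(f"section {sa['name']} contents changed, size unchanged")
    if a["reloc_dir"] != (0, 0) and b["reloc_dir"] == (0, 0):
        findings.append("base relocation directory cleared")
    if findings and a["entry"] == b["entry"]:
        findings.append("entry point RVA unchanged (an entry-point check alone would miss this)")
    return findings


if __name__ == "__main__":
    clean = build_sample_pe()
    for label, suspect in (("grown", grow_last_section(clean, b"\x90" * 100)),
                           ("hijacked", hijack_reloc_section(clean, b"\x90" * 100))):
        print(label, compare(clean, suspect))
```

The point of the last finding is the one the description makes: because of EPO, the entry point field is identical in clean and infected copies, so a scanner that only checks whether the entry point lies in the last section misses both layouts; the section table and the relocation directory are what change.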
Infecting Windows help files (.HLP)
When infecting a Windows HLP file, the virus inserts a script routine that is activated every time the file is opened by the Windows Help system: it modifies the internal HLP structure, adds its script to the "SYSTEM" area, converts its code into a polymorphic start-up routine and embeds that routine in the script.
By means of a trick, the virus script forces the Help system to execute specially prepared data as a Win32 binary; these data are embedded in one of the instructions of the script. They form the polymorphic "start-up" routine, which rebuilds the main virus code and runs it as a Win32 application. The virus installation routine then takes control and installs the virus as described above.
Infecting WSOCK32.DLL
When infecting WSOCK32.DLL, the virus locates the "send" function and patches it with a short routine that hands control to the memory-resident virus copy. Once an infected WSOCK32.DLL is loaded, the virus filters the data being sent, and whenever an e-mail message goes out it appends an infected attachment. If the message already has an attachment the virus appends its own anyway, so the resulting message carries two or more attached files.
The attached file is a Win32 PE executable named X-MAS.EXE. A virus routine is meant to choose a name from the list below depending on the current month, but it fails, so the name is always X-MAS.EXE. The full list of names is:
I-WATCH-U BABILONIA X-MAS SURPRISE! JESUS BUHH CHOCOLATE

This file is about 17Kb long (6Kb of host file and 11Kb of virus code; the virus normally does not infect files shorter than 8Kb, but makes an exception for exactly this file, which is what goes into the attachment). When it is run, the virus installs itself and returns control to the host program. The host then opens every file in the current directory, the Windows directory and the Windows system directory; since the resident virus copy is already installed, the PE EXE files in those directories are infected through the file-open hook.
The host file then displays two fake messages:
Loader Error
API not found!

Loader Error
Windows xx required!
This program will be terminated.

where 'xx' is '95' or 'NT' - under Win9x 'NT' is displayed, under WinNT - '95'.
Additional components and plugins
While installing itself, the virus creates the C:\BABYLONIA.EXE file and writes a Trojan program (better described as a virus backdoor) into it. This is a stand-alone program that shares no code or calls with the virus. The virus never infects it: the file is about 4Kb long, and the virus does not infect files shorter than 8Kb. This Trojan component has more functionality than the "parent" virus.
When BABYLONIA.EXE is executed, it registers itself as a "service process" (so it does not appear in the task list). It then copies itself to the Windows system directory under the name KERNEL32.EXE (a name-game with the standard KERNEL32.DLL library) and registers that file in the auto-run key of the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The Trojan then connects to a hackers' Web site based in Japan and fetches "vecna/virus.txt" from there. This file holds a list of additional files; the Trojan downloads them one by one and processes each. If there is no Internet connection, or the site or the files are unreachable, the Trojan stays in Windows memory and retries the connection and download every minute. Once the files have been downloaded and processed, the Trojan exits.
The files on the site have a special format: a header ID stamp "VMOD", then a version stamp, then the address of the "main" routine in the file. These "main" routines are Win32 code; the virus locates them and calls them. The data files from the site are thus downloaded and executed as "virus plugins", and through them the virus author can do whatever he likes with infected computers: upgrade the virus, install Trojans and backdoors, corrupt data, and so on.
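As an added example (not the virus' or the site's code), the loader-side check that a plugin mechanism of this shape calls for: a parser for a "VMOD" container that verifies the ID stamp and refuses a "main" address that points outside the file, plus a scanner that locates such headers inside a larger blob such as a browser cache or a disk image. The page gives only the field order, so the field widths (a 4-byte little-endian version and a 4-byte little-endian file offset) and the sample data are assumptions made here.

```python
"""Constructed example: parsing and validating a "VMOD" plugin container.

Assumed layout (the description gives the field order only, not the widths):
  0x00  4 bytes  ID stamp b"VMOD"
  0x04  4 bytes  version stamp, little-endian
  0x08  4 bytes  file offset of the "main" routine, little-endian
  0x0C  ...      body (the "main" routine lives somewhere in here)
"""
import struct

MAGIC = b"VMOD"
HEADER = struct.Struct("<4sII")   # id stamp, version, main offset


class BadPlugin(ValueError):
    """Raised for any container the loader must refuse to dispatch into."""


def parse_vmod(blob):
    """Return (version, main_offset) after checking the stamp and that main lies inside the body."""
    if len(blob) < HEADER.size:
        raise BadPlugin("truncated header")
    magic, version, main_off = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise BadPlugin("bad ID stamp")
    # The "main" address is attacker-controlled data; never call through it unchecked.
    if not HEADER.size <= main_off < len(blob):
        raise BadPlugin(f"main offset {main_off:#x} lies outside the body")
    return version, main_off


def scan_for_vmod(data):
    """Find every well-formed VMOD header inside a larger blob (cache dump, disk image)."""
    hits = []
    pos = data.find(MAGIC)
    while pos != -1:
        try:
            version, main_off = parse_vmod(data[pos:])
            hits.append((pos, version, pos + main_off))   # absolute offset of the main routine
        except BadPlugin:
            pass
        pos = data.find(MAGIC, pos + 1)
    return hits


def build_vmod(version, body, main_rel):
    """Construct a container whose main routine starts main_rel bytes into body (test data)."""
    return HEADER.pack(MAGIC, version, HEADER.size + main_rel) + body


if __name__ == "__main__":
    body = b"\x90" * 16 + b"\xC3" + b"\0" * 7          # constructed filler, not real plugin code
    good = build_vmod(1, body, 16)
    print(parse_vmod(good))
    print(scan_for_vmod(b"junk" * 5 + good + b"\0" * 3 + HEADER.pack(MAGIC, 1, 0x1000) + body))
```

The scanner reports the absolute offset of each main routine, which is the address to hand to a disassembler when triaging recovered plugin files; a header whose main offset falls outside the recovered data is listed by the parser's exception rather than silently dispatched.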
At the time of analysis, four "plugins" had been found. The first, DROPPER.DAT, creates the C:\INSTALAR.EXE file, writes a program into it, runs it and deletes the file. This EXE is the same file that is sent as the e-mail attachment. So if the virus copies are cleaned from a system but the Trojan component is left in place, it will download and reinstall the virus.
The second file (GREETZ.DAT) checks the date and time and, in January from the 15th onwards, between 05:00 and 20:00 local time, writes to C:\AUTOEXEC.BAT a set of commands that display the following message:
W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
---
Eu boto fogo na Babilonia!
(The two Portuguese lines read "Hugs to the Brazilian crowd!!!" and "I set fire to Babylon!".)

The third plugin (IRCWORM.DAT) installs an mIRC worm that spreads over mIRC channels as the files "2kBug-MircFix.EXE" and "2kbugfix.ini" (this was not tested in the lab, but the virus appears to have a bug here and the mIRC worm cannot spread).
The fourth plugin (POLL.DAT) reports an infected computer to the virus author: it sends a message to "babylonia_counter@hotmail.com" with the following text:
Quando o mestre chegara?
(Portuguese: "When will the master arrive?")
These messages are not intercepted by the resident virus copy, so no infected attachment is appended to them. To avoid repeated reports, the plugin creates a file named "05_12_99" in the Windows system directory; if that file already exists, the plugin exits without sending any e-mail.



© 2006-2008 spyware32.com