

PE_Babylonia
aka serialz.hlp, X-MAS.EXE

 

A memory-resident virus with worm and backdoor capabilities that infects only Win9x machines.
This virus propagates mainly via mIRC as well as by email (similar to TROJ_SKA). It was originally posted to an Internet newsgroup as a Windows Help file named serialz.hlp, disguised as a Y2K bug fix. When the Windows Help file is launched, the virus enters the computer system. The virus writers were able to update and change its payload and trigger remotely until the server containing the plug-ins was shut down. This virus is in the wild and is spreading quickly.
There are also reports that this virus can propagate via email as an attachment named X-MAS.EXE.

The virus uses VxD calls that are allowed on Win9x computers only, so it is not able to infect WinNT stations and servers. It uses several features already found in other computer viruses: network spreading, as in the "I-Worm.Happy" virus; Windows Help file infection, as in "WinHLP.Demo"; and memory installation, as in "Win95.CIH" and others.

When an infected user logs onto mIRC, the virus is automatically sent to everyone in the same mIRC chat room as the infected user. The virus is sent out disguised as a Y2K bug fix, and once this file is executed, the virus infects other 32-bit EXE program files as well as Windows Help files. The virus also tries to modify the system to display the following message when booting the infected computer:

W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
--- Eu boto fogo na Babilonia!

This virus also sends an email to babylonia_counter@hotmail.com to track infected computers.

PE_Babylonia has the ability to download its viral components via the Internet. When the virus is executed, it looks for an Internet connection; if one is present, it downloads several files from a web server in Japan. Due to this capability, the virus writer can update this virus and its payload from a central location.

Babylonia.exe appears in the root directory.
kernel32.exe appears in c:\windows\system - exact same file as c:\babylonia.exe.
kernel32.exe appears in ...\run registry settings.
kernel32.exe runs as many threads on the machine.
Programs that are running (.exe files) appear to grow in size and have updated timestamps since the initial infection.
A search of the hard disk reveals a growing list of files of all types appearing with the word "babylonia."
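
The file and registry symptoms listed above can be checked on a mounted copy of a suspect drive. The following is an added example, not part of the original page; the function names, the mount directory and the registry export text are assumptions, and because the page elides the full registry path, any key ending in \Run is inspected.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def find_ci(parent, name):
    """Case-insensitive child lookup (FAT volumes do not fix the case of names)."""
    if parent is None or not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name.lower()), None)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_indicators(drive_root, reg_export=""):
    """Return the page's symptoms found under drive_root (a mounted copy of C:)."""
    root, findings = Path(drive_root), []
    dropper = find_ci(root, "babylonia.exe")
    copy = find_ci(find_ci(find_ci(root, "windows"), "system"), "kernel32.exe")
    dropper = dropper if dropper and dropper.is_file() else None
    copy = copy if copy and copy.is_file() else None
    if dropper:
        findings.append("babylonia.exe in root directory")
    if copy:  # kernel32.exe, not the system's own kernel32.dll
        findings.append("kernel32.exe in windows\\system")
        if dropper and sha256(dropper) == sha256(copy):
            findings.append("kernel32.exe is byte-identical to babylonia.exe")
    in_run_key = False  # assumption: any exported key path ending in \Run counts
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("["):  # section header names the key that follows
            in_run_key = bool(re.search(r"\\run\]$", line, re.IGNORECASE))
        elif in_run_key and "kernel32.exe" in line.lower():
            findings.append("kernel32.exe referenced in a Run key")
    # Files of any type with "babylonia" in the name, other than the dropper.
    extra = [p for p in root.rglob("*")
             if p.is_file() and "babylonia" in p.name.lower() and p != dropper]
    if extra:
        findings.append(f"{len(extra)} other file(s) with babylonia in the name")
    return findings

if __name__ == "__main__":
    # Constructed sample tree and registry export, not data from a real host.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "WINDOWS", "SYSTEM").mkdir(parents=True)
        Path(d, "BABYLONIA.EXE").write_bytes(b"constructed sample")
        Path(d, "WINDOWS", "SYSTEM", "KERNEL32.EXE").write_bytes(b"constructed sample")
        reg = '[HKEY_LOCAL_MACHINE\\EXAMPLE\\Run]\n"k"="C:\\\\WINDOWS\\\\SYSTEM\\\\KERNEL32.EXE"'
        print("\n".join(check_indicators(d, reg)))
```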

After infection, the virus looks for an Internet connection. If it finds one, it begins polling a hacker's Internet website in Japan every 60 seconds, looking for new "plug-ins." These plug-ins can be altered at will by the virus writer remotely, which makes them dangerous. The virus writers may get passwords, credit card details and other secured information from computers, or send out destructive payloads. Currently, there are four "plug-ins" that the virus downloads.

This is the first time a virus has had the capability of having its instructions altered by the virus author remotely and on demand.

 


 

http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001