Babylonia

 Virus Information - Babylonia:

This is the first virus that is capable of infecting Windows Help (HLP) files. This virus has capabilities of both virus and trojan. Babylonia virus infects 32 Bit(PE) executable (EXE) and Windows help (HLP) files under Windows 95 and Windows 98. It does not work under Windows NT. Once the infected file is executed it stays in memory. The virus infects the target files when they are accessed. The size of the file will be increased during the infection. This virus infects Windows help files by inserting its code in the system area of the help files.

This virus patches WSOCK32.DLL file similar to Happy99 trojan. Because of this Babylonia will be able to intercept email message sent out and the virus will attach an infected file to the messages sent. The attachment will be named as X-MAS.EXE

When the virus is run for the first time it copies a file called BABYLONIA.EXE to the root directory of C drive and executes it. This file will then be copied to the \windows\system directory as KERNEL32.EXE. The Windows registry will be modified to run this file as a service every time the computer is re-started. The registry key that is modified is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The virus also has a unique capability of downloading further components of itself from a web site in Japan. The web site can be configured to deliver additional features to the virus.