Babylonia: dangerous blend of computer virus, Internet-worm and "Trojan horse"

06 Dec 1999
Virus News

Please update your AVP anti-virus database

Kaspersky Lab Int. announces the discovery of the Win95.Babylonia virus, which combines the capabilities of an Internet worm and a "Trojan horse" program. The virus has been reported "in the wild" in the United States, Europe and Australia. Because of its new, improved backdoor features, the virus should be considered very dangerous. We recommend that AVP users update their anti-virus databases with the emergency update.

Technical Characteristics

This is a memory-resident parasitic Windows virus with worm and backdoor capabilities. It infects Win9x machines only and affects several types of files on them: PE EXE files (Windows executables) and Windows HLP files. It also modifies the Windows socket library to send copies of itself over the Internet, drops additional components, and is able to download "virus plugins" from the Internet and install them on the system.

The virus uses VxD calls that are available on Win9x computers only, so it cannot infect WinNT workstations and servers. It combines several techniques already seen in other computer viruses: network spreading from the "I-Worm.Happy" virus, Windows Help file infection from "WinHLP.Demo", memory installation from "Win95.CIH", etc.

Infection Indication

There are several ways to check whether your computer is infected with the Win95.Babylonia virus.

  • Check whether a file KERNEL32.EXE is present in the Windows system directory (usually /Windows/System)
  • Check whether a file BABYLONIA.EXE is present in the root directory of drive C:
  • Check the Windows registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run for an entry that runs KERNEL32.EXE

Infection Prevention and Removal

To prevent infection with the Win95.Babylonia virus, do not open the following files if they arrive on your computer:

X-MAS.EXE
2KBUG-MIRCFIX.EXE
2KBUGFIX.INI

We recommend that you delete these files immediately when they arrive on your system.
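As an added illustration (not part of the Kaspersky bulletin), the checks from the two sections above turned into a small offline scanner: it takes a constructed snapshot of a file listing, the Run key's values and incoming attachment names, matches case-insensitively as the Win9x file system does, and extracts the executable name from each Run value instead of comparing the raw string, so a quoted path with arguments still matches. The sample host data and the helper names are constructed for this example.

```python
import ntpath

# Indicators as listed in the bulletin; all sample data below is constructed.
DROPPED_FILES = (r"C:\WINDOWS\SYSTEM\KERNEL32.EXE", r"C:\BABYLONIA.EXE")
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_IMAGE = "KERNEL32.EXE"
DROPPER_NAMES = {"X-MAS.EXE", "2KBUG-MIRCFIX.EXE", "2KBUGFIX.INI"}

def image_from_run_value(command):
    """Upper-cased file name of the program a Run value starts.

    Accepts a quoted path with arguments ('"C:\\X\\Y.EXE" /s') or a bare
    name ('SysTray.Exe'); an unquoted path containing spaces is cut at
    the first space, which is also what the shell tries first.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        image = command[1:end] if end > 0 else command[1:]
    else:
        image = command.split(" ", 1)[0]
    return ntpath.basename(image).upper()

def scan(files, run_values, attachments):
    """Return findings for a host snapshot (empty list when clean).

    files: full paths on disk; run_values: {name: command} under the Run
    key; attachments: file names of incoming e-mail attachments.
    """
    findings = []
    present = {f.upper() for f in files}  # Win9x paths are case-insensitive
    for path in DROPPED_FILES:
        if path in present:
            findings.append(f"dropped file present: {path}")
    for name, command in run_values.items():
        if image_from_run_value(command) == RUN_IMAGE:
            findings.append(f"autostart {RUN_KEY}\\{name} runs {command}")
    for name in attachments:
        if name.upper() in DROPPER_NAMES:
            findings.append(f"known dropper attachment: {name}")
    return findings

# Constructed snapshot of an infected Win9x host (not real telemetry).
SAMPLE_FILES = [r"c:\windows\system\kernel32.dll",  # legitimate, must not match
               r"c:\windows\system\Kernel32.exe", r"C:\BABYLONIA.EXE"]
SAMPLE_RUN = {"SystemTray": "SysTray.Exe",
              "kernel32": r'"C:\WINDOWS\SYSTEM\KERNEL32.EXE"'}
SAMPLE_ATTACHMENTS = ["2kbugfix.ini", "report.doc"]
```

On a real host the three inputs would come from a directory walk, the Run key and the mail gateway; the constants at the top are the only Babylonia-specific part, so the same scanner serves other file-and-autostart indicators.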

If you have been infected with this virus, you can remove it with AntiViral Toolkit Pro (AVP) with the emergency update of the anti-virus databases installed.

More Technical Details