Prevent Online Threats

Archive for July, 2008

Win95.Babylonia.11036

Saturday, July 26th, 2008

Details
Win95.Babylonia.11036

This is a memory-resident parasitic Windows virus with worm and backdoor abilities. It infects Win9x machines only. On them it infects PE EXE files (Windows executables) and Windows HLP files, patches the Windows socket library (WSOCK32.DLL) to send copies of itself over the Internet, drops additional components, and can download “virus plugins” from the Internet and install them on the system.
The virus uses VxD calls that exist on Win9x only, so it cannot infect WinNT workstations and servers. Several of its techniques appeared earlier in other viruses: spreading over the Internet (I-Worm.Happy), Windows Help file infection (WinHLP.Demo) and the memory-installation method (Win95.CIH).
Installation
When an infected EXE file is executed, the virus installs itself resident in Windows memory, drops and runs an additional file (the Trojan component) and returns control to the host program.
To become memory resident, the virus scans the Windows kernel for the addresses of the Windows functions it needs and installs itself as a system driver (VxD): it allocates a block of VxD memory, copies itself there and hooks the IFS API (disk file access functions). To switch from application level to system-driver level (from Ring3 to Ring0) it uses the standard trick of patching the interrupt descriptor table (IDT).
The virus then creates an additional 4KB PE EXE file in the root of drive C:, C:\BABYLONIA.EXE. This component runs as a stand-alone application and provides further virus features. Its image is stored in the virus body in compressed form and occupies less than 2KB there; the virus uses the aPLib compression library for this data and for its plugins.
While installing memory resident, the virus scans the loaded system drivers for AVP9* and SPID* (anti-virus monitor VxDs) and patches them so that they can no longer open files for scanning. This routine appears to have a bug: patching the AVP Monitor causes a system error, and the virus then fails to install itself.
Infecting EXE files
The virus's IFS API hook intercepts three kinds of file-access calls: reading/modifying file attributes, file opening and renaming. In all three cases control passes to the infection routine.
When a PE EXE file is accessed, the virus checks its internal format and infects it at the end: it appends itself to the last section, increasing that section's size. If the file has a large enough fixup (relocation) section, the virus instead disables that section and writes itself into it, so the file size does not change.
To gain control when an infected file is executed, the virus leaves the program's entry point address untouched and instead patches the entry routine itself (“Entry Point Obscuring”, EPO): it scans the code at the entry point and overwrites an instruction at some position with a CALL to the virus body.
Infecting Windows help files (.HLP)
When infecting a Windows HLP file, the virus adds a script routine that is activated each time the help file is opened by the Windows Help system: it modifies the internal HLP structure, adds its script to the “SYSTEM” area, converts its code into a polymorphic start-up routine and embeds it in the script.
Using a trick, the script forces the Help system to execute specially prepared data (embedded in one of the script's instructions) as Win32 binary code. This data is the polymorphic start-up routine, which rebuilds the main virus code and runs it as a Win32 application; the installation routine then installs the virus in the system as described above.
Infecting WSOCK32.DLL
When infecting WSOCK32.DLL, the virus locates the “send” function and patches it with a short routine that activates the memory-resident virus copy to send the virus over the Internet. When an infected WSOCK32.DLL is loaded, the virus filters outgoing data, and when an e-mail message is sent it appends an infected attachment. If the message already has an attachment, the virus appends its own anyway, so the message ends up with two or more attached files.
The attached file is a Win32 PE executable named X-MAS.EXE. A virus routine is meant to select one of six name variants depending on the current month, but it fails, so the name is always X-MAS.EXE. The list of names in the virus body is:
I-WATCH-U, BABILONIA, X-MAS, SURPRISE!, JESUS, BUHH, CHOCOLATE

This file is about 17KB long (a 6KB host file plus 11KB of virus code). The virus does not normally infect files shorter than 8KB, but it makes an exception for exactly this attachment file. When the file is run, the virus installs itself in the system and returns control to the host program, which then opens every file in the current directory, the Windows directory and the Windows system directory. Because the resident copy is already installed, the PE EXE files in those directories are infected.
The host file then displays two fake messages:
Loader Error
API not found!

Loader Error
Windows xx required!
This program will be terminated.

where ‘xx’ is ‘95’ or ‘NT’: under Win9x ‘NT’ is displayed, under WinNT ‘95’.
Additional components and plugins
When installing itself, the virus creates C:\BABYLONIA.EXE and writes a Trojan program (more precisely, a backdoor) to it. This is a stand-alone program that is not linked to the virus by code or calls, and the virus never infects it: the file is about 4KB, below the 8KB infection threshold. This Trojan component is more functional than the “parent” virus.
When BABYLONIA.EXE is executed, it registers itself as a “service process” (hidden from the task list). It then copies itself to the Windows system directory as KERNEL32.EXE (a name-game with the standard KERNEL32.DLL library) and registers that file in the auto-run section of the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The Trojan then connects to a hackers' Web site hosted in Japan and downloads the file “vecna/virus.txt”, which lists additional files. It downloads and processes these one by one. If there is no Internet connection, or the site or the files are unreachable, the Trojan stays in Windows memory and retries the connection and download every minute. Once the files have been downloaded and processed, the Trojan exits.
The files on the Web site have a special format: a header ID stamp “VMOD”, then a version stamp, then the address of the “main” routine within the file. The “main” routines are Win32 code; the Trojan locates and calls them. The downloaded files thus act as “virus plugins”, through which the author can do as he wishes with infected computers: upgrade the virus, install Trojans and backdoors, corrupt data, etc.
At the time of analysis four plugins were found. The first, DROPPER.DAT, creates C:\INSTALAR.EXE, writes a program to it, executes it and deletes the file. This EXE is the same file that is sent as an e-mail attachment, so if a system is disinfected but the Trojan component remains, it will download and reinstall the virus.
The second (GREETZ.DAT) checks the date and time; from January 15th onward, between 5:00 and 20:00 local time, it writes to C:\AUTOEXEC.BAT a set of commands that display the following message:
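The page names the three header fields of a plugin file (the “VMOD” stamp, a version stamp and the address of the “main” routine) but not their widths. The parser below is an added example, not code from the virus or from the original analysis: it assumes a 4-byte stamp followed by two little-endian 32-bit words, and shows the checks an analyst's tooling would do before trusting the “main” address that the Trojan itself jumps to blindly. The sample plugin blob is constructed for the example.

```python
import struct

# Assumed layout (the description names the fields but not their sizes; these
# widths are an assumption for this example, not taken from the virus):
#   0x00  4 bytes  ID stamp b"VMOD"
#   0x04  u32 LE   version stamp
#   0x08  u32 LE   file offset of the "main" routine
#   0x0C  ...      plugin body (Win32 code)
VMOD_MAGIC = b"VMOD"
HEADER = struct.Struct("<4sII")


class VmodError(ValueError):
    pass


def parse_vmod(blob: bytes):
    """Validate a VMOD plugin blob and return (version, main_offset, main_bytes).

    Checks: the ID stamp, that the header is complete, and that the "main"
    offset points inside the file and past the header (the Trojan on the page
    performs none of these checks before calling the routine).
    """
    if len(blob) < HEADER.size:
        raise VmodError("blob shorter than the VMOD header")
    magic, version, main_off = HEADER.unpack_from(blob, 0)
    if magic != VMOD_MAGIC:
        raise VmodError(f"bad ID stamp {magic!r}")
    if main_off < HEADER.size or main_off >= len(blob):
        raise VmodError(f"main routine offset {main_off:#x} is outside the file")
    return version, main_off, blob[main_off:]


def is_valid_vmod(blob: bytes) -> bool:
    """Boolean wrapper for triage scripts: True only if every header check passes."""
    try:
        parse_vmod(blob)
        return True
    except VmodError:
        return False


def build_vmod(version: int, body: bytes, main_rel: int = 0) -> bytes:
    """Constructed sample builder: wraps `body` in the assumed header, with
    "main" pointing main_rel bytes into the body."""
    return HEADER.pack(VMOD_MAGIC, version, HEADER.size + main_rel) + body


# Constructed sample: a stand-in body whose "main" is the RET (0xC3) at offset 4.
SAMPLE_PLUGIN = build_vmod(1, b"\x90\x90\x90\x90\xc3\x00\x00\x00", main_rel=4)

if __name__ == "__main__":
    ver, off, code = parse_vmod(SAMPLE_PLUGIN)
    print(f"version={ver} main@{off:#x} first byte={code[0]:#x}")
```

The offset bounds check is the important part: a plugin whose “main” address points outside the file would make the Trojan call into whatever happened to follow the buffer in memory.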
W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!! (Portuguese: “Hugs to the Brazilian crowd!!!”)

Eu boto fogo na Babilonia! (Portuguese: “I set fire to Babylon!”)

The third plugin (IRCWORM.DAT) installs an mIRC worm that spreads through mIRC channels as the files “2kBug-MircFix.EXE” and “2kbugfix.ini”. (This was not tested in the lab; the virus appears to have a bug here and the mIRC worm cannot spread.)
The fourth plugin (POLL.DAT) reports an infected computer to the virus author: it sends a message to “babylonia_counter@hotmail.com” with the text:
Quando o mestre chegara? (Portuguese: “When will the master arrive?”)

These messages are not intercepted by the resident virus copy, so they carry no infected attachment. To avoid duplicate reports, the plugin creates the file “05_12_99” in the Windows system directory; if that file already exists, the plugin exits without sending anything.

Win95.Atom.4790

Saturday, July 26th, 2008

Details
Win95.Atom.4790

This is a non-dangerous memory-resident parasitic Win95/98 virus. Using a programming trick it jumps to the Windows device-driver level, stays resident as a VxD, hooks the Windows IFS API (file access) functions and infects PE EXE files as they are opened. When infecting, it appends a new section named “ATOMIC99” to the end of the file, writes its code there and modifies the program's start-up address.
The virus has a payload routine: while installing memory resident it replaces the mouse arrow cursor with an image of Bill Gates. To do this it writes the image to C:\FILE.CUR and registers it in the registry key:
HKEY_USERS\.Default\Control Panel\Cursors: Arrow = C:\FILE.CUR

The virus also has the text string:
[Windows Forever,Windows Voor Altijd 199x-199x]

Win95.Arianne

Saturday, July 26th, 2008

Details
Win95.Arianne

This is a harmless, non-memory-resident parasitic Win9x virus. It searches for PE EXE files in the current directory and writes itself to the end of each. The virus does not manifest itself in any way. It contains the text strings:
Arianne1 virus - 06/98 -iKx-Industries
.t00fic

Win95.Apop

Saturday, July 26th, 2008

Details
Win95.Apop

This is a non-dangerous memory-resident parasitic virus that replicates under Win9x only. It stays in Windows memory as a VxD, hooks file operations (IFS API) and infects PE EXE files as they are opened.
When infecting, the virus writes itself into “caves” (unused space) in the file body, if any exist. The method resembles Win95.CIH: the virus body is split into blocks that are stored in the slack space at the end of PE sections, wherever caves of sufficient size exist.
Depending on the month and its internal counters, the virus ejects the CD drive tray.

Win95.Anxiety.1823

Saturday, July 26th, 2008

Details
Win95.Anxiety.1823

This is a dangerous memory-resident (as a VxD) parasitic virus, about 90% similar to Win95.Harry. Like Harry, Anxiety infects NewEXE (PE) files under Win95. When an infected file is executed, the virus scans the Win95 kernel (the VMM driver) for free space, copies itself there and hooks the IFS API. When NewEXE files are opened, the virus infects them: it writes itself to the end of the file and modifies the NewEXE header so that it gains control when the infected file is executed.
This virus contains the text strings:
Anxiety.Poppy.II by VicodinES
feel the pain, mine not yours!
all alone and I don’t understand
a cry for help and no one answers
will I last for more than a week
will I taste the gunpowder
can I end it all and make it easy
is it sick to ask | is it safe to cry
will I be gone soon
will I last
will you care
will I?

if you don’t hear from me in a while -
say a prayer for me because I have left, never to return.

peaceful goodnight, hopefully…
Vic

Win95.Altar.797

Saturday, July 26th, 2008

Details
Win95.Altar.797

This is a very dangerous memory-resident parasitic Windows virus. It replicates under Win95/98 only and infects PE EXE files (Windows executables) as they are opened: it increases the size of the last file section and writes itself there. To stay memory resident it switches to VxD mode, allocates a block of Windows memory, copies itself there and hooks the IFS API.
The virus is buggy and often halts the system. Depending on a random counter it destroys data on drive C: by overwriting a randomly selected disk sector with the text:
[Altar] by T-2000 / Immortal Riot

The virus also contains the text string:
Awaiting the sacrifice

Win64.Rugrat

Friday, July 25th, 2008

Details
Win64.Rugrat.a

The very first Win64 virus (it targets PE32+ executables for the IA-64 Itanium platform); it searches for and infects PE files.
Rugrat adds its code at the end of the infected file.
Rugrat does not infect files protected by SFC (System File Checker).
It was written by the same coder as Win32.Chiton and uses the same infection method.
Rugrat.a contains errors.
It contains the following text:
Shrug - roy g biv
06/05/04
*4U2NV*

Win32.Zomby

Friday, July 25th, 2008

Details
Win32.Zomby

This is a memory-resident parasitic Win32 virus with backdoor abilities. It infects PE EXE files only, writing itself to the beginning of the file. To return control to the host, the virus restores the original program into a temporary file and runs it.
When an infected program starts, the virus extracts its own code from the infected file, copies it to the Windows system directory as KERNL32.EXE and registers it in the auto-run section of the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run “KRNL”=”Kernl32.exe”

The virus then starts two threads and stays in Windows memory as a hidden application (service process). The first thread extracts and executes the host file; the second sleeps for 30 minutes, then walks the directory trees of the local drives starting from C:\, looking for PE EXE files, and infects them.
The backdoor is the main virus routine. It opens an Internet connection, listens for specific commands and executes the requested function: send system information and passwords, receive and run a file, get/send files, create/remove subdirectories, etc.
Before starting the backdoor, the virus reports its presence to its owner. To do this it connects to one of three hosting accounts, using the hard-coded credentials below:
Page name            User name   Password
www.chat.ru          zo01        zo01zz
ftp.geocities.com    zzo01       ivoryox17
upload.digiweb.com   zo01        zo01zz

It then gathers system information, encrypts it and uploads it to these accounts as GIF files. The information includes RAS (Remote Access Service) data, the computer name and Internet address, the user name, and other details such as the list of logical drives and free disk space.
The virus contains the following text strings:
ZOMBY1 v.1.08 05-24-99
This program is only for educational purposes.
The author takes no responsibility for anything
anyone does with this program.

Win32.Zaprom.2756

Friday, July 25th, 2008

Details
Win32.Zaprom.2756
Zaprom is a memory-resident parasitic Win32 virus that uses a non-standard infection and memory-installation method.
It affects PE EXE files only and infects them in the “middle” of the file: after checking that a file is suitable, the virus reads a block of the code section, appends its encrypted body to it, compresses the result and writes it back into the code section. As a result, the file length does not grow.
When an infected file runs, the virus infects SHELL32.DLL in the Windows system directory. It then hooks two Windows API functions (file opening and execution) and infects the .EXE and .DLL files accessed through them.
Zaprom does not manifest itself. It contains the text string:

PR0Mi$E$/ZLA$H

Win32.Younga.2384

Friday, July 25th, 2008

Details
Win32.Younga.2384.a

This is a dangerous per-process memory-resident parasitic encrypted Win32 virus. When an infected file starts, the virus searches for .EXE and .SCR Win32 executables in the Windows directory and writes itself to the end of each.
It then hooks the CreateFileA function imported by the host program, stays as a background thread of the infected process, and infects files in any directory in which a file is opened.
Six months after infection the virus searches for .TXT files in the victim directory, looks for the text “Microsoft” in them and replaces it with “Youngary”.
The virus contains the “copyright” text strings:
< Yonggary! by Bumblebee >

Win32.Yerg.9412

Friday, July 25th, 2008

Details
Win32.Yerg.9412

This is a relatively harmless, non-memory-resident parasitic encrypted Win32 virus. It searches for Win32 PE EXE applications with .EXE and .SCR file name extensions and infects them.
Upon being run from the A: drive (floppy disk), the virus looks for victim files in the Windows system directory and in all parent directories.
Upon being run from any other drive, the virus looks for files in the current directory and in all parent directories, then on the A: drive.
While infecting, the virus writes itself to the end of the file.
Payload
On the 18th of any month, the virus displays the following message box:

The virus then changes the mouse cursor (it drops a new, UFO-like image to the UFO.ANI file and loads the cursor from there) and opens the Web page “http://www.abduct.com”, which is dedicated to UFOs.
The virus code also contains the following text strings:
YERG
I LOVE YOU DEE
FORGIVE ME DEE
you make me so happy!
if you see this Dee online in the desc i love you
Cell [MATRiX]

Win32.Xorala

Friday, July 25th, 2008

Details
Win32.Xorala
Xorala is a harmless non-resident parasitic Win32 virus. It recursively searches for Win32 PE EXE files in the Windows directory and the Windows system directory and infects them by adding a new section named XOR after the last section of the host and appending the virus code there. The infection size is 2,048 bytes. Files that are already infected are not infected a second time.
The Xorala virus contains the following strings in its code, which can also be found in infected files:

-= XOR 2009 Valhalla =- Assembled 1997 .. Activated 07.2002 - devoted for peace and harmony in universe against war, racism, terrorism and cruel brutality .. remember .. life is the most important thing - not money .. it’s time for a revolution NOW.
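Most entries on this page describe the same family of PE infection: Babylonia, Altar and Weird grow the last section and write the virus there, Atom and Xorala append a new section (“ATOMIC99”, “XOR”), and Babylonia and Vulcano hide the entry with an EPO CALL instead of changing the start-up address. The script below is an added example for this archive, not code from any of the analyses: it parses the PE32 headers, flags those artifacts, and runs an EPO heuristic that looks for a CALL rel32 near the entry point whose target lands in the last section. The two sample executables are constructed in the code (a benign two-section image and an infected variant of it); the section names and flag thresholds are the example's own choices.

```python
import struct
from dataclasses import dataclass

# Section names the entries on this page attribute to specific infectors.
SUSPICIOUS_SECTION_NAMES = {b"ATOMIC99", b"XOR"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: bytes
    vaddr: int
    vsize: int
    raw_ptr: int
    raw_size: int
    flags: int

    def contains_rva(self, rva: int) -> bool:
        return self.vaddr <= rva < self.vaddr + max(self.vsize, self.raw_size)


def parse_pe(data: bytes):
    """Return (entry_rva, [Section]) from a PE32 image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                 # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + i * 40
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0"), vaddr, vsize, rptr, rsize, flags))
    return entry, sections


def triage(data: bytes) -> list:
    """Heuristics for the appending infectors described on this page."""
    entry, sections = parse_pe(data)
    findings, last = [], sections[-1]
    for s in sections:
        if s.name in SUSPICIOUS_SECTION_NAMES:
            findings.append(f"section named {s.name.decode()} (known infector marker)")
    if last.flags & IMAGE_SCN_MEM_EXECUTE and last.flags & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable and executable")
    ep_sec = next((s for s in sections if s.contains_rva(entry)), None)
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif ep_sec is last and len(sections) > 1:
        findings.append("entry point in last section (start-up address redirected)")
    else:
        # EPO heuristic: a CALL rel32 (E8) within 64 bytes of the entry point whose
        # target lands in the last section; the entry RVA itself is left untouched.
        ep_off = ep_sec.raw_ptr + (entry - ep_sec.vaddr)
        window = data[ep_off:ep_off + 64]
        for i in range(len(window) - 4):
            if window[i] == 0xE8:
                rel = struct.unpack_from("<i", window, i + 1)[0]
                if last.contains_rva(entry + i + 5 + rel):
                    findings.append(f"CALL at entry+{i:#x} targets last section (EPO)")
                    break
    return findings


def build_sample_pe(infected: bool) -> bytes:
    """Constructed sample (not a real binary): a two-section PE32. The infected
    variant doubles the last section, marks it executable and patches a CALL
    into the new space right after the host's prologue."""
    text_rva, data_rva, align = 0x1000, 0x2000, 0x200
    text = bytearray(b"\x55\x8b\xec" + b"\x90" * 28 + b"\xc3")  # push ebp; mov ebp,esp; ...; ret
    data_raw = align * (2 if infected else 1)
    data = bytearray(data_raw)
    data_flags = 0xC0000040                                    # initialized data, read/write
    if infected:
        data[align:align + 5] = b"\x60\x90\x90\x61\xc3"         # stand-in body: pushad .. popad; ret
        rel = (data_rva + align) - (text_rva + 3 + 5)           # CALL at entry+3
        text[3:8] = b"\xe8" + struct.pack("<i", rel)
        data_flags |= IMAGE_SCN_MEM_EXECUTE
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 0, 0,
                      len(text), data_raw, 0, text_rva, text_rva, data_rva, 0x400000, 0x1000, align,
                      4, 0, 0, 0, 4, 0, 0, 0x3000, align, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    sec = struct.Struct("<8sIIIIIIHHI")
    hdr = (dos + b"PE\0\0" + coff + opt
           + sec.pack(b".text", len(text), text_rva, align, align, 0, 0, 0, 0, 0x60000020)
           + sec.pack(b".data", data_raw, data_rva, data_raw, 2 * align, 0, 0, 0, 0, data_flags))
    return hdr.ljust(align, b"\0") + bytes(text).ljust(align, b"\0") + bytes(data)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, triage(sample) or ["no findings"])
```

The checks are deliberately structural: none of them needs a signature, which is why an EPO-style CALL patch or a writable-and-executable last section still stands out on an otherwise unknown file. Apop-style cave infection leaves none of these marks, so it is not covered here.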

Win32.Weird

Thursday, July 24th, 2008

Details
Win32.Weird

This is a non-dangerous memory-resident parasitic Win32 virus. It writes itself to the end of PE EXE files (Windows executables) by enlarging the last file section and modifying the PE header fields. The virus copy in an infected file has two parts: a short starter routine (about 1KB of code and data) and the main virus code (about 10KB) encrypted with a simple encryption loop.
When an infected file is executed, the starter takes control, decrypts the second part, drops it into the Windows directory as a PE EXE file with a random name and executes it. The main instance stays memory resident as a hidden Windows application and runs a low-priority thread that periodically walks the drives' directory trees, looking for PE EXE files to infect.
The virus also targets EXPLORER.EXE: it copies it as EXPLORER.E, infects the copy and writes a [rename] entry to WININIT.INI so that the original EXPLORER.EXE is replaced with the infected copy on the next Windows start-up.
The virus has a backdoor. While active as a Windows application it opens an Internet connection and waits for commands from it. Its command set is short compared with other known backdoors, but it lets a remote host upload, download, execute and delete files on the infected machine.
The virus contains the “copyright” text:
#Coded by Weird#
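Three persistence tricks on this page leave artifacts that are easy to check from a disk image or a registry export: Babylonia's Trojan installs itself as KERNEL32.EXE under the Run key, Zomby does the same as Kernl32.exe (value name “KRNL”), and Weird queues a [rename] in WININIT.INI to swap EXPLORER.EXE for its infected copy at the next boot. The script below is an added example for this archive, not code from the analyses: it parses a .reg export of the Run key and a WININIT.INI, flags .EXE images whose name is within one edit of a core system DLL, and lists pending replacements of executables. Both input files are constructed for the example; the value name “Loader” for the Babylonia-style entry and the edit-distance threshold are the example's own assumptions.

```python
import re

# Constructed sample: a .reg export of the Run key with the names the page attributes
# to Babylonia's Trojan (KERNEL32.EXE) and Zomby (Kernl32.exe) beside a benign entry.
# The value name "Loader" is an assumption; the page does not give it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"KRNL"="Kernl32.exe"
"Loader"="C:\\WINDOWS\\SYSTEM\\KERNEL32.EXE"
'''

# Constructed sample WININIT.INI: the [rename] entry Weird writes (destination=source)
# next to an ordinary temp-file deletion (NUL destination).
SAMPLE_WININIT = r'''[rename]
NUL=C:\WINDOWS\TEMP\~setup01.tmp
C:\WINDOWS\EXPLORER.EXE=C:\WINDOWS\EXPLORER.E
'''

SYSTEM_DLL_STEMS = ("kernel32", "user32", "gdi32", "advapi32", "shell32", "wsock32")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter variants such as kernl32 / kernel32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(command: str) -> str:
    """First token of a Run-key command line, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else command


def system_dll_lookalike(path: str):
    """Return the system DLL stem an .EXE name imitates (distance <= 1), else None."""
    base = path.rsplit("\\", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    if not dot or ext != "exe":
        return None
    return next((d for d in SYSTEM_DLL_STEMS if levenshtein(stem, d) <= 1), None)


def parse_run_values(reg_text: str) -> dict:
    """Values under the CurrentVersion Run key in a .reg export (doubled backslashes unescaped)."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
        elif in_run:
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def parse_wininit_renames(ini_text: str) -> list:
    """(destination, source) pairs from the [rename] section; a NUL destination deletes."""
    renames, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "rename" and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            renames.append((dest, src))
    return renames


def triage_persistence(reg_text: str, ini_text: str) -> list:
    findings = []
    for name, cmd in parse_run_values(reg_text).items():
        img = image_path(cmd)
        dll = system_dll_lookalike(img)
        if dll:
            findings.append(f"Run value {name!r} starts {img}, an .EXE imitating {dll}.dll")
    for dest, src in parse_wininit_renames(ini_text):
        if dest.upper() != "NUL" and dest.lower().endswith(".exe"):
            findings.append(f"WININIT.INI will replace {dest} with {src} at next boot")
    return findings


if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_REG, SAMPLE_WININIT):
        print(finding)
```

WININIT.INI entries are processed by the Win9x boot sequence before the shell starts, which is why a queued rename of EXPLORER.EXE is worth checking on a disk image even when the current EXPLORER.EXE is still clean.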

Win32.Wanhope.1834

Thursday, July 24th, 2008

Details
Win32.Wanhope.1834

Wanhope is a harmless non-resident parasitic Win32 virus that recursively searches for Win32 PE EXE files in the Windows directory, the Windows system directory and the directories above them.
When infecting, the virus writes itself to the end of the file.
The virus does not manifest itself in any way.
Wanhope has a bug and can corrupt files while infecting them; corrupted files fail with an illegal-operation error when started.

Win32.Vulcano

Thursday, July 24th, 2008

Details
Win32.Vulcano

This is a memory-resident parasitic Win32 virus. It stays in Windows memory as an application, hooks the file search and file access functions, and infects the PE EXE files those calls return.
The virus uses a polymorphic engine to encrypt its body in infected files, plus an entry-point-obscuring (EPO) trick that hides its entry routine to avoid trivial detection.
It also uses anti-debugging and anti-antivirus tricks.
The virus contains the “copyright” text string:
Win32.Vulcano by Benny/29A
