Experts warn of new, updatable virus

W95.Babylonia uses the Web to upgrade itself -- and could pave the way for smarter viruses with heavy payloads.

Anti-virus firms are warning of a new computer virus that spreads through Internet chat rooms and updates itself automatically with files from the Web.

"This is the tip of the iceberg," on Tuesday said Eric Chien, senior researcher for anti-virus software maker Symantec Corp., who stressed that the virus' capacity to upgrade itself makes it a concern. "Virus writers again are using more network-centric ideas to create viruses."

Symantec (Nasdaq: SYMC) has only encountered two dozen reports of the virus, dubbed W95.Babylonia, since it was discovered on Friday, Dec. 3. Another security firm, Computer Associates Inc. (NYSE: CA), has only encountered 15 reports so far. Currently, the virus infects executible (.EXE) and help (.HLP) files.

While the computer virus has not spread widely and currently has no dangerous payload, anti-virus experts fear that a better-written clone could be more effective in the future.

Or, just as bad for users, the virus writer could decide to add a new payload to the virus. Unique in that it looks at a virus-exchange Web site in Japan for updates, Babylonia is actually just an 11KB program that spreads itself when an infected file is opened and transfers updates from the Web when the host machine is online.

Virus downloads four modules
The current version downloads four modules from the Japanese virus-exchange site. The first module is just another copy of the virus, which could update the virus. The second module is a text file that replaces the autoexec.bat file on the host computer with a new one containing the message:

W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
Eu boto fogo na Babilonia!

The text identifies the writer as Vecna, which Symantec claims is a member of a Latin America virus group known as 29A (or 666 in hexadecimal). The Bubbleboy virus was allegedly created by Zulu, another member of the 29A group.

The third module sends an e-mail message to a Hotmail account established to count the number of computers infected by Babylonia. And the fourth module contains code that causes infected users who use mIRC chat software to send a copy of the virus to everyone in the chat room using the DCC file transfer feature of mIRC.

In most cases, the chat software will notify the recipients that someone is sending them a file. However, users that have DCC downloading set to "automatic" will receive no notification. Unless the file, which parades as a Y2K bug fix (not coincidentally called Y2k bug fix.exe), is run, the user's computer will not be infected with the virus.

However, any or all of these aspects of the virus could change. The writer could add a new set of updates to the Web to change the copies of the virus already infecting users' machines, tweak the methods the virus uses to spread, or even add a destructive payload.

"Tomorrow, it could be using Outlook to spread," said Symantec's Chien, referring to a number of recent viruses, including Melissa and ExploreZip, that have spread by sending themselves using Microsoft (Nasdaq: MSFT) Outlook and its address book.

Ironically, the ability to update a virus resembles the LiveUpdate technology that Symantec uses to keep its virus scanner in touch with the times. The ability to upgrade is one that has been used by the software industry for a few years to fix applications over the Net.

Problematic for home users
"At this point, it is a proof of concept," said Narender Mangalam, director of security products for Computer Associates. "It spreads through chat rooms, it will mainly be a problem for home users, who tend to be more lax about security."

The current form of the virus can be detected by searching for a file called Babylonia.exe on any questionable computer. In addition, computers that show the aforementioned message at start up should be considered infected.

Just remember, however: Tomorrow, all bets are off -- the symptoms could change.