[iwar] Historical posting


From: Fred Cohen (fc@all.net)
To: iwar@onelist.com

Mon, Jan 1, 1999



Date: Tue, 07 Dec 1999 23:06:22 -0800
From: cyberCrime@t...
Subject: Experts warn of new, updatable virus

Experts warn of new, updatable virus

By Robert Lemos, ZDNN

December 7, 1999 2:21 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2405495,00.html

Anti-virus firms warned users on Tuesday of a new computer virus that
spreads through Internet chat rooms and updates itself automatically
with files from the Web. 

"This is the tip of the iceberg," said Eric Chien, senior researcher for
anti-virus software maker Symantec Corp., who stressed that the virus'
capacity to upgrade itself makes it a concern.  "Virus writers again are
using more network-centric ideas to create viruses."

Symantec (Nasdaq: SYMC) has only encountered two dozen reports of the
virus, dubbed W95.Babylonia, since it was discovered on Friday, Dec.  3. 
Another security firm, Computer Associates Inc.  (NYSE: CA), has only
encountered 15 reports so far.  Currently, the virus infects executable
(.EXE) and help (.HLP) files. 

While the computer virus has not spread widely and currently has no
dangerous payload, anti-virus experts fear that a better-written clone
could be more effective in the future. 

Or, just as bad for users, the virus writer could decide to add a new
payload to the virus.  Unique in that it looks at a virus-exchange Web
site in Japan for updates, Babylonia is actually just an 11KB program
that spreads itself when an infected file is opened and transfers
updates from the Web when the host machine is online. 

Virus downloads four modules

The current version downloads four modules from the Japanese
virus-exchange site.  The first module is just another copy of the
virus, which could update the virus.  The second module is a text file
that replaces the autoexec.bat file on the host computer with a new one
containing the message:

     W95/Babylonia by Vecna (c) 1999 
     Greetz to RoadKil and VirusBuster 
     Big thankz to sok4ever webmaster 
     Abracos pra galera brazuca!!! 
     --- 
     Eu boto fogo na Babilonia! 

The text identifies the writer as Vecna, which Symantec claims is a
member of a Latin American virus group known as 29A (or 666 in
hexadecimal).  The Bubbleboy virus was allegedly created by Zulu,
another member of the 29A group. 

The third module sends an e-mail message to a Hotmail account
established to count the number of computers infected by Babylonia.  And
the fourth module contains code that causes infected users who use mIRC
chat software to send a copy of the virus to everyone in the chat room
using the DCC file transfer feature of mIRC. 

In most cases, the chat software will notify the recipients that someone
is sending them a file.  However, users that have DCC downloading set to
"automatic" will receive no notification.  Unless the file, which
parades as a Y2K bug fix (not coincidentally called Y2k bug fix.exe), is
run, the user's computer will not be infected with the virus. 

However, any or all of these aspects of the virus could change.  The
writer could add a new set of updates to the Web to change the copies of
the virus already infecting users' machines, tweak the methods the virus
uses to spread, or even add a destructive payload. 

"Tomorrow, it could be using Outlook to spread," said Symantec's Chien,
referring to a number of recent viruses, including Melissa and
ExploreZip, that have spread by sending themselves using Microsoft
(Nasdaq: MSFT) Outlook and its address book. 

Ironically, the ability to update a virus resembles the LiveUpdate
technology that Symantec uses to keep its virus scanner in touch with
the times.  The ability to upgrade is one that has been used by the
software industry for a few years to fix applications over the Net. 

Problematic for home users

"At this point, it is a proof of concept," said Narender Mangalam,
director of security products for Computer Associates.  "It spreads
through chat rooms, it will mainly be a problem for home users, who tend
to be more lax about security."

The current form of the virus can be detected by searching for a file
called Babylonia.exe on any questionable computer.  In addition,
computers that show the aforementioned message at start up should be
considered infected. 
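A host check for the two indicators the article names, as an added example that is not part of the original post or of the ZDNN article: it looks for a file called Babylonia.exe anywhere under a drive root and for the quoted marker line in autoexec.bat. The sample drive root it builds is constructed for the demo, and, as the closing paragraph warns, these name-based indicators stop working once the virus updates itself.

```python
import os
import tempfile

# Indicators quoted in the article: the dropped file name and the first
# line of the replacement autoexec.bat.  Both are compared case-insensitively.
SUSPECT_FILENAME = "babylonia.exe"
AUTOEXEC_MARKER = "w95/babylonia by vecna"


def find_suspect_files(root):
    """Return every path under `root` whose file name is Babylonia.exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == SUSPECT_FILENAME:
                hits.append(os.path.join(dirpath, name))
    return hits


def autoexec_has_marker(autoexec_path):
    """True if autoexec.bat carries the start-up message the article quotes."""
    try:
        with open(autoexec_path, "r", encoding="latin-1", errors="replace") as fh:
            return any(AUTOEXEC_MARKER in line.lower() for line in fh)
    except OSError:          # no autoexec.bat at all: no evidence either way
        return False


def assess_host(root):
    """Combine both indicators into a verdict for one drive root."""
    files = find_suspect_files(root)
    marker = autoexec_has_marker(os.path.join(root, "autoexec.bat"))
    return {"suspect_files": files, "autoexec_marker": marker,
            "infected": bool(files) or marker}


def build_sample_root(infected):
    """Constructed sample drive root; the planted .exe is a harmless text stub."""
    root = tempfile.mkdtemp(prefix="babylonia_demo_")
    sysdir = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(sysdir)
    with open(os.path.join(root, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\n")
        if infected:
            fh.write("echo W95/Babylonia by Vecna (c) 1999\n")
    if infected:
        with open(os.path.join(sysdir, "Babylonia.exe"), "w") as fh:
            fh.write("constructed placeholder, not a real binary\n")
    return root


if __name__ == "__main__":
    print(assess_host(build_sample_root(infected=True)))
```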

Just remember, however: Tomorrow, all bets are off -- the symptoms could
change.