Subject: - VIRUS ALERT!


December 7, 1999
_____________________________



DESCRIPTION OF W95.BABYLONIA

W95.Babylonia was discovered on Dec 6, 1999. The virus was created by
a member of the 29A virus writing group. It was originally posted to
an Internet news group as a Windows Help file named serialz.hlp, and
appeared to be a list of serial numbers for commercial software. When
this Windows help file is launched, it will introduce the virus into
the computer system. Symantec AntiVirus Research Center (SARC) has
received over 20 submissions of this new virus as of Dec 6, and
believes it to be spreading rapidly worldwide.

W95.Babylonia is a very complex virus that propagates mainly to other
computer users via MIRC. MIRC is a text based communication
application used to chat over the Internet. When an infected user
logs onto MIRC, it will automatically send the virus to everyone
within the same MIRC chat room as the infected user. The virus will
be sent as a Y2K bug fix. Once this file (Y2K bug fix) is executed,
it will infect other 32-bit EXE program files as well as Windows Help
files.

The virus will try to modify the system to display the following
message when booting the infected computer:

    W95/Babylonia by Vecna (c) 1999
    Greetz to RoadKil and VirusBuster
    Big thankz to sok4ever webmaster
    Abracos pra galera brazuca!!!
    ---
    Eu boto fogo na Babilonia!

The virus will also send an email to babylonia_counter@hotmail.com to
track infected computers.

The most interesting part of the virus is the ability to download the
viral components of the virus from the Internet. When the virus is
executed, the virus will wait for an Internet connection. When it
detects that the computer can access the Internet, it will download
several files from a web server in Japan. Because the virus has such
capability, it is possible for the virus writer to update the virus
centrally.



DESCRIPTION OF W32.HLLP.Soft6

W32.HLLP.Soft6 is a Windows NT specific worm that propagates over
Windows NT networks and displays a large message "Hi 2000!" on the
screen. This message is very large and very noticable.  SARC believes
this worm probably cannot spread to different corporations quickly
because it only spreads via network and does not spread via email.
Remember, monitor the SARC site for info on W95.Babylonia. When
updates are ready, updating for one protects you from both.


Alan Bright

Bright Instrument Co.Ltd.
St Margarets Way
Huntingdon
PE18 6EB
England

Tel No:+44 (0)1480 454528
Fax No:+44 (0)1480 456031
Email: AlanBright@brightinstruments.com
Web Site: www.brightinstruments.com