Virus Database

Java.BeanHive

Description Java.BeanHive

The technology used in this virus has several advantages. This multi-component way of infection allows to the virus to hide its code in infected files: the length of files grows by small value, and after brief look the inserted virus code seems to be harmless.
The combination starter-main also allows to virus writer(s) to "upgrade" the virus with new versions just by replacing virus main code on their server.
It is necessary to note, that the virus is able to replicate only under very limited conditions. It is absolutely not able to infect the system being run as Java applet under any of popular Web browsers. The standard security protection cancels any attempts to access disk files, or ever to download remote Java file.
The virus is able to spread only being run as a disk file as Java application by using Java machine.
Technical The virus starter is a short Java program about 40 lines of code. When it takes control, it connects to the remote Web server, downloads main virus code that is saved there in the BeanHive.class file and runs it as a subroutine.
The main virus code is also divided into six parts and stored in six different Java files. These files are downloaded from Web server and run in case of need:
BeanHive.class : searching for files in directory tree
+--- e89a763c.class : file format parsing
|--- a98b34f2.class : file access functions
|--- be93a29f.class : preparing file for infection (part1)
|--- c8f67b45.class : preparing file for infection (part2)
+--- dc98e742.class : inserting virus starter into victim file

While infecting the virus parses internal Java formats, writes into the file the starter's code as a "loadClass" subroutine and adds to file constructor's code the call for this subroutine: loadClass("BeanHive"). The passed parameter ("BeanHive") points to the name of remote file (on the Web server) with the main virus code.

Check other viruses! Be aware! Use Antiviral Software

MMAND.2048

Description MMAND.2048

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except COMMAND.COM) that are executed. The virus contains the text string: "MMAND.COM", this is the only reason to name that virus.

MMCA.505

Description MMCA.505

These are memory resident parasitic viruses. They hook INT 21h and infect COM and EXE files that are executed. They contain texts in Russian.
MMCA.505,882
These are harmless viruses, they do not manifest themselves in any way. They write themselves to the end of COM and EXE files.
MMCA.1131
It is encrypted virus. It writes itself into the middle of COM and EXE files. The virus has a bug, and it can halt the system while infecting a file, or corrupt the file.

Home