Java.BeanHive
Description Java.BeanHive
The technology used in this virus has several advantages. This multi-component way of infection allows to the virus to hide its code in infected files: the length of files grows by small value, and after brief look the inserted virus code seems to be harmless.
The combination starter-main also allows to virus writer(s) to "upgrade" the virus with new versions just by replacing virus main code on their server.
It is necessary to note, that the virus is able to replicate only under very limited conditions. It is absolutely not able to infect the system being run as Java applet under any of popular Web browsers. The standard security protection cancels any attempts to access disk files, or ever to download remote Java file.
The virus is able to spread only being run as a disk file as Java application by using Java machine.
Technical The virus starter is a short Java program about 40 lines of code. When it takes control, it connects to the remote Web server, downloads main virus code that is saved there in the BeanHive.class file and runs it as a subroutine.
The main virus code is also divided into six parts and stored in six different Java files. These files are downloaded from Web server and run in case of need:
BeanHive.class : searching for files in directory tree
+--- e89a763c.class : file format parsing
|--- a98b34f2.class : file access functions
|--- be93a29f.class : preparing file for infection (part1)
|--- c8f67b45.class : preparing file for infection (part2)
+--- dc98e742.class : inserting virus starter into victim file
While infecting the virus parses internal Java formats, writes into the file the starter's code as a "loadClass" subroutine and adds to file constructor's code the call for this subroutine: loadClass("BeanHive"). The passed parameter ("BeanHive") points to the name of remote file (on the Web server) with the main virus code.
Check other viruses! Be aware! Use Antiviral Software
Alex.368
Description Alex.368
This is a nonresident harmless virus. It infects COM files in a standard way (except COMMAND.COM). The virus contains the text string:
The One Night Virus (C) Alex Hacker *.COM
The virus is not memory resident but copies small resident programs into the interrupt vector table. The first program erases text from screen by nice method some times after installation. The second program writes byte FEh to port 60h (?).
ALEX.599
Description ALEX.599
It is a harmless nonmemory resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the text string:
ALEX PATH=*.com
|