Name:  Java.BeanHive
Aliases:  BeanHive
Variants:  
Type:  Java
Status:  not known to be in the wild
Threat:  low
Virus Characteristics
This virus is a Java program that replicates under the Java virtual machine and infects other Java files (applications). It is the second known Java virus, after Java.StrangeBrew.
The virus spreads in a very unusual way. It is divided into two parts, a "starter" and a "main" part. When replicating, the virus infects Java files with its starter only; the main virus code is present only on a remote Web server (the Web server of the Codebreakers hacker group).
When an infected Java application runs, the virus starter reads the main virus code from this remote server and executes it. The main virus routine then searches for Java files in the current directory and all subdirectories and infects them with the virus starter. The main part of the virus code is never copied into victim files and is not present on the infected computer in any file form. It runs on the computer only as a Java program, and no trace of it remains once the virus returns control to the system.
As a result, the virus copies only a small part of its code while infecting; the main virus routines are stored only on the remote server.
This technique gives the virus several advantages. The multi-component infection lets the virus hide its code in infected files: the file length grows only slightly, and at a brief glance the inserted code looks harmless.
The starter/main combination also lets the virus writer(s) "upgrade" the virus with new versions simply by replacing the main virus code on their server.
It should be noted that the virus can replicate only under very limited conditions. It is completely unable to infect the system when run as a Java applet under any of the popular Web browsers: the standard applet security protection blocks any attempt to access disk files, or even to download the remote Java file.
The virus can spread only when run from a disk file as a Java application under the Java virtual machine.
The virus starter is a short Java program of about 40 lines of code. When it takes control, it connects to the remote Web server, downloads the main virus code, which is stored there in the file BeanHive.class, and runs it as a subroutine.
The main virus code is itself divided into five parts stored in five different Java files. These files are downloaded from the Web server and run as needed:
BeanHive.class : searching for files in directory tree
e89a763c.class : file format parsing
a98b34f2.class : file access functions
c8f67b45.class : preparing file for infection
dc98e742.class : inserting virus starter into victim file
While infecting, the virus parses the internal Java class file format, writes the starter's code into the file as a "loadClass" subroutine, and adds to the file's constructor code a call to this subroutine: loadClass("BeanHive"). The passed parameter ("BeanHive") names the remote file (on the Web server) that holds the main virus code.
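As an added example (not from the original description and not code of the virus itself), a small Python check of the kind a scanner could apply to the infection marker described above: it walks the constant pool of a .class file and flags a file whose pool contains both a "loadClass" name and one of the class names listed above. The class file bytes below are constructed for the example (header and constant pool only) and are not a real infected file.

```python
import struct

# Byte widths of the fixed-size constant pool entries (JVM spec 4.4);
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
FIXED_WIDTH = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Class names the description above associates with the remote main code.
BEANHIVE_NAMES = {"BeanHive", "e89a763c", "a98b34f2", "c8f67b45", "dc98e742"}

def utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, index, strings = 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            # Java stores "modified UTF-8"; plain decoding suffices for ASCII names.
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in FIXED_WIDTH:
            pos += FIXED_WIDTH[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    return strings

def beanhive_indicators(data):
    """Flag the starter's signature: a 'loadClass' name together with one of the
    remote class names it resolves. Returns the matched names (empty = clean)."""
    names = set(utf8_constants(data))
    return sorted(names & BEANHIVE_NAMES) if "loadClass" in names else []

def _utf8(s):  # build one CONSTANT_Utf8 entry for the constructed samples
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

# Constructed samples (header + constant pool only, not real infected files).
INFECTED_SAMPLE = (b"\xca\xfe\xba\xbe\x00\x00\x00\x2d\x00\x09"
                   + _utf8("Victim") + b"\x07\x00\x01"        # 1 Utf8, 2 Class
                   + _utf8("loadClass") + _utf8("BeanHive")   # 3, 4 Utf8
                   + b"\x08\x00\x04"                          # 5 String -> #4
                   + b"\x0a\x00\x02\x00\x07"                  # 6 Methodref
                   + b"\x0c\x00\x03\x00\x08"                  # 7 NameAndType
                   + _utf8("(Ljava/lang/String;)Ljava/lang/Class;"))  # 8 Utf8
CLEAN_SAMPLE = (b"\xca\xfe\xba\xbe\x00\x00\x00\x2d\x00\x04"
                + _utf8("Hello") + b"\x07\x00\x01" + _utf8("main"))
```

Requiring both the method name and a known class name keeps ordinary classes that legitimately call ClassLoader.loadClass from being flagged.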