Java.StrangeBrew
This is the first known virus that infects Java class files. It was found in August 1998. It can replicate only when access to disk files is allowed (that is, the Java disk access functions are permitted), i.e. when the infected file is run as a native Java application, not as an applet. The virus cannot replicate when it is run under known browsers: the system displays a warning message and terminates the virus.
When the virus runs as an application, it is able to call the Java disk access functions (searching for, opening, reading, writing and closing files). Using these functions, the virus runs its file search and infection routines: it scans the current directory for uninfected Java classes and infects them. While infecting, the virus opens files as binary data files, reads their headers and parses the internal Java format.
Before running its infection routine, the virus has to access its own code, because it must copy this code into other Java files when infecting them. The virus cannot access its code in memory, since the Java language has no such functions, so it scans the current directory for its own file (the host file), parses its format, scans the file for the virus code and reads it.
The virus then searches for other Java classes (files with the .CLASS name extension), parses them, writes its code into each file and inserts a call to the main virus function into the main class routine.
The virus function is named Strange_Brew_Virus(), which is why the virus was named "StrangeBrew". The "Strange_Brew_Virus" string is also visible in infected files when they are viewed in any text editor.
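The visible string gives a simple detection check. The following is an added example, not part of the original description: it walks a class file's constant pool and reports whether any Utf8 entry contains the function name. The helper names and the two sample inputs are constructed for illustration; the samples hold only a class header and constant pool, not a complete class.

```python
import struct

MARKER = "Strange_Brew_Virus"  # function name quoted on this page

# Bytes following the tag byte for each fixed-size constant-pool entry.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]
    pos, index, found = 10, 1, []
    while index < count:              # pool indices run 1 .. count-1
        if pos >= len(data):
            raise ValueError("truncated constant pool")
        tag = data[pos]
        pos += 1
        if tag == 1:                  # Utf8: u2 length, then the bytes
            if pos + 2 > len(data):
                raise ValueError("truncated constant pool")
            n = struct.unpack_from(">H", data, pos)[0]
            found.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError("unknown constant tag %d" % tag)
        index += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    return found

def has_marker(data: bytes) -> bool:
    """True if any Utf8 constant contains the marker string."""
    return any(MARKER in s for s in utf8_constants(data))

def _sample(*entries: bytes) -> bytes:
    """Constructed input: class header plus constant pool only."""
    slots = sum(2 if e[0] in (5, 6) else 1 for e in entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, slots + 1) + b"".join(entries)

def _utf8(s: str) -> bytes:
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

LONG0 = b"\x05" + bytes(8)
SAMPLE_CLEAN = _sample(_utf8("main"), LONG0)
SAMPLE_MARKED = _sample(_utf8("main"), LONG0, _utf8(MARKER))

if __name__ == "__main__":
    print(has_marker(SAMPLE_CLEAN), has_marker(SAMPLE_MARKED))
```

A hit means the string is present in the constant pool; it is an indicator to investigate, not proof of infection.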