The technology used in this virus has several advantages. This
multi-component way of infection allows to the virus to hide its code in
infected files: the length of files grows by small value, and after brief
look the inserted virus code seems to be harmless.
The combination starter-main also allows to virus writer(s) to “upgrade”
the virus with new versions just by replacing virus main code on their
It is necessary to note, that the virus is able to replicate only under
very limited conditions. It is absolutely not able to infect the system
being run as Java applet under any of popular Web browsers. The standard
security protection cancels any attempts to access disk files, or ever to
download remote Java file.
The virus is able to spread only being run as a disk file as Java
application by using Java machine.
The virus starter is a short Java program about 40 lines of code. When it
takes control, it connects to the remote Web server, downloads main virus
code that is saved there in the BeanHive.class file and runs it as a
The main virus code is also divided into six parts and stored in six
different Java files. These files are downloaded from Web server and run in
case of need:
BeanHive.class : searching for files in directory tree
+— e89a763c.class : file format parsing
|— a98b34f2.class : file access functions
|— be93a29f.class : preparing file for infection (part1)
|— c8f67b45.class : preparing file for infection (part2)
+— dc98e742.class : inserting virus starter into victim file
While infecting the virus parses internal Java formats, writes into the
file the starter’s code as a “loadClass” subroutine and adds to file
constructor’s code the call for this subroutine: loadClass(“BeanHive”).
The passed parameter (“BeanHive”) points to the name of remote file (on the
Web server) with the main virus code.