Virus.Java.StrangeBrew

Class Virus
Platform Java
Description

Technical Details



This is the first known virus infecting Java files (classes). It was found
in August 1998. It is able to replicate only when access to disk files is
allowed (that is, when the Java disk access functions are permitted), i.e.
when the infected file is run as a native Java application rather than as an
applet. The virus is not able to replicate if it is run under known
browsers: the system displays a warning message and terminates the virus.


When the virus is run as an application, it gains the ability to call the
Java disk access functions (file searching, opening, reading, writing and
closing). Using these functions the virus runs its file search and
infection routines: it scans the current directory for uninfected Java
classes and infects them. While infecting, the virus opens the files as
binary data files, reads their headers and parses the internal Java class
file format.


Before running its infection routine the virus has to access its own code,
because it must copy that code into other Java files while infecting them.
The virus cannot access its code in memory, since the Java language has no
functions for that, so it scans the current directory for its own file (the
host file), parses its format, locates the virus code in the file and reads
it.


The virus then searches for other Java classes (files with the .CLASS name
extension), parses them, writes its code into each file and inserts a call
to the main virus function into the class's main routine.


The main virus function is named Strange_Brew_Virus(), which is the reason
the virus was named “StrangeBrew”. The “Strange_Brew_Virus” string is also
visible in infected files when they are viewed in any text editor.
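As an added example that is not part of the original description, the following Python script parses a class file's constant pool (the structure the virus itself has to parse) and checks whether the Strange_Brew_Virus name mentioned above appears as a CONSTANT_Utf8 entry, which is more reliable than a plain text search. The two sample class files are constructed inside the script and consist only of the header and constant pool, which is all the check reads; the marker string is the one the text names.

```python
import struct

# Fixed payload sizes (bytes) of constant pool entries by tag, per the JVM class
# file format; CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

MARKER = "Strange_Brew_Virus"  # method name the description says infected files contain

def utf8_constants(data: bytes):
    """Return all CONSTANT_Utf8 strings from a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    off, idx, out = 10, 1, []
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by modified UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            out.append(data[off:off + n].decode("utf-8", "replace"))
            off += n
        elif tag in _FIXED:
            off += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return out

def looks_infected(data: bytes) -> bool:
    """True if the marker method name is present in the constant pool."""
    return MARKER in utf8_constants(data)

def _utf8(s: str) -> bytes:
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()

def _class_with_pool(*entries: bytes) -> bytes:
    """Constructed helper: header plus constant pool only (no Long/Double entries)."""
    return struct.pack(">IHHH", 0xCAFEBABE, 3, 45, len(entries) + 1) + b"".join(entries)

# Constructed samples: a clean class and one carrying the marker method name.
CLEAN = _class_with_pool(_utf8("Hello"), b"\x07\x00\x01", _utf8("main"))
INFECTED = _class_with_pool(_utf8("Hello"), b"\x07\x00\x01",
                            _utf8("Strange_Brew_Virus"), _utf8("()V"))

if __name__ == "__main__":
    for name, blob in (("CLEAN", CLEAN), ("INFECTED", INFECTED)):
        print(name, "infected" if looks_infected(blob) else "clean")
```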