RealTime IT News

First Java Virus Brewed

The Symantec Antivirus Research Center (SARC) this week reported the first known instance of a Java-based virus.

Strange Brew, as it's called, is what's known as a parasitic virus. A parasitic virus attaches itself to a host program so that the host program is still capable of functioning after it is infected. The Strange Brew virus attaches itself to ".class" files, which are the executables that make up Java applets and applications.

The virus cannot be spread with the Internet Explorer or Netscape Navigator Web browsers because the infected applets will always fail the built-in security checks of the browser, and are promptly "killed."

The Strange Brew virus is also a direct action virus that, once it has infected a file, will attempt to infect other files. When it is finished infecting files, it yields control to the host application and terminates itself.

Once the virus has located a file that is infected by Strange Brew, it will load regions of the infected file into memory, and then start the second phase of the infection process. At this point the virus looks for new files to infect, and it inserts itself into these new "hosts."

Strange Brew infects the new host .class files by making a new section in the file and adding its own program logic to this section before all of the host file's original program logic sections. The virus will try to infect every suitable Java file in the directory it resides in before turning over control to the host application, increasing each infected file's size by roughly 3,890 bytes. It also changes the directory date and time stamp of each infected file.
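The infection described above leaves two observable traces: changed contents and a larger file size across the .class files in one directory. The following is an added example, not part of the original article and not SARC's detection method: a minimal integrity baseline that compares content hashes and reports size growth per file. The function names and the dummy files it builds are assumptions made for illustration.

```python
import hashlib, os, tempfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every valid .class file

def snapshot(directory):
    """Map each .class file in `directory` to (size, SHA-256 of contents)."""
    state = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (name.endswith(".class") and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] == CLASS_MAGIC:  # skip files that are not class files
            state[name] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def changed_files(baseline, current):
    """Return {name: size delta in bytes} for files whose contents changed.
    Hashes are compared, so the result does not depend on time stamps."""
    return {name: size - baseline[name][0]
            for name, (size, digest) in current.items()
            if name in baseline and baseline[name][1] != digest}

def whole_directory_grew(baseline, changed):
    """True when every baselined class file changed and got larger."""
    return bool(baseline) and set(changed) == set(baseline) \
        and all(delta > 0 for delta in changed.values())

def demo():
    """Constructed sample: two dummy class files that each grow by 3,890 bytes."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("A.class", "B.class"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(CLASS_MAGIC + b"\x00" * 100)  # constructed, not real bytecode
        baseline = snapshot(d)
        for name in ("A.class", "B.class"):
            path = os.path.join(d, name)
            mtime = os.stat(path).st_mtime
            with open(path, "ab") as fh:
                fh.write(b"\x00" * 3890)  # constructed padding standing in for added bytes
            os.utime(path, (mtime, mtime))  # put the old time stamp back
        changed = changed_files(baseline, snapshot(d))
        return changed, whole_directory_grew(baseline, changed)

if __name__ == "__main__":
    print(demo())
```

A baseline like this only flags that class files changed; confirming a specific virus still requires vendor definitions such as those SARC posted.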

SARC has provided users with a method of detecting the new Java virus by posting the virus definitions today on the SARC download page.

For more information, see the Strange Brew Virus information on the site.