The Symantec Antivirus Research Center (SARC) this week
reported the first known instance of a Java-based virus.
Strange Brew, as it’s called, is what’s known as a parasitic virus.
A parasitic virus attaches itself to a host program so that the host
program is still capable of functioning after it is infected. The Strange
Brew virus attaches itself to “.class” files, which are the executables
that make up Java applets and applications.
The virus cannot be spread with the Internet Explorer or Netscape Navigator
Web browsers because the infected applets will always fail the built-in
security checks of the browser, and are promptly “killed.”
The Strange Brew virus is also a direct action virus that, once it has
infected a file, will attempt to infect other files. When it is finished
infecting files, it yields control to the host application and terminates.
Once the virus has located a file that is infected by Strange Brew, it will
load regions of the infected file into memory, and then start the second
phase of the infection process. At this point the virus looks for new files
to infect, and it inserts itself into these new “hosts.”
Strange Brew infects the new host .class files by making a new section in
the file and adding its own program logic to this section before all of the
host file’s original program logic sections. The virus will try to infect
every suitable Java file in the directory it resides in before turning over
control to the host application, increasing each infected file’s size by
roughly 3,890 bytes. It also changes the directory date and time stamp of
each infected file.
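
The file changes described above (growth of roughly 3,890 bytes and a new time stamp on each infected .class file) can be watched for with a baseline comparison. The following is an added example, not code from SARC or the original article; the function names, the 256-byte tolerance and the dummy files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java .class file
GROWTH = 3890                      # approximate per-file growth quoted in the article
TOLERANCE = 256                    # assumed slack for "roughly"; tune as needed

def snapshot(directory):
    """Map each .class file in directory to (size, mtime_ns, sha256)."""
    state = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.endswith(".class") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if data[:4] == CLASS_MAGIC:  # skip files that only borrow the extension
            state[name] = (len(data), os.stat(path).st_mtime_ns,
                           hashlib.sha256(data).hexdigest())
    return state

def compare(baseline, current):
    """Return one finding per class file whose content changed since baseline."""
    findings = []
    for name, (size, mtime, digest) in current.items():
        old = baseline.get(name)
        if old is None or old[2] == digest:
            continue
        growth = size - old[0]
        findings.append({"file": name, "growth": growth,
                         "mtime_changed": mtime != old[1],
                         "matches_profile": abs(growth - GROWTH) <= TOLERANCE})
    return findings

def demo():
    """Constructed data: three dummy class files, two padded to mimic the growth."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("A.class", 500), ("B.class", 900), ("C.class", 700)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(CLASS_MAGIC + b"\x00" * body)
        baseline = snapshot(d)
        for name in ("A.class", "B.class"):
            path = os.path.join(d, name)
            with open(path, "ab") as fh:
                fh.write(b"\x01" * GROWTH)      # size change only, not real code
            os.utime(path, ns=(0, baseline[name][1] + 10**9))
        return compare(baseline, snapshot(d))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Several files in one directory reporting the same growth at once fits the directory-wide infection pass the article describes; a single changed file is more likely an ordinary recompile.
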
SARC has provided users with a method of detecting the new Java virus by
posting the virus definitions today on the SARC download
For more information, see the Strange Brew Virus information on the site.