Re: StrangeBrew - Java virus

Mikko Hypponen (Mikko.Hypponen@DataFellows.com)
Thu, 13 Aug 1998 11:38:49 +0300

Message-Id: <3.0.5.32.19980813113849.03ea3870@intra.datafellows.com>
Date: Thu, 13 Aug 1998 11:38:49 +0300
To: Marianne Mueller <Marianne.Mueller@Eng>
From: Mikko Hypponen <Mikko.Hypponen@DataFellows.com>
Subject: Re: StrangeBrew - Java virus
In-Reply-To: <libSDtMail.199808121529.25836.mrm@shorter>

Marianne Mueller:
>I have a PGP key registered at MIT. Some people don't like my key
>since it isn't signed.

Your key is fine by me. I'll be sending the sample in the next message.

We'd be interested in your analysis of the virus.

Also, if you're going to make some publicity with this, it would be nice if
you'd mention that the virus was discovered and initially analysed at Data
Fellows. We have no plans to make any PR about this.

Here are some notes from us:

Virus.class (Application, cannot be run as an applet.)
------------
- Selects current working directory
- Gets directory listing
- For each readable and WRITEABLE .class file whose length modulo 101 is
NOT zero (self-recognition to avoid multiple infections), the infection
function is called

Infected.class
--------------
Virus adds a call to its own code as the first line of the "getParameter" method
of the infected class. Note that "getParameter" is an applet method (get params
from HTML file), which can sometimes be present in applications too
(applets which can be run as applications)! So it seems that the virus
infects especially applets even though it itself is an application. On the
other hand, an infected applet should not be able to infect other class files
(normally no file write access rights).

BUT if run locally using appletviewer then infected file (applet) could
spread virus, because appletviewer allows writing to local files.

Size is a little less than 4kB. Virus appends some garbage bytes to host
files. Virus does not create new .class files, it searches for existing
.class files and modifies them to include a copy of itself. When the
"infected" .class file is executed, the virus gets control and then passes
control to the original code in the file. The viral code is inserted in the
middle of the file and the header area is patched to make this work.

This virus does not do anything else except spread. Doesn't seem to be a
realistic threat.

-- 
Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
Data Fellows Group, PL 24, FIN-02231 Espoo, Finland
Telephone +358 9 859 900, fax +358 9 8599 0599
http://www.DataFellows.com/staff/hermanni/
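The two structural traits the message describes (garbage bytes appended past the end of the class structure, and a file length that is a multiple of 101 as the self-recognition marker) can be turned into a defensive triage check. The following scanner is an added example, not code from this message or from Data Fellows; it parses only as much of the class-file format as needed to find where the structure ends, and both checks are heuristics (any legitimate file has a 1-in-101 chance of the length test firing), so a hit is a reason to look closer, not a verdict.

```python
import struct
# Constant-pool tag -> payload size after the tag; CONSTANT_Utf8 (tag 1) is variable length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
def _u(data, pos, fmt):  # read one big-endian u2 ('H') or u4 ('I') field at pos
    return struct.unpack_from(">" + fmt, data, pos)[0], pos + struct.calcsize(">" + fmt)
def _skip_attributes(data, pos):  # u2 count, then name_index/length/bytes per attribute
    count, pos = _u(data, pos, "H")
    for _ in range(count):
        pos += 6 + struct.unpack_from(">I", data, pos + 2)[0]
    return pos
def parse_class_end(data):  # walk the class-file structure and return its end offset
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("bad magic")
    cp_count, pos = _u(data, 8, "H")  # past magic and minor/major version
    i = 1  # constant pool entries are numbered from 1
    while i < cp_count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # u2 length followed by that many bytes
            pos += 2 + struct.unpack_from(">H", data, pos)[0]
        elif tag in CP_SIZES:
            pos += CP_SIZES[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    n_ifaces, pos = _u(data, pos + 6, "H")  # after access_flags/this_class/super_class
    pos += 2 * n_ifaces
    for _ in range(2):  # fields table, then methods table
        n, pos = _u(data, pos, "H")
        for _ in range(n):  # each entry: three u2 fields, then its attributes
            pos = _skip_attributes(data, pos + 6)
    pos = _skip_attributes(data, pos)  # class-level attributes
    if pos > len(data):
        raise ValueError("truncated class file")
    return pos
def scan_class(data):  # heuristic findings for one file's bytes; [] means nothing odd
    try:
        end = parse_class_end(data)
    except (ValueError, IndexError, struct.error) as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after class structure")
    if len(data) % 101 == 0:
        findings.append("length is a multiple of 101 (self-recognition marker)")
    return findings

# Constructed samples: a minimal 24-byte class file (empty constant pool, no members), then the same file with 77 junk bytes appended so it is 101 bytes long.
CLEAN = bytes.fromhex("cafebabe 0003 002d 0001 0021 0000 0000 0000 0000 0000 0000")
SUSPECT = CLEAN + b"\x00" * 77
```

Run `scan_class(open(path, "rb").read())` over a directory of .class files; files that report both findings together are the ones worth pulling for manual analysis.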