W95/Beast, W95/Beast.41472.A, Macro.Word97.Beast
Copies itself into Office documents and can open and close the CD-ROM drive.
The virus creates a file in the System or System32 directory. It chooses a random name and uses it, but with an .exe extension, for the file that is activated. For example, it uses Shell.dll and names its copy Shell.exe. This happens when an infected document is opened and the inserted virus is activated.
Then, the registry entry is made:
and a copy of the file. The new file is hidden. The worm has a timer and issues a WM_TIMER message every second. Every message is marked and then the file is loaded. A WM_CLOSE/WM_DESTROY message can also be sent, which deactivates the virus.
First, the program updates the registry entry "SOFTWARE\VB and VBA Program Settings\3BEPb\Startup" with the current time. When this entry is deleted, it reappears within a second. The infected program checks for an open document (Office 97) and, if one is available, creates a code module and an attached file named "I.EXE". The virus uses OLE (Object Linking and Embedding). The icon of the infected attachment is hidden, so that it is not accessible through the normal document. The document must be opened with WordPad to get access to "I.EXE". All strings and AutoStart codes are encrypted. The encryption is based on XOR. The infection can open and close the CD-ROM drive.
Description written by Crony Walker on Tuesday, June 15, 2004
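For triage, the registry path quoted in the description above can be searched for in a suspect file under every single-byte XOR key, in both ASCII and UTF-16LE. This is an added example, not code from the original description; it assumes a single-byte key (the description says only that the encryption is based on XOR), and the sample bytes are constructed.

```python
"""Find a known indicator string hidden under single-byte XOR (ASCII or UTF-16LE)."""

# Registry path quoted in the description above.
INDICATOR = rb"SOFTWARE\VB and VBA Program Settings\3BEPb\Startup"


def xor_variants(indicator: bytes):
    """Yield (key, wide, pattern) for all 256 keys in both encodings.

    Assumption: the sample uses a single-byte XOR key. Key 0 is plaintext.
    """
    for wide in (False, True):
        plain = indicator.decode("ascii").encode("utf-16-le") if wide else indicator
        for key in range(256):
            yield key, wide, bytes(b ^ key for b in plain)


def find_xored(data: bytes, indicator: bytes = INDICATOR):
    """Return a sorted list of (offset, key, wide) hits in data."""
    hits = []
    for key, wide, pattern in xor_variants(indicator):
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, key, wide))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def constructed_sample() -> bytes:
    """Constructed blob, not a real sample: padding plus the path XORed with 0x5A."""
    hidden = bytes(b ^ 0x5A for b in INDICATOR)
    return b"MZ" + b"\x00" * 62 + hidden + b"\xff" * 16


if __name__ == "__main__":
    for offset, key, wide in find_xored(constructed_sample()):
        encoding = "UTF-16LE" if wide else "ASCII"
        print(f"offset {offset:#x}: XOR key {key:#04x}, {encoding}")
```

A hit with key 0 means the path is present in plaintext; any other key gives the offset and key needed to decode the neighbouring strings for analysis.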