Classification

Category :

Malware

Type :

Virus

Aliases :

Beast

Summary

Win95/Beast is a Windows virus written in Delphi. It operates as a hybrid of a macro virus and a program virus.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus randomly selects a DLL name in the SYSTEM or SYSTEM32 directory and copies itself under that name with an .EXE extension. For instance, it selects SHELL.DLL and copies itself as SHELL.EXE into the same directory. This happens when an infected document is opened, since the embedded virus code is executed at that point.

Next, Beast modifies the RUN key in the registry so that this EXE is executed at startup. The running copy of the code is then terminated and the new copy is executed. The new copy creates a hidden window. This window is named 3BEPb and can be detected with the "Spy" utility that ships with MS development kits.

The virus also creates a timer that generates a WM_TIMER message every second. The window procedure handles the incoming timer messages and calls the infection module. The window also handles other WM messages: it stops the timer and destroys the window when WM_CLOSE or WM_DESTROY is received. (Therefore the virus can be deactivated by sending a WM_CLOSE message to the 3BEPb window.) The timer is stopped for the duration of an infection and restarted afterwards.

This module first updates the registry entry "SOFTWARE\VB and VBA Program Settings\3BEPb\Startup" with the current time. If this entry is deleted from the registry, it reappears after one second. The infection module then checks whether an active object (a document opened in Office 97) is available; if it finds one, it drops a code module and an embedded package named I.EXE into that document together with a short AutoOpen macro. The virus uses OLE functions for this. It sets the icon for that file so it is not accessible from within the document; you have to open the file with WordPad to see the I.EXE there. All strings and the binary code of the AutoOpen macro are stored encrypted in the data area of the virus.

The encryption is based on a shifted XOR key: each character of an encrypted area is decrypted by XORing it with the character's position in the string, counted from 1. When an infection is complete and a CD-ROM device was detected earlier, the virus opens and closes the CD-ROM door at random. One document can receive multiple I.EXE files. The virus seems to fail to recognize itself correctly in documents.
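As an added illustration (not code from the original description), the position-keyed XOR described above in Python, together with a simple string-carving pass of the kind an analyst would run over a sample's data area to recover the encrypted strings. The data area used here is constructed: NUL-terminated strings taken from this page, separated by zero bytes; masking positions past 255 to a single byte is an assumption, as the page does not say how longer areas are handled.

```python
"""Recover strings protected with Beast's position-keyed XOR (added example)."""

from typing import List, Tuple


def shifted_xor(data: bytes, start: int = 1) -> bytes:
    """XOR each byte with its 1-based position. Symmetric: encodes and decodes.

    Positions are masked to one byte (assumption; the page does not specify).
    """
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def carve_strings(blob: bytes, min_len: int = 5) -> List[Tuple[int, str]]:
    """Try to decode from every offset and keep printable runs of min_len or more.

    A decoded NUL or any non-printable byte ends a candidate. After a hit the
    scan skips past the run so the same string is not reported again from a
    shifted start. Candidates are heuristic: a printable-decoding byte just
    before a real string can absorb its head into a shifted run.
    """
    found: List[Tuple[int, str]] = []
    pos = 0
    while pos < len(blob):
        run = bytearray()
        for i in range(pos, len(blob)):
            c = blob[i] ^ ((i - pos + 1) & 0xFF)  # key restarts at 1 per candidate
            if not 0x20 <= c < 0x7F:
                break
            run.append(c)
        if len(run) >= min_len:
            found.append((pos, run.decode("ascii")))
            pos += len(run)
        else:
            pos += 1
    return found


# Strings named on this page, used to build a constructed data area.
SAMPLE_STRINGS = ["3BEPb", r"SOFTWARE\VB and VBA Program Settings\3BEPb\Startup", "I.EXE"]


def build_sample() -> bytes:
    """Constructed data area: encoded, NUL-terminated strings between zero filler."""
    filler = b"\x00" * 4
    out = bytearray(filler)
    for s in SAMPLE_STRINGS:
        out += shifted_xor(s.encode("ascii") + b"\x00") + filler
    return bytes(out)
```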

As long as the window procedure of the virus is active, the VBA editor cannot be accessed. It can be started and appears for a second, but the virus then closes the editor from its window procedure.

Beast was found in the wild in February 1999.