Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

W97M/Beast, W32/Beast.41472.A

This virus is able of spreading in binary form and also as a macro virus. After opening an infected document it starts the attached executable binary part from the macro AutoOpen. This is 41472 bytes long and its name is I.EXE. The virus conceals its icon so that the user of Word does not see it. Then the virus decodes the encrypted texts and tries to install into memory an object with name 3BEPb (meaning “animal” in Russian). If the virus does not succeed it tries to install itself, and if even this is not successful it ends up its activity. If the installation was successful the virus chooses any file with extension DLL in the system directory Windows and creates file with same name but with extension EXE on the disk. Finally, it creates a record in registers, necessary for automatic execution of that file at the start of Windows. After a restart of the operating system a hidden window is created. Its procedure named 3BEPb infects documents by means of OLE API. In the time range between 21:35 and 7:12 it opens and closes doors of the CD drive approximately each 10 seconds.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.