Win95/Beast is a Windows virus written in Delphi. It operates as a
hybrid of a macro virus and a program (executable) virus.
The virus randomly selects a DLL name in the SYSTEM or SYSTEM32
directory and copies itself under that name with an .EXE extension.
For instance, if it selects SHELL.DLL it copies itself as SHELL.EXE into
the same directory. This happens when an infected document is opened,
because the embedded virus code is executed then. Next, Beast modifies
the Run key in the registry to include this EXE for execution. The
running copy of the code then terminates and the new copy is
executed. The new copy creates a hidden window. This window has the
name 3BEPb and can be found with the "Spy" utility that ships with
the Microsoft development kits. The virus also creates a timer that
generates a WM_TIMER message every second. The window procedure
handles the incoming timer messages and calls the infection module.
The window procedure also handles other WM messages: on WM_CLOSE or
WM_DESTROY it stops the timer and destroys the window. (Therefore the
virus can be deactivated by sending a WM_CLOSE message to the 3BEPb
window.) The timer is stopped for the duration of the infection and
restarted afterwards.
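The persistence trick above (a Run entry that starts NAME.EXE from the system directory while a NAME.DLL sits next to it) can be screened for offline from exported Run values and a directory listing. The following is an added example for defenders, not code from the virus or from any vendor tool; the Run values, the directory listing and the helper names are all constructed here. Legitimate EXE/DLL pairs with the same base name exist, so hits are candidates for review, not verdicts.

```python
# Heuristic check for the persistence pattern described above: a Run
# value that starts <system dir>\NAME.EXE while NAME.DLL exists in that
# same directory. Added example for defenders, not code from any vendor
# tool; the Run values and directory listings below are constructed.
import ntpath


def executable_from_run_value(command: str) -> str:
    """Return the program path from a Run value, with arguments removed.

    Quoted paths end at the closing quote. Unquoted paths are rebuilt
    token by token until the accumulated text ends in .exe, which keeps
    unquoted paths containing spaces intact.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    tokens = command.split()
    path = ""
    for tok in tokens:
        path = tok if not path else path + " " + tok
        if path.lower().endswith(".exe"):
            return path
    return tokens[0] if tokens else ""


def shadowed_dll_entries(run_values: dict, dll_listing: dict) -> list:
    """Flag Run entries whose EXE name mirrors a DLL in the same directory.

    run_values: {value name: command line} as read from the Run key.
    dll_listing: {directory: set of DLL file names} for SYSTEM/SYSTEM32.
    Returns (value name, exe path, matching dll) triples.
    """
    # Normalise directory names once so path case and separators do not matter.
    listing = {
        ntpath.normpath(d).lower(): {n.lower(): n for n in names}
        for d, names in dll_listing.items()
    }
    findings = []
    for value_name, command in run_values.items():
        exe = executable_from_run_value(command)
        directory, base = ntpath.split(exe)
        stem, ext = ntpath.splitext(base)
        dlls = listing.get(ntpath.normpath(directory).lower())
        # Only .EXE files placed in a directory we have a DLL listing for count.
        if ext.lower() != ".exe" or not dlls:
            continue
        match = dlls.get(stem.lower() + ".dll")
        if match:
            findings.append((value_name, exe, match))
    return findings


# Constructed Run key contents: one entry outside the system directory,
# one rundll32 line with no directory at all, and the SHELL.EXE placement
# the description gives as an example.
RUN_VALUES = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "LoadPowerProfile": r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    "shell": r'"C:\WINDOWS\SYSTEM\SHELL.EXE"',
}
# Constructed directory listing; only DLL names matter for the check.
SYSTEM_DLLS = {
    r"C:\WINDOWS\SYSTEM": {"SHELL.DLL", "COMMDLG.DLL", "KERNEL32.DLL"},
}

if __name__ == "__main__":
    for value_name, exe, dll in shadowed_dll_entries(RUN_VALUES, SYSTEM_DLLS):
        print(f"Run\\{value_name} -> {exe} shadows {dll}")
```

On a live system the two inputs would come from an export of the Run key and a listing of the SYSTEM and SYSTEM32 directories; the check itself needs no Windows API and can run on a collected image.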
This module first updates the registry value "SOFTWARE\VB and VBA
Program Settings\3BEPb\Startup" with the current time. If you delete
this entry from the registry it reappears after one second. The
infection module checks whether an active object is available (a
document opened in Office 97) and, if it finds one, drops a code
module and an embedded package named I.EXE into that document,
together with a short AutoOpen macro. The virus uses OLE functions
for this. It sets the icon for the embedded file so it is not
accessible from within the document; you have to open the file with
WordPad to see the I.EXE there. All strings, and the binary code of
the AutoOpen macro, are stored encrypted in the data area of the
virus. The encryption is a position-dependent XOR: each character of
an encrypted area is decrypted by XORing it with its position in the
string, counting from 1. Once an infection is complete, and if a
CD-ROM drive was detected earlier, the virus opens and closes the
CD-ROM door at random. One document can receive multiple I.EXE
files. The virus seems to fail to recognize itself in documents
correctly.
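The XOR scheme just described is easy to reverse when analysing a sample, because XOR with a known key is its own inverse. The following is an added analysis example, not code from the virus or from any vendor tool. The only fact it takes from the description is the scheme itself (each byte XORed with its 1-based position in the string); it assumes that the position counter restarts at 1 for every string and that positions above 255 wrap modulo 256, and the sample data area it scans is constructed here from two plaintexts the description mentions.

```python
# Decoder for the position-keyed XOR that Beast uses on its string area.
# Added example for analysts; it is not code from the virus or from any
# vendor tool. Assumptions (not stated in the description): the position
# counter restarts at 1 for every string, and positions above 255 wrap
# modulo 256 so the key stays a single byte.


def position_xor(data: bytes, start: int = 1) -> bytes:
    """XOR each byte with its position, counting from `start`.

    XOR is its own inverse, so this both encrypts and decrypts.
    """
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def find_encrypted_strings(blob: bytes, min_len: int = 8) -> list:
    """Scan a raw data dump for runs that decrypt to printable ASCII.

    Every offset is tried as position 1 of a string; a hit is recorded
    when at least `min_len` consecutive decrypted bytes are printable
    (0x20..0x7E). Offsets inside a hit are skipped, because decrypting a
    string from the wrong start offset still yields printable text more
    often than chance (XOR with a small key moves ASCII only a little).
    Returns (offset, decrypted_text) pairs.
    """
    hits = []
    off = 0
    while off < len(blob):
        decrypted = position_xor(blob[off:])
        run = 0
        for b in decrypted:
            if 0x20 <= b <= 0x7E:
                run += 1
            else:
                break
        if run >= min_len:
            hits.append((off, decrypted[:run].decode("ascii")))
            off += run
        else:
            off += 1
    return hits


# Constructed sample: two plaintexts from the description, encrypted with
# the same routine and padded with 0xE7 bytes. 0xE7 XOR k is printable
# only for k between 0x99 and 0xC7, far beyond these string lengths, so
# the padding never produces a false run.
_FILLER = b"\xe7" * 6
SAMPLE_BLOB = (
    _FILLER
    + position_xor(b"SOFTWARE\\VB and VBA Program Settings\\3BEPb\\Startup")
    + _FILLER
    + position_xor(b"I.EXE")
    + _FILLER
)

if __name__ == "__main__":
    for off, text in find_encrypted_strings(SAMPLE_BLOB, min_len=5):
        print(f"{off:#06x}: {text}")
```

The `min_len` threshold trades false positives against short strings: with the default of 8 the five-character I.EXE is missed, so when scanning a real data area it is worth running the scan twice and comparing the short hits by hand.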
As long as the window procedure of the virus is active, the VBA editor
cannot be accessed. It can be started and appears for a second, but
then the virus closes the editor from its window procedure.