Win95/Beast is a Windows virus written in Delphi. It operates as a hybrid between a macro and program virus.
The virus randomly selects a DLL name in the SYSTEM or in the SYSTEM32 directory and copies itself under that name with an .EXE extension. For instance it selects SHELL.DLL and copies itself as SHELL.EXE into the same directoy. This happens when an infected document is opened since the embedded virus code is executed then. Next Beast modifies the RUN field in the registry to include this EXE for execution. The running copy of the code is terminated then and the new copy is executed. Then the new copy creates a hidden Window. This Windows has the 3BEPb name and can be detected by a utility called "Spy" which is available in MS development kits. The virus also creates a timer which will generate a WM_TIMER message in each second. The window procedure will handle the incoming timer messages and calls the infection module. Also this Window handles other WM messages to stop the timer and the Window when WM_CLOSE/WM_DESTROY is called. (Therefor the virus can be deactivated by sending a WM_CLOSE message to the 3BEPb Window.) The timer is stopped during the infection time and later it is restarted.
This module first updates the registry "SOFTWARE\VB and VBA Program Settings\3BEPb\Startup" with the actual time. If you delete this entry from the registry it will appear again after one second. The infection module checks if an active object is available (opened in Office97) and if it detects one it will drop a codemodule and an embedded package into that document with the name I.EXE and a short autoopen macro. The virus uses OLE functions for this. It sets the icon for that file so it is not accessable from the document, you have to open the file with WordPad to see the I.EXE there. All strings, and the autoopen macro's binary code is encrypted in the data area of the virus. The encryption is based on a shifted XOR key. Each characters of the encrypted areas are decrypted by using XOR with the actual position of the character in the string, starting from 1. When one infection is ready and a CR-ROM device is detected earlier the virus opens and closes the CD-ROMs door randomly. One document can get multiply I.EXE files. The virus seems to fail to recognize itself in documents correctly.
As long as the window procedure of the virus is active, the VBA editor can not be accessed. It can be executed and appears for a second, but then the virus closes the editor from its window procedure.
Beast was found in the wild in February 1999.
[Analysis: Peter Szor, F-Secure, 1999]