Beanhive
Type: File virus
Creator: Landing Camel
Date Discovered: 1999.01.08
Place of Origin: Australia
Source Language: Java
Platform: Java Runtime Environment
File Type(s): .cab, .jar, .class*
Infection Length: 7,890 (.cab), 10,204 (.jar)

Beanhive is the second Java virus. It is from the same coder who created Strangebrew, Landing Camel of Codebreakers.

Behavior

When the user visits a site using Java with infected applets, the infected .jar or .cab file is downloaded to the user's machine. The virus's main component, BeanHiveFrame.class, is then run within the Java virtual machine. It requests permission to access the local system and stops working if the user decides not to allow this.

After obtaining permission to access the system, the virus displays a dialog box asking the user which file they would like to have infected. Beanhive then uses four modules to actually infect the file: e89a763c.class, c8f67b45.class, dc98e742.class and be93a29f.class. The e89a763c.class file performs the main infection routine, and calls on the others after determining whether the file is appropriate to infect. These files are added to the .jar or .cab archive.

When the newly infected file is run, these files look for the file BeanHive.class, which Landing Camel named "The Queen Bean". This file is the final component needed for the virus, and it contains the code necessary for the infection of other Java files. If they do not find this file on the system, they will try to download it from the Internet. The Queen Bean is run as soon as it is downloaded. It finds up to three Java files and infects them, employing the original four modules used to infect the file before the Queen Bean infected it.
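
The component file names above can serve as a simple archive indicator. The following is an added example, not code from the original page or from any antivirus vendor: it checks a .jar (zip) archive for the class names listed in this section. It assumes the names are stable as given here, matches on names only, and does not cover .cab archives; the function names and the sample archives are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Component file names exactly as given in the Behavior section.
WORKER_BEANS = {"e89a763c.class", "c8f67b45.class",
                "dc98e742.class", "be93a29f.class"}
QUEEN_BEAN = "BeanHive.class"
LOADER = "BeanHiveFrame.class"


def scan_jar(data: bytes) -> dict:
    """Report which Beanhive component names appear in a .jar archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip/.jar archive")
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        # Compare base names so entries inside package directories match too.
        names = {PurePosixPath(n).name for n in jar.namelist()}
    workers = sorted(WORKER_BEANS & names)
    queen, loader = QUEEN_BEAN in names, LOADER in names
    if len(workers) == len(WORKER_BEANS):
        verdict = "match"      # all four infection modules are present
    elif workers or queen or loader:
        verdict = "partial"    # some names match: inspect the archive by hand
    else:
        verdict = "none"
    return {"verdict": verdict, "workers": workers,
            "queen": queen, "loader": loader}


def build_sample_jar(entries) -> bytes:
    """Constructed input: a jar holding empty placeholder entries only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    base = ["META-INF/MANIFEST.MF", "app/Main.class"]
    print(scan_jar(build_sample_jar(base)))
    print(scan_jar(build_sample_jar(base + sorted(WORKER_BEANS))))
```

A "match" on names alone is a lead for manual inspection, since an unrelated archive could reuse a file name.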

Effects

The Beanhive virus never made it into the wild, although unlike its predecessor Strangebrew, it had a better chance of doing so. Even so, researchers found it difficult to get the virus to work on any test systems. Some of the bugs may have been deliberate, since the creator was only interested in a demonstration virus. It is also difficult, if not impossible, to get it to work on popular versions of the most popular browsers.

Name and Origin

Beanhive was coded by Landing Camel of the group Codebreakers. Landing Camel was also responsible for the first Java virus, Strangebrew. At the time, he was a student at an Australian university. Beanhive was included in the final release of the Codebreakers magazine.

Beanhive takes its name from the fact that the word Java is a colloquialism for coffee, which comes from beans. The hive part likely comes from the fact that it uses several files in a packed .cab or .jar file. Landing Camel even gave names to the files aside from their actual file names. BeanHive.class is referred to in his writings as "The Queen Bean" and the others are "The Worker Beans". This is a reference to the Ren and Stimpy Show segment "Ask Dr. Stupid", in which a viewer writes in, "What is that ugly white slab in my can of beans?" Stimpy, as Dr. Stupid, answers that it is the Queen Bean and the others are the worker beans that serve her.

Sources

Carey Nachenberg. Symantec, Java.BeanHive. 2007.02.13

Kaspersky Lab. Securelist.com, Virus.Java.BeanHive. 2000.01.12

Landing Camel. Codebreakers Issue 5, Beanhive. 1999.06 (requires login to download anything at the moment)
