Strangebrew
Type: File virus
Creator: Landing Camel
Date Discovered: 1998.08.19
Place of Origin: Australia
Source Language: Java
Platform: Java Runtime Environment
File Type(s): .class
Infection Length: 3,894 bytes*

Strangebrew is the first Java virus. Because it runs on Java, it can run on any computer with the Java Runtime Environment, regardless of operating system or processor. While Java applets are common on the internet, Strangebrew cannot infect a computer through the internet, even if that computer runs an infected Java applet.

Behavior

When a Strangebrew-infected file is executed, it searches the current directory for files with a .class extension, which are executables for the Java platform. It checks whether each file's size is divisible by 101, which indicates the file is likely already infected with Strangebrew, and avoids infecting such files. Strangebrew also has some other criteria for determining whether a file is suitable for infection. If it finds an uninfected .class file that is unsuitable, it inserts code to make the file size divisible by 101, so the file will be passed over the next time the virus is run. When it finds a class file meeting all of its criteria for infection, it writes its code to the main entry point of the file. The virus itself takes up 3,894 bytes, but the actual increase in file size will be rounded up so it is divisible by 101.

The virus is not able to spread over the internet or even locally when using Java applets through a browser, even infected ones. When run as an applet, it displays a warning message and terminates the virus. It must be run as a native Java application.

The virus may not always gain control of the infected application, as this depends on how the application is used. In addition, it contains some bugs which may cause the application to be corrupted.
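The size marker described in this section can be used for defensive triage. The following is an added example, not code from the virus or from any vendor: it flags .class files whose size is divisible by 101 and compares them with known-good sizes. The manifest of baseline sizes, the label names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

MARKER_MODULUS = 101               # size marker described on this page
VIRUS_LENGTH = 3894                # infection length given on this page
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # standard Java class-file magic number


def classify(path, baseline_size=None):
    """Return a triage label; baseline_size is a known-good size (assumed manifest)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        if fh.read(4) != CLASS_MAGIC:
            return "not-a-class-file"
    if size % MARKER_MODULUS != 0:
        return "no-marker"
    if baseline_size is None:
        return "marker-only"          # about 1 in 101 clean files match by chance
    growth = size - baseline_size
    if growth == 0:
        return "marker-coincidental"  # unchanged file whose size happens to match
    if growth >= VIRUS_LENGTH:
        return "growth-consistent-with-infection"
    if growth > 0:
        return "growth-consistent-with-padding"
    return "size-mismatch"


def scan(directory, manifest):
    """Classify every .class file in directory; manifest maps name -> known size."""
    return {
        name: classify(os.path.join(directory, name), manifest.get(name))
        for name in sorted(os.listdir(directory))
        if name.endswith(".class")
    }


def demo():
    """Build constructed sample files (magic number plus zero filler) and scan them."""
    sizes = {"A.class": 1000, "B.class": 1010, "C.class": 5050, "D.class": 1010}
    manifest = {"A.class": 1000, "B.class": 1010, "C.class": 1100, "D.class": 950}
    with tempfile.TemporaryDirectory() as tmp:
        for name, size in sizes.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(CLASS_MAGIC + b"\x00" * (size - 4))
        return scan(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

A marker match alone is weak evidence, since both infected files and files the virus only padded carry it, as do some clean files by chance; the size comparison narrows which files need closer inspection.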

Origin

Strangebrew was coded by an Australian university student, going by the handle "Landing Camel". He created Strangebrew to show potential security problems with the Java platform. Symantec claimed credit for discovering the virus with its web spider "Seeker", which crawls the web and sends files to Symantec for analysis.

Effects

Strangebrew never made it into the wild. The security features in all popular browsers at the time would prevent the virus from infecting computers through the web browser.
