W32.Beast.41472


Aliases: W97M.Beast.A, W32.Beast.A, W97M/Beast.41472.A, W97M/Beast.A, W97M.Beast.41472.A 
Variants: Win32.MACRO.Beast.41472, Win95:Beast , Beast.41472.DOC, Macro.Word97.Beast, Virus.MSWord.Beast

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Europe
Removal: Easy
Platform: W32
Discovered: 21 Feb 1999
Damage: Low

Characteristics: The W32.Beast.41472 virus is standalone EXE file that can infect MS Word documents by embedding its code in them. This virus will add a macro for AutoOpen to the document so that the virus embedded will run when the document is accessed.

More details about W32.Beast.41472

This virus will copy its code to the folder C:\ Windows\ System with a random filename in the .Exe extension. The filename normally will be seven to eight characters long. The virus will then alter the registry so that it can execute when Windows starts. It will add the value to a certain registry key. The W32.Beast.41472 virus will stay resident in the memory and then start to infect MS word documents via embedding. It will create the C:\ i.exe as a copy of its code and then utilize the file for embedding in the compromised document. The AutoOpen macro added by the virus will also be responsible for executing the virus. When the virus has been successfully embedded, it will delete the file i.exe.

The infection process of the W32.Beast.41472 accesses functions of the MS Word by utilizing OLE (Object Linking and Embedding) automation. The virus will check for all documents opened in MS Word. In the event that a certain document has a single program module and doesn’t have an embedded OLE object, the virus will then go on to infect it. This malware contains the “3BEPb” encrypted text which is “beast” in some Slavonic languages. The encrypted text is utilized by the malware as a header for the application window of its EXE.