Beef is a harmless memory resident parasitic Win32 virus. It stays in Windows memory and infects PE EXE files (Win32 executable files) that are being opened. While infecting the virus writes itself to the end of the file.
When the virus is run for the first time, it infects the EXPLORER.EXE file in Windows directory. Because EXPLORER.EXE file is active and locked by Windows for writing, the virus uses a standard trick to avoid that. It copies EXPLORER.EXE to BEEFREE.SYS file and infects it. Then the virus creates the WININIT.INI file with "rename" command in there that will replace original EXPLORER.EXE with its infected copy one next Windows restart.
When Windows is run with infected EXPLORER.EXE, the virus gets access to KERNEL32.DLL image in the system memory and patches two its exported API functions: LoadLibraryA and CreateFileA. Then when a PE EXE file is being opened, the virus infects it.
No videos available.