The first virus to spread only under the Microsoft Windows 95 operating system was found in January 1996. This virus is of Australian origin. It has not been reported in the wild anywhere in the world, and can not be seen as a serious threat to Windows 95 users.
This new virus has been named 'Boza'. It infects only Windows Portable Executable EXE files - such files are used by Windows 95 and Windows NT. However, Boza does not infect machines running the Microsoft Windows NT operating system. So far, no viruses written specifically for Windows NT has been found.
Whenever an EXE file infected by Boza is run, it will infect programs in the current directory. One to three EXE files are infected with every execution. After this Boza will execute the code of the original infected file - otherwise the user would notice that something is wrong. Boza does not stay active in memory after execution. For this reason it spreads relatively slow from program to another. The actual infection process is fast enough to go undetected in most machines.
Boza has no destructive routines but it contains a bug, which will in some cases grow an infected EXE file's size by several megabytes. This can reduce free disk space quickly. The virus also has an activation routine which displays texts like 'The taste of fame just got tastier!' and 'From the old school to the new'. This screen is shown if the virus is run on the 31st of any month.
Boza also contains internal texts like:
Please note: the name of this virus is [Bizatch] written by Quantum / VLAD
These texts are never displayed. VLAD is a virus-writers group originating from Australia.
Boza's spreading technique resembles some of the early DOS viruses. When the first DOS viruses were found in 1980's, they were very simple compared to some of the currently known polymorphic multipartite fast infecting stealth viruses. It can be expected that similar evolution will be happening with Windows viruses.
Boza would be totally unremarkable virus otherwise, but since it was the first virus which spreads only under Windows 95, it has received a lot of publicity. Boza will probably never be a real problem for Windows 95 users.
These are minor variants, apparently they try to fix some bugs, but the results seem to be that they are even buggier than the original version.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Description Created: Mikko Hypponen, F-Secure