Misis is a very small boot sector virus from Russia. It is known to be
in the wild in the west also - confirmed reports have been received
from UK and Norway.
The virus uses stealth routines, so the infected boot sectors will
seem to be clean if they are inspected while the virus is resident in
Practically all boot sector viruses decrease the amount of available
DOS memory from 640 KB and use this 'memory-hole' to store their code
in. They cannot go resident by using the usual DOS calls, because they
activate before DOS is even loaded. This makes most boot sector
viruses easy to spot, since the user can check the amount of total DOS
memory with the MEM or CHKDSK commands.
Misis uses an unusual way to circumvent this symptom: it stores its
code in low system memory, overwriting part of the interrupt vector
table. This makes the system potentially unstable, because any program
that changes the higher interrupt vectors (from 94h to FFh) will
overwrite part of the resident virus code, probably causing the system
One side-effect of this virus is that infected diskettes will work
normally in an infected machine, but will cause read errors if
accessed in a clean computer. This happens because the virus
overwrites the disk parameter block which, on diskettes, is stored in
the beginning of the boot sector. On infected machines this has no
effect, because the virus stealths the changes it has made.
Misis contains several phrases of Russian text. These are not
comprehensible on machines without a Russian screen driver. Translated
to English, the texts read approximately as:
Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov
Soft 236-25-35. "Zharinov" come!.. Database NIKA!
Go away from computer! Work for programmers! Fame to Lozinsky!
Were you warned by the Surgeon General?! Pray all...
Lozinsky is a well-known Russian antivirus expert. The virus contains
an activation routine, which causes some of the above-mentioned texts
to be displayed in the upper left corner of the screen. On western
machines, these messages show up as garbage. The texts are displayed
in yellow blinking colour on brown background. The virus triggers
every 16th time the boot sector is accessed.
The Misis virus was originally known as Zharinov. The name was changed
when it was found out that Zharinov is the name of a professor at the
MISiS, and that the virus was most likely written by one of his
students. Mr. Zharinov himself obviously has nothing to do with this
[Analysis: Mikko Hypponen, F-Secure]