Summary
Misis is a very small boot sector virus from Russia. It is also known
to be in the wild in the West: confirmed reports have been received
from the UK and Norway.
The virus uses stealth routines, so the infected boot sectors will
seem to be clean if they are inspected while the virus is resident in
memory.
Additional Details
Practically all boot sector viruses decrease the amount of available
DOS memory from 640 KB and store their code in this 'memory hole'.
They cannot go resident by using the usual DOS calls, because they
activate before DOS is even loaded. This makes most boot sector
viruses easy to spot, since the user can check the amount of total DOS
memory with the MEM or CHKDSK commands.
Misis uses an unusual way to circumvent this symptom: it stores its
code in low system memory, overwriting part of the interrupt vector
table. This makes the system potentially unstable, because any program
that changes the higher interrupt vectors (from 94h to FFh) will
overwrite part of the resident virus code, probably causing the system
to crash.
One side-effect of this virus is that infected diskettes will work
normally in an infected machine, but will cause read errors if
accessed in a clean computer. This happens because the virus
overwrites the disk parameter block which, on diskettes, is stored in
the beginning of the boot sector. On infected machines this has no
effect, because the virus stealths the changes it has made.
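
The read errors described above come from a damaged parameter block, so a sanity check of that block on a boot sector image read while the virus is not resident will show it. The following is an added example, not part of the original analysis: the field offsets are the standard DOS BIOS parameter block layout, while the function names, the format table and both sample sectors are constructed for illustration.

```python
import struct

# Common DOS diskette formats: total sectors -> (sectors/track, heads, media byte).
# Less common formats (160/180/320 KB, 2.88 MB, DMF) are left out of this sketch.
FLOPPY_FORMATS = {
    720:  (9, 2, 0xFD),    # 360 KB
    1440: (9, 2, 0xF9),    # 720 KB
    2400: (15, 2, 0xF9),   # 1.2 MB
    2880: (18, 2, 0xF0),   # 1.44 MB
}
BPB_OFFSET, BPB_LAYOUT = 0x0B, "<HBHBHHBHHH"   # DOS 3.x BPB, 17 bytes

def check_floppy_bpb(sector: bytes) -> list:
    """Return the BPB anomalies found in a 512-byte diskette boot sector."""
    if len(sector) != 512:
        return ["boot sector is not 512 bytes long"]
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads) = struct.unpack_from(BPB_LAYOUT, sector, BPB_OFFSET)
    problems = []
    if bps != 512:
        problems.append(f"bytes per sector is {bps}, expected 512")
    if spc not in (1, 2):
        problems.append(f"sectors per cluster is {spc}, expected 1 or 2")
    if reserved == 0 or fats != 2 or root_entries == 0 or spf == 0:
        problems.append("reserved/FAT/root-directory fields are implausible")
    fmt = FLOPPY_FORMATS.get(total)
    if fmt is None:
        problems.append(f"total sectors {total} matches no common diskette format")
    elif (spt, heads, media) != fmt:
        problems.append(f"geometry {spt}/{heads}/{media:#04x} does not fit {total} sectors")
    return problems

def make_clean_sector() -> bytes:
    """Constructed sample: a minimal 1.44 MB boot sector with a valid BPB."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"
    struct.pack_into(BPB_LAYOUT, s, BPB_OFFSET, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    s[510:512] = b"\x55\xAA"
    return bytes(s)

def make_overwritten_sector() -> bytes:
    """Constructed sample: same sector with the BPB replaced by filler bytes
    (arbitrary values, not bytes taken from any real infected diskette)."""
    s = bytearray(make_clean_sector())
    s[BPB_OFFSET:BPB_OFFSET + 17] = bytes(range(0x40, 0x51))
    return bytes(s)

if __name__ == "__main__":
    for name, sec in (("clean", make_clean_sector()), ("overwritten", make_overwritten_sector())):
        print(name, check_floppy_bpb(sec) or "BPB looks sane")
```

A diskette formatted to a non-standard layout will also be flagged, so a hit is a reason to inspect the sector, not proof of infection.
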
Misis contains several phrases of Russian text. These are not
comprehensible on machines without a Russian screen driver. Translated
to English, the texts read approximately as:
Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov
Soft 236-25-35. "Zharinov" come!.. Database NIKA!
Go away from computer! Work for programmers! Fame to Lozinsky!
Were you warned by the Surgeon General?! Pray all...
Lozinsky is a well-known Russian antivirus expert. The virus contains
an activation routine, which causes some of the above-mentioned texts
to be displayed in the upper left corner of the screen. On western
machines, these messages show up as garbage. The texts are displayed
in blinking yellow on a brown background. The virus triggers
every 16th time the boot sector is accessed.
The Misis virus was originally known as Zharinov. The name was changed
when it was found out that Zharinov is the name of a professor at the
MISiS, and that the virus was most likely written by one of his
students. Mr. Zharinov himself obviously has nothing to do with this
virus.
[Analysis: Mikko Hypponen, F-Secure]