Classification

Category: Malware
Type: -
Aliases: Misis, Zharinov

Summary

Misis is a very small boot sector virus from Russia. It is also known to be in the wild in the West; confirmed reports have been received from the UK and Norway.

The virus uses stealth routines, so the infected boot sectors will seem to be clean if they are inspected while the virus is resident in memory.

Removal

Based on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Practically all boot sector viruses reduce the amount of available DOS memory below 640 KB and store their code in the resulting 'memory hole'. They cannot go resident through the usual DOS calls, because they activate before DOS is even loaded. This makes most boot sector viruses easy to spot, since the user can check the total amount of DOS memory with the MEM or CHKDSK commands.

Misis uses an unusual way to circumvent this symptom: it stores its code in low system memory, overwriting part of the interrupt vector table. This makes the system potentially unstable, because any program that changes the higher interrupt vectors (from 94h to FFh) will overwrite part of the resident virus code, probably causing the system to crash.

One side-effect of this virus is that infected diskettes will work normally in an infected machine, but will cause read errors if accessed in a clean computer. This happens because the virus overwrites the disk parameter block which, on diskettes, is stored in the beginning of the boot sector. On infected machines this has no effect, because the virus stealths the changes it has made.
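The memory-size check above is a DOS-era command and is not reproduced here, but the boot-sector symptom can be checked offline. The following Python script is an added example, not part of this F-Secure description and not code from the virus: it parses the BIOS Parameter Block (the on-disk form of the "disk parameter block" at the start of a floppy boot sector) from a raw 512-byte sector and flags values that no valid diskette would carry, which is what a clean machine sees when that block has been overwritten. Both sample sectors are constructed inline; the "overwritten" one uses an arbitrary byte ramp as filler and is not the actual layout of Misis or any other infector.

```python
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B  # the BPB follows the 3-byte jump and the 8-byte OEM name

# Little-endian layout of the classic DOS 3.x BPB fields (17 bytes in total).
BPB_STRUCT = struct.Struct("<HBHBHHBHHH")
BPB_FIELDS = (
    "bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_count",
    "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat",
    "sectors_per_track", "heads",
)
# Media descriptor bytes that FAT actually uses (0xF0 plus 0xF8..0xFF).
VALID_MEDIA = {0xF0} | set(range(0xF8, 0x100))


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields of one 512-byte boot sector into a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    bpb = dict(zip(BPB_FIELDS, BPB_STRUCT.unpack_from(sector, BPB_OFFSET)))
    bpb["signature_ok"] = sector[0x1FE:0x200] == b"\x55\xAA"
    return bpb


def check_bpb(sector: bytes) -> list:
    """Return a list of plausibility problems; an empty list means the BPB looks sane.

    A boot-sector infector that overwrites the BPB leaves values that fail
    several of these checks at once, which is why such a diskette gives read
    errors on a machine where nothing is hiding the change.
    """
    bpb = parse_bpb(sector)
    problems = []
    bps = bpb["bytes_per_sector"]
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes_per_sector={bps} is not a valid sector size")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors_per_cluster={spc} is not a power of two")
    if bpb["reserved_sectors"] == 0:
        problems.append("reserved_sectors=0 (the boot sector itself must be reserved)")
    if bpb["fat_count"] not in (1, 2):
        problems.append(f"fat_count={bpb['fat_count']} (expected 1 or 2)")
    root = bpb["root_entries"]
    if root == 0 or (bps and (root * 32) % bps):
        problems.append(f"root_entries={root} does not fill whole sectors")
    if bpb["total_sectors"] == 0:
        problems.append("total_sectors=0")
    if bpb["media_descriptor"] not in VALID_MEDIA:
        problems.append(f"media_descriptor=0x{bpb['media_descriptor']:02X} is not a FAT media byte")
    if bpb["sectors_per_fat"] == 0:
        problems.append("sectors_per_fat=0")
    spt, heads = bpb["sectors_per_track"], bpb["heads"]
    if spt == 0 or heads == 0:
        problems.append(f"geometry {spt} sectors/track x {heads} heads is impossible")
    elif bpb["total_sectors"] % (spt * heads):
        problems.append("total_sectors is not a whole number of cylinders")
    if not bpb["signature_ok"]:
        problems.append("missing 55AA boot signature")
    return problems


def check_image(path: str) -> list:
    """Check the first sector of a raw floppy image (e.g. one dumped on a clean machine)."""
    with open(path, "rb") as fh:
        return check_bpb(fh.read(SECTOR_SIZE))


def build_clean_floppy_sector() -> bytes:
    """Constructed sample: a plausible 1.44 MB FAT12 boot sector, not taken from any real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"  # short jump over the BPB to where boot code would sit
    sector[3:11] = b"MSDOS5.0"
    BPB_STRUCT.pack_into(sector, BPB_OFFSET, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)


def build_overwritten_sector() -> bytes:
    """Constructed sample standing in for a boot sector whose first bytes, BPB included,
    were replaced. The filler is an arbitrary byte ramp, not any virus's real layout."""
    sector = bytearray(build_clean_floppy_sector())
    sector[0:0x40] = bytes(range(0x40))
    return bytes(sector)


if __name__ == "__main__":
    samples = (("clean", build_clean_floppy_sector()),
               ("overwritten", build_overwritten_sector()))
    for name, sec in samples:
        issues = check_bpb(sec)
        print(f"{name}: {'OK' if not issues else 'SUSPECT'}")
        for issue in issues:
            print("  -", issue)
```

Run the sector through `check_image()` only from a machine you trust: on an infected machine the resident stealth routine hands back the original boot sector, so the read itself would show nothing wrong.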

Misis contains several phrases of Russian text. These are not comprehensible on machines without a Russian screen driver. Translated to English, the texts read approximately as:

    Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov
    Soft 236-25-35. "Zharinov" come!.. Database NIKA!
    Go away from computer! Work for programmers! Fame to Lozinsky!
    Were you warned by the Surgeon General?! Pray all...

Lozinsky is a well-known Russian antivirus expert. The virus contains an activation routine, which causes some of the above-mentioned texts to be displayed in the upper left corner of the screen. On western machines, these messages show up as garbage. The texts are displayed in yellow blinking colour on brown background. The virus triggers every 16th time the boot sector is accessed.

The Misis virus was originally known as Zharinov. The name was changed when it was found out that Zharinov is the name of a professor at the MISiS, and that the virus was most likely written by one of his students. Mr. Zharinov himself obviously has nothing to do with this virus.