Classification

Category: Malware

Type: Virus

Aliases: Boza.A, Bizatch, V32

Summary

The first virus to spread only under the Microsoft Windows 95 operating system was found in January 1996. This virus is of Australian origin. It has not been reported in the wild anywhere in the world, and cannot be regarded as a serious threat to Windows 95 users.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This new virus has been named 'Boza'. It infects only Windows Portable Executable EXE files - such files are used by Windows 95 and Windows NT. However, Boza does not infect machines running the Microsoft Windows NT operating system. So far, no viruses written specifically for Windows NT have been found.

Whenever an EXE file infected by Boza is run, it will infect programs in the current directory. One to three EXE files are infected with every execution. After this, Boza will execute the code of the original infected file - otherwise the user would notice that something is wrong. Boza does not stay active in memory after execution. For this reason it spreads relatively slowly from one program to another. The actual infection process is fast enough to go undetected on most machines.

Boza has no destructive routines but it contains a bug, which will in some cases grow an infected EXE file's size by several megabytes. This can reduce free disk space quickly. The virus also has an activation routine which displays texts like 'The taste of fame just got tastier!' and 'From the old school to the new'. This screen is shown if the virus is run on the 31st of any month.

Boza also contains internal texts like:

 Please note: the name of this virus is [Bizatch] written by Quantum / VLAD

These texts are never displayed. VLAD is a virus-writers group originating from Australia.
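As an added example (not F-Secure's detection logic and not part of the original description), the following Python code checks whether a file is a Portable Executable, the only format Boza infects, and whether it contains any of the texts quoted above. It assumes those texts are stored in the file as plain ASCII, which the description does not state; the function names and sample images are constructed for illustration.

```python
import struct
from pathlib import Path

# Texts quoted in this description. Assumption: they sit in infected
# files as plain ASCII; the description does not say how they are stored.
MARKERS = [
    b"the name of this virus is [Bizatch]",
    b"The taste of fame just got tastier!",
    b"From the old school to the new",
]

def is_pe(data: bytes) -> bool:
    """True if an MZ header's e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def boza_markers(data: bytes) -> list[str]:
    """Return the marker texts found in a PE image; empty for non-PE files."""
    if not is_pe(data):
        return []
    return [m.decode("ascii") for m in MARKERS if m in data]

def sweep(directory: str) -> dict[str, list[str]]:
    """Check every *.exe in one directory, the scope Boza infects per run."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() == ".exe":
            found = boza_markers(path.read_bytes())
            if found:
                hits[path.name] = found
    return hits

def fake_image(signature: bytes, payload: bytes) -> bytes:
    """Constructed sample: 64-byte MZ header, then a signature and payload."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # new header starts at 0x40
    return bytes(header) + signature + payload

# Constructed samples, not real binaries.
CLEAN_PE = fake_image(b"PE\0\0", b"\x00" * 32)
MARKED_PE = fake_image(b"PE\0\0", b"\x00" * 8 + MARKERS[0] + b"\x00")
MARKED_NE = fake_image(b"NE", b"\x00" * 8 + MARKERS[0] + b"\x00")  # 16-bit format

if __name__ == "__main__":
    for name, img in [("clean PE", CLEAN_PE), ("marked PE", MARKED_PE), ("marked NE", MARKED_NE)]:
        print(name, boza_markers(img))
```

A plain text match of this kind also fires on any PE file that merely quotes these strings, so a hit is a reason to scan the file with an up-to-date product, not a verdict.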

Boza's spreading technique resembles that of some of the early DOS viruses. When the first DOS viruses were found in the 1980s, they were very simple compared to some of the currently known polymorphic multipartite fast infecting stealth viruses. A similar evolution can be expected to take place with Windows viruses.

Boza would otherwise be a totally unremarkable virus, but since it was the first virus to spread only under Windows 95, it has received a lot of publicity. Boza will probably never be a real problem for Windows 95 users.

Variant: Boza.B, Boza.C

These are minor variants. They apparently try to fix some bugs, but the result seems to be that they are even buggier than the original version.