Threat description



Misis is a very small boot sector virus from Russia. It is known to be in the wild in the west also - confirmed reports have been received from UK and Norway.

The virus uses stealth routines, so the infected boot sectors will seem to be clean if they are inspected while the virus is resident in memory.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Practically all boot sector viruses decrease the amount of available DOS memory from 640 KB and use this 'memory-hole' to store their code in. They cannot go resident by using the usual DOS calls, because they activate before DOS is even loaded. This makes most boot sector viruses easy to spot, since the user can check the amount of total DOS memory with the MEM or CHKDSK commands.

Misis uses an unusual way to circumvent this symptom: it stores its code in low system memory, overwriting part of the interrupt vector table. This makes the system potentially unstable, because any program that changes the higher interrupt vectors (from 94h to FFh) will overwrite part of the resident virus code, probably causing the system to crash.

One side-effect of this virus is that infected diskettes will work normally in an infected machine, but will cause read errors if accessed in a clean computer. This happens because the virus overwrites the disk parameter block which, on diskettes, is stored in the beginning of the boot sector. On infected machines this has no effect, because the virus stealths the changes it has made.

Misis contains several phrases of Russian text. These are not comprehensible on machines without a Russian screen driver. Translated to English, the texts read approximately as:

Moscow Institute of Steel and Alloys (MISiS). May 1992. Zharinov

 Soft 236-25-35. "Zharinov" come!.. Database NIKA!

 Go away from computer! Work for programmers! Fame to Lozinsky!

 Were you warned by the Surgeon General?! Pray all... 		 		

Lozinsky is a well-known Russian antivirus expert. The virus contains an activation routine, which causes some of the above-mentioned texts to be displayed in the upper left corner of the screen. On western machines, these messages show up as garbage. The texts are displayed in yellow blinking colour on brown background. The virus triggers every 16th time the boot sector is accessed.

The Misis virus was originally known as Zharinov. The name was changed when it was found out that Zharinov is the name of a professor at the MISiS, and that the virus was most likely written by one of his students. Mr. Zharinov himself obviously has nothing to do with this virus.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info