Vesselin Bontchev, BOZA Virus?

gl...@glenm.seanet.com (Glen D Moffitt) writes:

> This morning on local news programs they are reporting (from the UK) discovery
> of a virus out of Bulgaria called the BOZA virus, which purportedly infects
> only Windows 95 systems, plus some related executable files, and displays a
> message...anyone heard of this or is this just another "chicken little"
> story...

The story is rather funny, folks. Here are some "insider" details.

First, the main thing in the story is right - the first Win95-specific virus (or, more exactly, the first PE-EXE infector) has been found. The rest is... well... a news report.

The virus is written by the Australian virus writing group VLAD. It was intended to be published in the next issue of their virus writing electronic newsletter. However, they were obviously so proud of what they have done, that they didn't have the patience to wait for the official release of the newsletter and "leaked" the virus to the anti-virus people. After all, the "avers" know more than anyone else about viruses, so they should be the most able to appreciate the new "achievement".

I first heard about this virus from a contact of mine in Germany - but didn't get a sample. (And didn't insist on one, BTW. Big deal, a PE-EXE infector. When it appears, we'll see it.) A few days ago we (CARO) got a sample sent to us by one of our members - Eugene Kaspersky, the author of AVP.

Another CARO member works for the British anti-virus company Sophos. Obviously, Sophos have decided that the virus is worth making a noise about in the media and has published a press release - which then has been copied and interpreted freely by the major media agencies.

I, personally, think that the virus is not worth the noise. C'mon, folks, it is just a silly non-resident EXE-only infector, which works only in 32-bit environments using the PE-EXE format (like Win95, WfW+WinG, or WinNT). FYI, "PE" stands for "Portable Executable". Such programs are supposed to be able to run in all the three environments mentioned above. On top of that, the virus is buggy as hell - infected files sometimes become megabytes long. In short, it has virtually zero chances to spread and become a threat.

On top of that, the media quoted Sophos as "one British company", so they didn't get even advertising value from their press release. And it was certainly not them who discovered the virus.

Now, about the virus name. That's the funniest part of the story. The virus contains several text strings, among which the phrase "Please note: the name of this virus is [Bizatch] written by Quantum of VLAD". It seemed that the virus writer who goes under the handle "Quantum" *very* much wanted to have "his" virus named "Bizatch". Well, we're not in the business of satisfying the virus writers' need for fame, so we (CARO) decided to name the virus differently, just in spite. :-)

But how to name it? Some trivial name was proposed - like V32 (for 32-bit virus), but that looked too generic to me. Then I had an inspiration! The wannabe name of the virus sounded a bit like the Bulgarian word "boza". In Bulgarian (and probably in Turkish), this word means a drink made of millet (and, as the rumour goes, of candies that have spoiled), which is semi-liquid and tends to ferment quickly (has to be consumed within 48 hours, or it gets spoiled) and has about 0.5% alcohol. It is something I call "the undrinkable Bulgarian drink", because most foreigners find it of horrible taste and tend to throw up after drinking it - while I (and many Bulgarians) find it delicious. :-) The drink has a light-brown color, is semi-liquid and looks like - yes, you guessed it.

Furthermore, there is a Bulgarian slang expression "this is a complete 'boza'", meaning that something is totally messed-up/screwed-up (it's used only for things; not for situations). This is the expression a Bulgarian would use when faced with spaghetti code or an incredibly buggy program. (Right, Windoze is a complete 'boza' too.)

Since the virus in question is rather buggy, since there is at least one Bulgarian virus writer in Australia (going by the handle "Levski"), and since the term has a slightly offensive meaning when applied to a program, I thought that it would be a perfect name for this particular virus. Well, so it stuck. (The 'boza' is a sticky drink too.) :-)

So, to summarize, yes, the Boza virus really exists, yes, it displays a message in a window praising its creators, and no, it is not any serious threat. As usual, you can ignore almost everything the media says about computer viruses. It's real but it's not the end of the world, folks. Just yet another stupid virus out there - one which (thank goodness) has no chances to spread.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland producers of F-PROT.
e-mail: bontc...@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44 E5 F7 C3 18 EA 2B AE 4E