Boza virus

David Kennedy (76702.3557@compuserve.com)
19 Feb 96 03:06:42 EST

I'm going through some old accumulated mail and saw your post to the ids list.
If you haven't already gotten Boza information, here's a pretty good post from
USENET:

 In alt.comp.virus, bontchev@complex.is (Vesselin Bontchev) wrote:

 glenm@glenm.seanet.com (Glen D Moffitt) writes:

 > This morning on local news programs they are reporting (from the UK)
 > discovery of a virus out of Bulgaria called the BOZA virus, which purportedly
 > infects only Windows 95 systems, plus some related executable files, and
 > displays a message...anyone heard of this or is this just another "chicken
 > little" story...

 The story is rather funny, folks. Here are some "insider" details.

 First, the main thing in the story is right - the first Win95-specific
 virus (or, more exactly, the first PE-EXE infector) has been found.
 The rest is... well... a news report.

 The virus is written by the Australian virus writing group VLAD. It
 was intended to be published in the next issue of their virus writing
 electronic newsletter. However, they were obviously so proud with what
 they have done, that they didn't have the patience to wait for the
 official release of the newsletter and "leaked" the virus to the
 anti-virus people. After all, the "avers" know more than anyone else
 about viruses, so they should be the most able to appreciate the new
 "achievement".

 I first heard about this virus from a contact of mine in Germany - but
 didn't get a sample. (And didn't insist on one, BTW. Big deal, a
 PE-EXE infector. When it appears, we'll see it.) A few days ago we
 (CARO) got a sample sent to us by one of our members - Eugene
 Kaspersky; the author of AVP. Another CARO member works for the
 British anti-virus company Sophos. Obviously, Sophos have decided that
 the virus is worth making a noise about it in the media and has
 published a press release - which then has been copied and interpreted
 freely by the major media agencies.

 I, personally, think that the virus is not worth the noise. C'mon,
 folks, it is just a silly non-resident EXE-only infector, which works
 only in 32-bit environments using the PE-EXE format (like Win95,
 WfW+WinG, or WinNT). FYI, "PE" stands for "Portable Executable". Such
 programs are supposed to be able to run in all the three environments
 mentioned above. On the top of that, the virus is buggy as hell -
 infected files sometimes become megabytes long. In short, it has
 virtually zero chances to spread and become a threat. On the top of
 that, the media quoted Sophos as "one British company", so they didn't
 get even advertising value from their press release. And it was
 certainly not them who discovered the virus.

 Now, about the virus name. That's the funniest part of the story. The
 virus contains several text strings, among which the phrase "Please
 note: the name of this virus is [Bizatch] written by Quantum of VLAD".
 It seemed that the virus writer who goes under the handle "Quantum"
 *very* much wanted to have "his" virus named "Bizatch". Well, we're
 not in the business of satisfying the virus writers' need for fame, so
 we (CARO) decided to name the virus differently, just in spite. :-)

 But how to name it? Some trivial name was proposed - like V32 (for
 32-bit virus), but that looked too generic to me. Then I had an
 inspiration! The wannabe name of the virus sounded a bit like the
 Bulgarian word "boza". In Bulgarian (and probably in Turkish), this
 word means a drink made of millet (and, as the rumour goes, of candies
 that have spoiled), which is semi-liquid and tends to ferment quickly
 (has to be consumed within 48 hours, or it gets spoiled) and has about
 0.5% alcohol. It is something I call "the undrinkable Bulgarian
 drink", because most foreigners find it of horrible taste and tend to
 throw up after drinking it - while I (and many Bulgarians) find it
 delicious. :-) The drink has a light-brown color, is semi-liquid and
 looks like - yes, you guessed it.

 Furthermore, there is a Bulgarian slang expression "this is a complete
 'boza'", meaning that something is totally messed-up/screwed-up (it's
 used only for things; not for situations). This is the expression a
 Bulgarian would use when faced with spaghetti code or an incredibly
 buggy program. (Right, Windoze is a complete 'boza' too.) Since the
 virus in question is rather buggy, since there is at least one
 Bulgarian virus writer in Australia (going by the handle "Levski"),
 and since the term has a slightly offensive meaning when applied to a
 program, I thought that it would be a perfect name for this particular
 virus. Well, so it stuck. (The 'boza' is a sticky drink too.) :-)

 So, to summarize, yes, the Boza virus really exists, yes, it displays
 a message in a window praising its creators, and no, it is not any
 serious threat. As usual, you can ignore almost everything the media
 says about computer viruses. It's real but it's not the end of the
 world, folks. Just yet another stupid virus out there - one which
 (thank goodness) has no chances to spread.

 Regards, Vesselin
 --
 Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
 Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
 e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
 PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E