Virus: BozaName: Boza
The first virus to spread only under the Microsoft Windows 95 operating system was found in January 1996. This virus is of Australian origin. It has not been reported in the wild anywhere in the world, and can not be seen as a serious threat to Windows 95 users.
This new virus has been named 'Boza'. It infects only Windows Portable Executable EXE files - such files are used by Windows 95 and Windows NT. However, Boza does not infect machines running the Microsoft Windows NT operating system. So far, no viruses written specifically for Windows NT has been found.
Whenever an EXE file infected by Boza is run, it will infect programs in the current directory. One to three EXE files are infected with every execution. After this Boza will execute the code of the original infected file - otherwise the user would notice that something is wrong. Boza does not stay active in memory after execution. For this reason it spreads relatively slow from program to another. The actual infection process is fast enough to go undetected in most machines.
Boza has no destructive routines but it contains a bug, which will in some cases increase an infected .EXE file's size by several megabytes. This can reduce free disk space quickly. The virus also has an activation routine which displays texts like 'The taste of fame just got tastier!' and 'From the old school to the new', but it is unclear whether this screen is ever displayed. Boza also contains internal texts like:
Please note: the name of this virus is [Bizatch] written by Quantum / VLADThese texts are never displayed. VLAD is a virus-writers group originating from Australia.
Boza's spreading technique resembles some of the early DOS viruses. When the first DOS viruses were found in 1980's, they were very simple compared to some of the currently known polymorphic multipartite fast infecting stealth viruses. It can be expected that similar evolution will be happening with Windows viruses.
Boza can be searched for by copying the following two lines to the Command AntiVirus directory in a file called USER.DEF and then using the parameter /USER to search for user-defined search strings:
E Boza 81BD200A440050450F85A60100006681BD6C0A44
Boza would be totally unremarkable virus otherwise, but since it was the first virus which spreads only under Windows 95, it has received a lot of publicity. Boza will probably never be a real problem for Windows 95 users.
Virus analysis courtesy of Data Fellows