Bizatch | |
---|---|
Type | File virus |
Creator | Quantum/VLAD |
Date Discovered | 1995.07 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | MS Windows (95) |
File Type(s) | .exe |
Infection Length | 3,192 bytes |
Bizatch, also known as Boza, is the first virus to specifically target Windows 95. It was also the first virus to infect PE executables. Its renaming by an antivirus company caused a spat between the company and the coders of the virus.
Behavior
[Image: Bizatch's message]
When Bizatch is executed, it infects files in the current directory. Every time it is run, up to three files are infected with around 3,192 bytes of code appended to them.
On the 31st of any month, if the virus is run, it displays a message box praising VLAD for the virus and listing the members of VLAD at that time.
Bugs
The coders reportedly used a beta version of Windows 95. When the virus was coded, they used hard-coded API addresses which were not compatible with other versions of Windows 95. While hard-coding the API addresses may be easier, it will not always carry over into later systems and different releases (Betas, final releases, language editions).
Bizatch does not work well on the Beta version to begin with and even less with the final release. In fact, it does not work well on most Windows 95 releases. The virus cannot replicate on some foreign-language versions of Windows (the Hungarian version is one confirmed case), as it calls an incorrect address. Windows NT-based versions will not even run an infected file: a section of the .vlad header is not precisely calculated, so NT finds the file suspicious and does not execute it.
Sometimes it causes an infected file to become megabytes long. Bizatch might also corrupt an infected file beyond repair. It causes many general protection faults on both the Beta and final release.
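As an added illustration (not code from the original page or from the virus), the following Python sketch checks the kind of header consistency that, according to the paragraph above, made Windows NT refuse infected files. The page does not say which .vlad header value was miscalculated; the invariants checked here (aligned, contiguous sections whose end matches SizeOfImage), the function names and the constructed two-section header are assumptions of this example.

```python
import struct

def build_sample(size_of_image):
    """Constructed two-section PE32 header (headers only, not a real sample)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)   # SizeOfImage
    def sec(name, vsize, va, rsize, raw):            # 40-byte section header
        return struct.pack("<8sIIII12xI", name, vsize, va, rsize, raw, 0xE0000020)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1800, 0x1000, 0x1800, 0x400)
            + sec(b".vlad", 3192, 0x3000, 0xE00, 0x1C00))  # appended section

def parse_sections(data):
    """Return (SectionAlignment, SizeOfImage, [(name, vsize, va), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                     # optional header start
    align, = struct.unpack_from("<I", data, opt + 32)
    image_size, = struct.unpack_from("<I", data, opt + 56)
    secs = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vsize, va))
    return align, image_size, secs

def check_layout(data):
    """List inconsistencies between the section table and SizeOfImage."""
    align, image_size, secs = parse_sections(data)
    problems, expected_va = [], secs[0][2] if secs else 0
    for name, vsize, va in secs:
        if va % align:
            problems.append(f"{name}: VirtualAddress not aligned")
        if va != expected_va:
            problems.append(f"{name}: gap or overlap before section")
        expected_va = (va + max(vsize, 1) + align - 1) // align * align
    if image_size != expected_va:
        problems.append(f"SizeOfImage {image_size:#x}, sections end at {expected_va:#x}")
    return problems
```

Calling `check_layout(build_sample(0x3000))` models a header whose SizeOfImage was not updated after a section was appended; `build_sample(0x4000)` is the consistent case.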
Variants
There are fewer than 10 variants of this virus, mostly attempting to correct bugs in the code. Some of these corrections only introduce more bugs.
Effects
The virus created a bit of a media buzz, as it was the first Windows 95 infecting virus. It was never released into the wild. As with many pioneering viruses, Bizatch was a bit buggy, and would not have been able to spread very far. Bulgarian antivirus researcher Vesselin Bontchev thought that Bizatch did not merit any media attention. Though Sophos did draw some media attention to the virus, they got no advertising out of it, because the press did not specifically name them, instead referring to them as a "British company".
Name and Origin
Initial reports of the virus said it came from Bulgaria; however, the Bulgarian VX scene had almost completely disappeared by this time. Bizatch originates in Australia, from Quantum of the virus coding group VLAD, a group that was prolific in the 1990s and was also responsible for viruses like Nuclear, Staog and Krad. It was to be published in their next issue but, rather than waiting for the release, it was leaked to antivirus companies.
The creator originally intended to name his creation "Bizatch", a politer colloquialism for "bitch". However, antivirus researcher Vesselin Bontchev wanted to name it something different, so as (in his thinking) not to satisfy the creator's need for fame. V32, for 32-bit virus, was considered, but Bontchev thought this was too generic-sounding, so he settled on "Boza".
Boza is a fermented drink with 0.5% alcohol, popular in Bulgaria, which is made of millet. It is semi-liquid, ferments quickly (in fact it goes bad after two days) and looks like diarrhea. Few people outside of Eastern Europe and Turkey can stomach it. In addition, there is a Bulgarian expression that goes something like "this is a complete boza", which means something is completely screwed up or, with regard to programmers, that a program is buggy or made of spaghetti code. Bontchev knew the coder would get the message, as there was a Bulgarian virus coder in Australia going by the name Levski. Boza is the name used by most antivirus programs.
Other Facts
Quantum was very angry about his virus being named Boza. Later viruses attacked antivirus software and changed the detection from "Boza" to "Bizatch".