| Place of Origin | France? |
| Infection Length | 4,096 bytes |
Bolzano is a virus that patches the Windows NT Kernel to help itself spread. It allows all users full access to all files on the system.
When a file infected with Bolzano is executed, the virus checks the date and time stamp of a file to see if it is already infected. This check, however, is unreliable, so some files may be infected twice or more. It appends itself to the file and modifies the entry point to point to the virus. It is not memory resident. The original Bolzano was not particularly interesting, but its later variants were fascinating and potentially dangerous.
While the first few variants of Bolzano were relatively uninteresting for their time, later variants were much more sophisticated. Variant D hooks randomly selected CALL instructions to trigger the virus when an infected program is executed, rather than modifying the entry point. It is also very buggy.
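As an added, defender-side example that is not part of this page or of Szor's analysis: a small PE header parser with a triage heuristic for the layout described above, code appended to the file with the entry point redirected into it. The sample images are constructed in memory; the section layout, the 4,096-byte growth of the last section and the heuristic itself are assumptions.

```python
import struct

def build_pe(entry_rva, sections):
    """Minimal PE header image (constructed test data, carries no real code)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 4
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(n.ljust(8, b"\0") + struct.pack("<II", vs, va) + b"\0" * 24
                    for n, va, vs in sections)                      # 40-byte section headers
    return dos + b"PE\0\0" + coff + opt + hdrs

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header follows 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        secs.append((name, va, vsize))
    return entry_rva, secs

def entry_section_index(data):
    """Index of the section containing the entry point, or None if it lies outside all of them."""
    entry_rva, secs = parse_pe(data)
    for i, (_, va, vsize) in enumerate(secs):
        if va <= entry_rva < va + vsize:
            return i
    return None

def looks_appended(data):
    """Triage heuristic (assumption): entry point in the last section of a multi-section
    image, or outside every section. Packers trigger it too, so it is a signal, not a verdict."""
    nsec = len(parse_pe(data)[1])
    idx = entry_section_index(data)
    return idx is None or (nsec > 1 and idx == nsec - 1)

# Constructed samples: a clean layout, and one whose last section grew by 4,096 bytes
# with the entry point redirected into the appended region.
SECTIONS = [(b".text", 0x1000, 0x800), (b".data", 0x2000, 0x400), (b".rsrc", 0x3000, 0x1200)]
CLEAN = build_pe(0x1010, SECTIONS)
GROWN = SECTIONS[:-1] + [(b".rsrc", 0x3000, 0x1200 + 0x1000)]
INFECTED = build_pe(0x3000 + 0x1200, GROWN)
```

Note that a variant like D, which leaves the entry point alone and hooks CALL instructions instead, would not be flagged by this check; a section-size or hash comparison against a known-good copy is needed for that case.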
The Bolzano.B, C and D variants attack the Windows NT security system. They require Administrator privileges to do this. When one of these variants is run with Administrator privileges, it modifies two bytes of an undocumented security API called SeAccessCheck in the file NTOSKRNL.EXE in the system folder (this is the Windows NT Kernel). The next time the computer is booted with this modified kernel, all users (including "Guest") will have full read/write privileges to all files on the system.
There was little actual damage from this virus. It was known to be in the wild on all continents except Africa and Antarctica. France reported the first in-the-wild infection. Its Windows NT kernel patching technique was later used by the Funlove virus.
Bolzano is thought to have originated in France, as that was the country that had the first reported infection. Bolzano is also the name of a city and region in northern Italy. It may be in some way related to Remex.