W32.Bolzano


Aliases: New Worm [McAfee], W32/Bolzano.5396.A [Panda], Win32.Bolzano.5396.a [Kaspersky], Win32.Bolzano.P [Computer Associates], Win32/Bolzano.P [Computer Associates]
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: active & spreading
Spreading: slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 11 Aug 1999
Damage: Low

Characteristics: W32.Bolzano is a virus that affects certain Windows operating systems, such as Windows 95 and Windows NT. It targets Portable Executable (PE) applications with EXE or SCR extensions. Its maximum infection size is only around 16k.

More details about W32.Bolzano

The W32.Bolzano virus is simple: it only patches or appends itself to files. It changes the program's entry point to point at the virus body and adds its code to the end of the file's last section. It replicates in the background and then runs the host program, so the user usually does not notice the infection. It also uses polymorphic techniques and leaves no other files or registry keys modified, which makes detection very complicated. It also attacks Windows NT itself. However, if you run a later Windows NT version, such as 3.50 to 4.0 with service packs, this attack does not affect you. There have been no reports on Windows 2000 betas either, but an attack there is feasible. The virus waits until it runs with administrative rights before it can fully execute on the system. It then patches ntoskrnl.exe in the WINNT\SYSTEM32 directory. If the virus succeeds, no data can be considered protected.
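
The following Python is an added, defender-side example and not code from the original page: it parses the PE headers of an executable and flags the infection pattern described above, an entry point redirected into the last section (or into a writable section, or outside any section). The build_pe fixture is constructed for the demonstration and is not a real sample; only headers and the section table are built.

```python
import struct

SCN_MEM_WRITE = 0x80000000  # IMAGE_SCN_MEM_WRITE section flag

def build_pe(sections, entry_rva):
    """Constructed fixture (headers + section table only, no real code):
    sections is a list of (name, virtual_address, virtual_size, flags)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)              # e_lfanew: PE header at 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, f)
                     for n, va, vs, f in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sec_off = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vs, flags))
    return entry, sections

def entry_point_suspicious(data):
    """Heuristic for the infection pattern described above: the entry point
    no longer lands in the first code section but in the last (appended-to)
    section, or in a writable one. Returns (flag, reason)."""
    entry, sections = parse_pe(data)
    holder = next((i for i, (_, va, vs, _) in enumerate(sections) if va <= entry < va + vs), None)
    if holder is None:
        return True, "entry point lies outside every section"
    name, _, _, flags = sections[holder]
    if len(sections) > 1 and holder == len(sections) - 1:
        return True, f"entry point in last section {name}"
    if flags & SCN_MEM_WRITE:
        return True, f"entry point in writable section {name}"
    return False, f"entry point in {name}"
```

A real scanner would pair this with a file-size comparison against a known-good copy, since the page notes the virus grows the host by appending its body.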

Its latest version can also remove password checks in the system directory. If the patched .exe file is loaded, it usually ends up displaying an error message even before a "blue screen" appears. The virus does not restore the attributes of ntldr to their original values after patching. It also deletes the contents of the \WINDOWS\Cookies and \WINNT\Cookies directories. It is said that the writer of this program may have intended to launch the virus on a different machine to conceal the fact that he was Web-surfing.