Prevent Online Threats

Archive for June, 2008

Win32.Bora

Monday, June 30th, 2008

Details
Win32.Bora

This is a non-memory resident Win32 virus written in Borland C++. It replicates under Win32 systems and infects PE EXE files (Windows executables). The virus also infects the mIRC client in order to spread its copy to IRC channels.
When an infected file is started, the virus takes control, looks for EXE files and infects them. While infecting, the virus moves the file body down and writes its code to the beginning of the file. A temporary TEMPLE.$_$ file is used during infection.
The virus infects up to three files in the current directory on each start, then looks for the \WINDOWS\RUNDLL32.EXE and \WINNT\RUNDLL32.EXE files on all available drives and infects them too.
The virus also looks for the presence of mIRC subdirectories:
C:\MIRC
C:\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32
If any of them exists, the virus creates an infected C:\WINDOWS\WINTEST.EXE file and overwrites the SCRIPT.INI file in the mIRC directory with a set of commands that send the virus copy (the C:\WINDOWS\WINTEST.EXE file) to everybody who sends a file to the IRC channel or is sent one.
On April 15th, the virus displays the following message:
Virus -=Temple=- Build 002
Copyright (c) by Wit AKA CyberViper 1999.

Win32.Bolzano family

Monday, June 30th, 2008

Details
Win32.Bolzano family

(This text was written with the help of Peter Szor)
These are benign non-memory resident parasitic Win32 viruses. They search for PE EXE files (Windows executable files) in the directory tree and write themselves to the end of the file by increasing the size of the last file section. Some versions have bugs and often corrupt files while infecting them.
Bolzano.4096.a,b,c,d,e,f
The “true” length of the viruses in this sub-family (the length of code and data) is about 2Kb, but while infecting files they increase the file length by 4096 bytes (1000h).
These virus versions search for files on the current drive only.
Starting from the “b” version, the “Bolzano” viruses open the \NTLDR and \WINNT\SYSTEM32\NTOSKRNL.EXE files (Windows NT system files), scan their code and patch the routines responsible for Windows NT access permission checks and self-checking.
The patch in NTLDR disables the CRC check that NT performs when loading the checksum-protected NTOSKRNL.EXE file. The NTOSKRNL routines are patched so that they always grant every user full access to the system, regardless of the user’s access privileges. This allows the virus to infect any EXE file on the NT system, regardless of the current user’s write permission for those files.
Starting from the “b” version, the “Bolzano” viruses also delete all files in the Windows Internet directory:
\WINDOWS\Cookies\*.*
\WINNT\Cookies\*.*

Bolzano.2664,2676,2716
In addition to what is described above, these viruses search for and infect files on all available drives in the system. They use “Entry Point Obscuring” (EPO) methods: while infecting, they do not modify the program’s entry address. To receive control, they scan randomly selected offsets of the file’s CODE section, look for CALL instructions and replace them with a “CALL VirusEntry” instruction. As a result, the virus gains control only when the patched code in the host file is executed.
The number of patched CALLs depends on the virus version and varies from 5-10 (in these variants) up to 64 (in later versions).
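As an added example (not part of the original encyclopedia entries), the following Python script parses a PE section table and applies two defender-side heuristics matching the techniques described above: an entry point that lies in the last section, as the appending Bolzano.4096 variants leave it, and a rel32 CALL inside a code section whose target leaves that section, the trace an EPO-patched CALL leaves. The PE image it scans is constructed inside the script; the section names and the 0x1000/0x2000 RVAs are assumptions, and both checks are noisy heuristics on real binaries.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, raw_ptr, raw_size, flags), ...]) from a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, va, vsize, rptr, rsize, struct.unpack_from("<I", data, off + 36)[0]))
    return entry, secs

def entry_in_last_section(entry, secs):
    """Appending infectors enlarge the last section and move the entry point into it."""
    _, va, vsize, _, rsize, _ = secs[-1]
    return va <= entry < va + max(vsize, rsize)

def calls_leaving_section(data, secs):
    """Scan executable sections for E8 rel32 CALLs whose target lies outside the section
    containing them. Heuristic: stray 0xE8 data bytes and legitimate cross-section calls hit too."""
    hits = []
    for name, va, vsize, rptr, rsize, flags in secs:
        if not flags & 0x20000000:  # IMAGE_SCN_MEM_EXECUTE
            continue
        code = data[rptr:rptr + rsize]
        for i in range(len(code) - 4):
            if code[i] == 0xE8:
                target = va + i + 5 + struct.unpack_from("<i", code, i + 1)[0]
                if not va <= target < va + max(vsize, rsize):
                    hits.append((name, va + i, target))
    return hits

def build_sample_pe(entry=0x1000, epo=False):
    """Constructed two-section PE32 image used as sample input (not a real binary)."""
    text = bytearray(b"\x55\x8b\xec\xe8" + struct.pack("<i", 8) + b"\xc3" + b"\x90" * 23)
    if epo:  # redirect the CALL at RVA 0x1003 into the appended section at RVA 0x2000
        text[4:8] = struct.pack("<i", 0x2000 - 0x1008)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry)
    sec = lambda n, va, rptr, f: n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 32, va, 32, rptr, 0, 0, 0, 0, f)
    hdr = dos + coff + opt + sec(b".text", 0x1000, 0x200, 0x60000020) + sec(b".tmpl", 0x2000, 0x220, 0xE0000020)
    return bytes(hdr.ljust(0x200, b"\0") + text + b"\xc3" * 32)
```

Run `parse_pe` on a file's bytes and feed the result to both checks; a hit from either is a reason to look closer, not a verdict.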
Bolzano.3100,3120,3164,3192
In addition to the above, these viruses encrypt themselves and use a polymorphic code in the decryption loop.
Bolzano.3628,3904
In addition to the above, these viruses patch two more routines in the Windows NT system files. The new NTOSKRNL patch allows any application to write to any file regardless of access permissions. The second patched file is MSV1_0.DLL, where the virus patches a routine responsible for password validation. As a result of this patch, any text string is accepted as a valid password on an affected system.
Bolzano.5396
In addition to the above, this virus has a more complex polymorphic engine. It checks file names while infecting and does not infect files matching: _AVP*, ALER*, AMON*, AVP3*, AVPM*, N32S*, NAVA*, NAVL*, NAVR*, NAVW*, NOD3*, NPSS*, NSCH*, NSPL*, SCAN*, SMSS*
This virus also affects the mIRC client. To do that, it creates an infected dropper with a random name in the mIRC directory and overwrites the SCRIPT.INI file there. The new SCRIPT.INI contains a small routine that sends the infected dropper to users joining an infected channel.

Win32.Bogus.4096

Monday, June 30th, 2008

Details
Win32.Bogus.4096

This is a silly non-memory resident prepending Win32 virus. It takes the first .EXE file in the current directory, moves 4Kb of the file header to the end of the file and overwrites the file header with its own code. If the first file in the directory is already infected, the virus does not infect any more files. To run the host file, the virus disinfects it into a temporary file named “ZerNeboGus.exe”. The virus pays no attention to the internal file structure and infects DOS EXE files as well as Win32 PE EXE files.
The virus contains the text strings:
Dedicated to all those who, yet, don’t understand the PE format.
Win32.ZerNeboGus (c) 1999 by the Changeling

Win32.Blueballs.4117

Monday, June 30th, 2008

Details
Win32.Blueballs.4117

This is a benign non-memory resident parasitic virus. It searches for Win32 EXE files in the subdirectories of the current directory and then on the C: drive, and writes itself to the end of each file.
On January 1st, February 14th, April 1st, May 4th, October 1st, and December 25th, the virus executes itself with a video effect: it paints blue balls at the top left corner of the desktop.

Win32.Bika

Monday, June 30th, 2008

Details
Win32.Bika

This is a harmless per-process memory resident parasitic Win32 virus. It infects Win32 applications only. While infecting, the virus writes itself to the end of the file.
When an infected file starts, the virus hooks the “set current directory” Win32 API functions (SetCurrentDirectoryA, SetCurrentDirectoryW) imported by the host program, stays as a “background” thread of the infected process, and infects files in a directory whenever the current directory is changed.
The virus does not manifest itself in any way. It contains the “copyright” text strings:
Win32.Ikarus by Black Jack
written in Austria in the year 2001

Win32.Benny.3219

Monday, June 30th, 2008

Details
Win32.Benny.3219.a

This is a direct-action (non-memory resident) parasitic Win32 virus. It searches for PE EXE files in the Windows, Windows system and current directories, then writes itself to the end of the file. The virus has bugs and in many cases corrupts files while infecting them. The virus checks file names and does not infect RUNDLL32.EXE, TD32.EXE, TLINK32.EXE or TASM32.EXE.
While infecting, the virus increases the size of the last file section, writes itself there and modifies the necessary PE header fields, including the program start-up address.
The virus contains the “copyright” string:
Win32.Benny (c) 1999 by Benny

Win32.Beef

Sunday, June 29th, 2008

Details
Win32.Beef

This is a harmless memory resident parasitic Win32 virus. It stays in Windows memory and infects PE EXE files (Win32 executable files) as they are opened. While infecting, the virus writes itself to the end of the file.
When the virus is run for the first time, it infects the EXPLORER.EXE file in the Windows directory. Because EXPLORER.EXE is active and locked by Windows against writing, the virus uses a standard trick to get around that: it copies EXPLORER.EXE to a BEEFREE.SYS file and infects the copy. The virus then creates a WININIT.INI file containing a “rename” command that replaces the original EXPLORER.EXE with the infected copy on the next Windows restart.
When Windows is running with the infected EXPLORER.EXE, the virus gets access to the KERNEL32.DLL image in system memory and patches two of its exported API functions, LoadLibraryA and CreateFileA. When a PE EXE file is subsequently opened, the virus infects it.

Win32.Bee

Sunday, June 29th, 2008

Details
Win32.Bee

This is a primitive companion Windows virus. While infecting, it searches for .EXE files in the current directory, renames each .EXE file to the 3X3 extension and writes its own code under the original name of the infected file. The virus also copies its file to the Windows directory under the name “C:\Windows\FastCache.exe”.
The virus is able to spread via mIRC channels. To do that, it overwrites the SCRIPT.INI file in the mIRC client directory and writes there several instructions that send the infected EXE file to the channel.
The virus is a Win32 PE executable program, but it is able to infect EXE files of any format (DOS, OS/2, Win16/32): the virus pays no attention to the format and, to return control to the host file, simply executes it with the WinExec system function. The virus has bugs and in some cases copies files with wrong names.
If the virus is not able to locate the host “3X3” file to pass control to the original host program, it displays the following message and exits to Windows:
Invalid call in shared memory 0x0cf689000.

On May 9th the virus creates the C:\LOGO.SYS file, writes a BMP image to it and displays the message:
Win32.3x3Eyes coded by Bumblebee[UC]
This is my 1st contribution to Ultimate Chaos team.
Gteetingz UC brothers!

Win32.Barum.1536

Sunday, June 29th, 2008

Details
Win32.Barum.1536

This is a possibly dangerous non-memory resident parasitic Win32 virus. It searches for PE EXE files in the current and Windows directories and infects them. While infecting, the virus writes itself to the end of the file.
On March 6th, from 0:00am till 1:00am GMT (Coordinated Universal Time, UTC, not local time), the virus attempts to delete all *.EXE files in the Windows directory, but fails because of a bug.
The virus contains the text string:
[ Bajan Rum ]
Tekken’ time ent no lazinessall

Win32.AutoWorm.3072

Sunday, June 29th, 2008

Details
Win32.AutoWorm.3072

This is a primitive worm about 3Kb in size. It spreads under Win32. When it starts, it copies itself under the name “AutoWorm.exe” to the root directories of all available drives (including floppy drives), and creates there an “Autorun.inf” file containing a single command:
[autorun]
OPEN=AutoWorm.exe

The “AutoRun.inf” file is automatically processed by Windows only when a CD-ROM is accessed, so the virus is not activated when an infected floppy disk or local hard drive is accessed.

Win32.Atav.1939

Sunday, June 29th, 2008

Details
Win32.Atav.1939

This is a dangerous non-memory resident encrypted parasitic Win32 virus. It searches for PE EXE files in the current directory, then writes itself to the end of the file. The infection procedure is buggy and destroys the PE file structure, so most infected files become corrupted.
The virus contains the following “copyright” and other text strings:
Win9x.ATAV (c)oded by Radix16[MIONS]

AVG?????.DAT
AVP.CRC
ANTI-VIR.DAT
CHKLIST.MS
AVP Monitor
AVG Control Center
It seems the virus author intended to delete anti-virus data files and kill anti-virus processes, but these routines are never executed.

Win32.Asorl

Sunday, June 29th, 2008

Details
Win32.Asorl

This is a relatively harmless non-resident parasitic Win32 virus. It searches for Win32 EXE applications (PE EXE files) in the current directory and the Windows directory and infects up to 5 files in the directory. While infecting, the virus writes itself to the end of the file.
If the current date is July 28th, the virus displays the following message box:
__________________________________________________
lWin32/AstroGirl AstroCoded by a Wazex l
l________________________________________________l
lYour system is infected by Win32/AstroGirl v1.0 l
lDedicated to Anita and our peng-guin ;) l
l SmuakssSsssss!!!! l
l________________________________________________l

Win32.Aris

Saturday, June 28th, 2008

Details
Win32.Aris

This is a polymorphic encrypted Win32 virus. It finds and infects several files with the extensions “EXE”, “DLL” and “SCR” in the current, %WINDOWS% and %SYSTEM% folders. Depending on the system date, the virus also closes windows with the titles “Program Manager” and “AVP Monitor”.

Win32.Apparition

Saturday, June 28th, 2008

Details
Win32.Apparition

This is a “memory resident” Win32 (Windows 95/NT) parasitic infector. It looks like the “Win.Apparition” Windows virus rewritten for Win32: it has the same structure (code, compressed data and so on) and uses similar algorithms for installation, infection and mutation. The differences are that this virus is written in C (the Windows virus was written in Pascal), it has no visible window, and it has other text strings and displays other message boxes.
As with the Windows version, this virus corrupts files while infecting them: it looks for C/Pascal subroutine headers and overwrites them with the bytes FFh, FFh, xxh (xxh is a random byte). When this code receives control, the system generates an exception; the virus intercepts it and fixes the problem. As a result, (A) infected files work under an infected system but not after disinfection, and (B) it is impossible to guarantee 100% disinfection even after fixing these patched blocks. Consequently, infected files have to be erased.

Win32.Apathy.5378

Saturday, June 28th, 2008

Details
Win32.Apathy.5378

This is a harmless parasitic Windows virus. It replicates under Windows 9x/NT and infects PE executable files. While infecting, the virus moves the top of the file to its end and writes itself to the top of the file. It also corrects the necessary fields in the Resource table. To pass control to the host program, the virus creates a copy of it, disinfects the copy and runs it.
The virus is “semi-resident”: it does not hook any system events, but stays in Windows memory, searches for .EXE files and infects them. Before infecting the next file, the virus “sleeps” for about 10 seconds. The virus is therefore of the “direct infector” class, but it may stay in memory for a long time, depending on the number of EXE files on the drive.
The virus contains the text strings:
Win32.Apathy by -b0z0/iKX-
i am nobody except genetic runaround
