CYBEC's initial answer to the first Win95 virus
-----------------------------------------------

BOZA is the first virus discovered which attacks Windows 95 programs. 
We are pleased to say that we have an answer - KILLBOZA.

Technical Detail
----------------
The BOZA virus attacks the PE (Portable Executeable) file format, 
which is used for programs under Windows 95 and Windows NT. This is 
the first virus seen which attacks the PE file format. Almost all 
viruses attack the DOS executeable file formats, known as .COM, and 
DOS .EXE.

BOZA attaches itself to the end of the program, and diverts the 
program's entry point into its viral code. When an infected program 
is run the virus attempts to infect up to three other programs in the 
same directory, then passes control to its host program.

The KILLBOZA answer
-------------------
The program KILLBOZA will verify if a file is infected with the BOZA 
virus. If the file is infected, KILLBOZA will remove the virus and 
restore the program. On all of the samples we have tested KILLBOZA 
has restored the program completely. Although we have reports of BOZA 
incorrectly infecting some programs, KILLBOZA seems to remove the 
incorrect infections as well as the "correct" ones.

There is no danger in running KILLBOZA against an uninfected file. 
KILLBOZA will simply report that file as being uninfected - it will 
take no action.

Running KILLBOZA (NOTE: it is best to shut down '95 and start in DOS
                        mode as some files to be checked may be in use.)
----------------
To run KILLBOZA on a single program, for example, WRITE.EXE, you 
type:  (NOTE: the KILLBOZA.EXE file must be in the path or the 
       current directory)

KILLBOZA WRITE.EXE

and press Enter. KILLBOZA will inspect the file and report whether 
the file is infected. If it is infected, KILLBOZA will attempt to 
clean it, and will report if the cleaning wass successful.

Cleaning an entire directory
----------------------------
If you wish to run KILLBOZA against all the files in a directory you 
can, while in that directory, type:

KILLBOZA *.exe

and press Enter. This will check all of the .EXE files in the current 
directory.

Checking an entire drive
------------------------
If you wish to check an entire hard drive you can type:

KILLBOZA /s c:\*.exe

and press Enter. The /s option instructs KILLBOZA to scan 
subdirectories.

--------------------------------------------------------------------

Here at CYBEC we are dedicated to producing quick responses to all 
new viruses. We are incorporating defence against BOZA into VET, but 
KILLBOZA will keep you running in the meantime.
