

W32.Bolzano

 

W32.Bolzano is a virus that replicates under Windows 95 and Windows NT, infecting Portable Executable (PE) applications with EXE or SCR extensions.
It does not infect a host program whose size is less than 16K. As of Sept 16, 1999, 17 different variants of the virus are known, which makes Bolzano the largest W32 virus family so far.

From the replication point of view, there is nothing remarkable about the first few versions of Bolzano.
The A, B and C variants are simple, direct-action appending infectors: the virus adds its code to the end of the last file section and modifies the entry point of the program to point to the virus body.
The D variant does not modify the entry point of PE files; instead, it searches for 12 possible CALL instructions inside the code section of the host and hooks randomly selected ones of them so that they transfer control to the entry point of the virus.
The virus creates a thread for itself in the infected process and replicates in the background while the host program runs in the main thread, so the user will not easily notice any delays.
Several variants of Bolzano use an inserting technique (infection without entry-point modification) and are polymorphic at the same time, which makes detection of the virus more complicated.
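The two infection strategies just described (A-C: entry point redirected into the extended last section; D: entry point untouched, a CALL in the code section rerouted to the virus body) can be turned into a simple static heuristic. The scanner below is an added example written for this page, not code from the original writeup or from the virus. It parses the PE header and section table, applies the 16K minimum host size the text mentions, and flags an entry point that lands in the last section or an E8 CALL rel32 in the code section whose target resolves into the last section. The two-section PE image it scans is constructed in memory; its section names, sizes and RVAs are arbitrary assumptions and it is not a real program or a real infected file.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
MIN_HOST_SIZE = 16 * 1024  # the text says hosts under 16K are not infected


def parse_pe(data):
    """Return (entry_rva, sections); each section is
    (name, virtual_address, virtual_size, raw_offset, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        sh = opt + opt_size + 40 * i
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawoff = struct.unpack_from("<IIII", data, sh + 8)
        sections.append((name, vaddr, vsize, rawoff, rawsize))
    return entry_rva, sections


def section_index(sections, rva):
    """Index of the section containing rva, or None."""
    for idx, (_, vaddr, vsize, _, rawsize) in enumerate(sections):
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return idx
    return None


def scan(data):
    """Return a list of findings; an empty list means neither heuristic fired."""
    findings = []
    if len(data) < MIN_HOST_SIZE:
        return findings  # below the 16K threshold the text describes
    entry_rva, sections = parse_pe(data)
    last = len(sections) - 1
    if last == 0:
        return findings  # single-section image: the heuristics do not apply
    # A-C style: the entry point was redirected into the (extended) last section.
    if section_index(sections, entry_rva) == last:
        findings.append("entry point in last section %r (A-C style appending infection)"
                        % sections[last][0])
    # D style: entry point intact, but a CALL rel32 in the code section lands in the
    # last section. Caveat: every 0xE8 byte is treated as an opcode, so this is a
    # coarse heuristic rather than a disassembler; confirm hits by hand.
    _, vaddr, _, rawoff, rawsize = sections[0]
    code = data[rawoff:rawoff + rawsize]
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = vaddr + off + 5 + rel
        if section_index(sections, target) == last:
            findings.append("CALL at RVA 0x%x targets last section (D style hook)" % (vaddr + off))
    return findings


# Constructed sample image (assumed layout; not a real program, not a real infected file).
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x400, 0x1000
DATA_RVA, DATA_RAW, DATA_SIZE = 0x2000, 0x1400, 0x4000
VIRUS_RVA = DATA_RVA + DATA_SIZE - 0x100  # where an appended body would sit


def build_sample(mode="clean"):
    """Two-section PE (.text, .data) of 21504 bytes. mode is 'clean', 'append'
    (entry point moved into .data) or 'callhook' (a CALL in .text redirected
    into .data, entry point untouched)."""
    text = bytearray(b"\x90" * TEXT_SIZE)
    # a legitimate CALL at .text+0 to .text+0x100, present in every mode
    text[0:5] = b"\xE8" + struct.pack("<i", (TEXT_RVA + 0x100) - (TEXT_RVA + 0 + 5))
    entry = TEXT_RVA
    if mode == "append":
        entry = VIRUS_RVA
    elif mode == "callhook":
        text[0x10:0x15] = b"\xE8" + struct.pack("<i", VIRUS_RVA - (TEXT_RVA + 0x10 + 5))
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry)  # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW,
                       0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".data", DATA_SIZE, DATA_RVA, DATA_SIZE, DATA_RAW,
                        0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sect
    return headers + b"\0" * (TEXT_RAW - len(headers)) + bytes(text) + b"\0" * DATA_SIZE


if __name__ == "__main__":
    for mode in ("clean", "append", "callhook"):
        print(mode, scan(build_sample(mode)))
```

Both heuristics produce false positives on legitimate files (packers and some linkers also place entry points in late sections), so they are triage signals to be confirmed by looking at the code at the flagged address, not a verdict on their own.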
Several variants of the Bolzano virus do not only replicate but also attack the Windows NT file security system, using a new strategy that NT viruses may well reuse in the future. The attack works on any version of Windows NT (3.50 up to 4.0) with any service pack applied. It does not work on any beta of Windows 2000, although an equivalent attack remains feasible there.

In order to attempt the attack, the virus needs administrative rights on a Windows NT Server or Windows NT Workstation during the initial infiltration. It is therefore not a major security risk, but it is still a potential threat: a virus can always wait until the Administrator, or someone with equivalent rights, logs on. When that happens, W32.Bolzano has the chance to patch ntoskrnl.exe, the Windows NT kernel, located in the WINNT\SYSTEM32 directory. The virus modifies only 2 bytes in SeAccessCheck, the kernel routine that checks a requested access against an object's security descriptor. In this way Bolzano gives every user full access to every file, regardless of its protection, whenever the machine is booted with the modified kernel. A Guest, having the lowest possible rights on the system, can then read and modify all files, including files that are normally accessible only by the Administrator. This is a
potential problem, since the virus can then spread anywhere it wants regardless of the actual access restrictions on the particular machine.
Furthermore, after the attack no data on the machine can be considered protected from any user. The latest variants of Bolzano also patch MSV1_0.dll in the System32 directory in order to remove the password checks there.

Unfortunately the integrity of ntoskrnl.exe is checked in only one place. The loader, ntldr, is supposed to check it when it loads ntoskrnl.exe into physical memory during boot-up. If the kernel is corrupted, ntldr is supposed to stop loading it and display an error message, even before a "blue screen" could appear. To get around this, W32.Bolzano also patches ntldr so that no error message is displayed and Windows NT boots just fine even though the kernel's checksum no longer matches the original. Since no code checks the integrity of ntldr itself, the patched kernel is loaded without any notification to the user. Because ntldr is a hidden, system, read-only file, W32.Bolzano changes its
attributes to "archive" before it tries to patch it, and it does not restore the original attributes afterwards; an ntldr that carries only the archive attribute is therefore a lasting sign that something has tampered with it. The patches themselves live on disk, so comparing ntoskrnl.exe, ntldr and MSV1_0.dll against known-good copies (from the installation media and the applied service pack) after booting from clean media will reveal them.
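The check described above, ntldr recomputing the image checksum of ntoskrnl.exe and comparing it with the value stored in the PE header, can be shown on a constructed image. The code below is an added example, not code from the page, from the virus or from Microsoft. It implements the PE image checksum (the 16-bit ones'-complement word sum plus file length that imagehlp's CheckSumMappedFile uses), writes it into a hand-built stand-in for a kernel image, applies a hypothetical two-byte patch at a conditional branch (the real Bolzano patch bytes are not given on the page, and the offset used here is an assumption), and shows both that the stored checksum then fails to verify and that anyone who can also rewrite the header can simply recompute it. That second point is the practitioner's caveat: the check is only as strong as the code performing it, which is exactly why patching ntldr was enough for the virus.

```python
import struct

E_LFANEW = 0x80
CHECKSUM_IN_OPT = 64                   # OptionalHeader.CheckSum offset (PE32 and PE32+)
CODE_OFF = E_LFANEW + 4 + 20 + 0xE0    # the code blob follows the PE32 header directly
CODE_SIZE = 0x1000
# Offset of the conditional branch the demo patches. Assumed stand-in for an
# access-check decision; the real Bolzano patch location is not on the page.
PATCH_OFF = CODE_OFF + 0x202


def checksum_field_offset(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + CHECKSUM_IN_OPT


def pe_checksum(data):
    """Ones'-complement 16-bit sum of every word except the CheckSum field
    itself, plus the file length: the scheme behind imagehlp's CheckSumMappedFile."""
    skip = checksum_field_offset(data)
    total = 0
    even = len(data) & ~1
    for i in range(0, even, 2):
        if i == skip or i == skip + 2:              # the 4-byte CheckSum field is excluded
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)    # end-around carry
    if len(data) & 1:                               # trailing byte, zero-padded
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify(data):
    """The loader-side check: recompute and compare with the header value."""
    return stored_checksum(data) == pe_checksum(data)


def with_checksum(data):
    """Write a valid checksum into the header: what the linker does at build
    time, and what an attacker who can rewrite the header can do after patching."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def patch(data, offset, new_bytes):
    out = bytearray(data)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def build_image():
    """Constructed stand-in for a kernel image (not a real kernel): MZ stub,
    PE32 header, and a code blob holding 'test eax,eax / jnz +6' at CODE_OFF+0x200."""
    dos = bytearray(E_LFANEW)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic; CheckSum left at 0
    code = bytearray(b"\x90" * CODE_SIZE)
    code[0x200:0x204] = b"\x85\xC0\x75\x06"         # test eax,eax ; jnz +6
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(code)


if __name__ == "__main__":
    kernel = with_checksum(build_image())
    print("pristine image verifies:", verify(kernel))
    # Two-byte patch: replace 'jnz +6' with two NOPs so the branch is never taken.
    tampered = patch(kernel, PATCH_OFF, b"\x90\x90")
    print("after two-byte patch:", verify(tampered))
    print("after attacker recomputes the header:", verify(with_checksum(tampered)))
```

The checksum is a ones'-complement sum, so a patch whose word-delta is a multiple of 0xFFFF (for instance turning 0x0000 into 0xFFFF) would not even change it; it is an integrity hint against accidental corruption, not a defence against a writer who controls the file, let alone one who controls the loader.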
Several variants of W32.Bolzano delete the contents of the \WINDOWS\Cookies and \WINNT\Cookies directories, probably because the virus writer introduced the virus on a machine he was using and wanted to cover where he had been web-surfing.

 


 

Howdy!!!
Welcome to the McCann's PooR Farm
I'm not with any school or schools,
Just a disabled grandpa with 17 grandkids, 1 great-grandkid
 
Sorry about all of the ads, our cost just keeps going up.
Please click on one of them and help us out, or
Send $1.00 U.S. to:
McCann's Poor Farm
20509 Lawrence 2207
Aurora, Mo. 65605-7275
Thank You,
Junior McCann
Webmaster
and the GrandKids
 
 
Legal Disclaimer - We Are in no way connected with any School and or Companies linked to this page. Links are provided as a courtesy only.


 
http://www.poor-farm.com/
webmaster@poor-farm.com
McCann's PooR Farm
Aurora, Mo. 65605
© 2001