BRAIN virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************



  BRAIN and variants including CHAOS.


  BRAIN was first reported in 1987 but a copyright notice (sic)

  suggests that it was published in 1986.  Despite the copyright

  notice and, consistent with normal software practice, other hands

  have since tinkered with the code and several versions with fairly

  minor modifications, mainly in the embedded text, have been

  reported.


  In its original form, it only infected 5.25" - 360 KB diskettes.

  CHAOS is a variant that infects Hard Disks.


  DAMAGE is minimal in its original version:


       a) it overwrites the original Boot Sector on the diskette (the

       first 512 bytes) and places some of its own code in this

       location from where it can intercept all calls to boot.  It

       also leaves room on the diskette for the system files.


       b) it creates 3 bad clusters (6 sectors = 3 KB) in the File

       Allocation Table (FAT). It uses the first sector of these Bad

       Clusters to store the code that it has displaced from the Boot

       Sector and the other five sectors to store the remainder of its

       own code. Its total length is around 2.25 KB but it requires

       0.5 KB of work area. When loaded into memory it occupies 7 KB.


       c) With the original version, a Volume Label (c) BRAIN is

       attached to diskettes and any existing label will be

       overwritten. Another version attaches the label (c) Ashar.  The

       label only appears when more than two files are placed in the

       directory.


       d) Unconfirmed reports advise that there is a version which

       scrambles the FAT.


  BRAIN hides from Disk Sector Editors (eg Norton) by redirecting them

  to the original Boot Sector that has been relocated into a Bad

  Cluster.


        With the original version a text message is included but not

        displayed:


                '      Welcome to the Dungeon                    '

                '                 (c) 1986 Basit & Amjad (pvt) Lt'

                'd.               BRAIN COMPUTER SERVICES..730 NI'

                'ZAM BLOCK ALLAMA IQBAL TOWN                LAHOR'

                'E-PAKISTAN..PHONE :430791,443248,280530.        '

                '  Beware of this VIRUS.....Contact us for vaccin'

                'ation............... $#@%$@!! '


        ---------------------- more -----------------------


  Version 2: (aka Ashar)


   This virus consists of a boot sector and three clusters (6 sectors)

   marked as bad in the FAT.  The first of these sectors contains the

   original boot sector, and the rest contain the rest of the virus.

   It only infects 360K floppies.  It creates a label on an infected

   disk of ' (c) ashar '.  Unlike the first version, this one does not

   leave room for the system files.


             ------------------- more -----------------


=== Computer Virus Catalog 1.2: SHOE-B v9.0 (July 10, 1989) ==========


Entry.................. SHOE-B v9.0

Alias(es).............. ---

Strain................. Brain/Pakistani

Detected: when......... November 1988

          where........ Houston University

Classification......... System (Boot sector) virus

Length of Virus........ approx. 3k (not all is actually used)

---------------------- Preconditions----------------------------------


Operating System(s).... MS-DOS

Version/Release........ Should work with all versions

Computer models........ IBM-PC's and compatibles

------------------------ Attributes-----------------------------------


Easy identification.... The volume label of the infected disk will

                        read: "(c) Brain"


Type of infection...... The virus installs itself in high memory after

                        booting with an infected disk. It captures all

                        read and  write calls to the disk, checks for

                        infection and, if not yet present, infects the

                        disk. Infection occurs by flagging five blocks

                        as bad, copying itself and the original boot

                        sector into those five blocks, and replacing

                        the boot sector with its own.  The virus

                        identifies itself by checking the boot sector

                        for the word 1234h at position 0004h in the

                        boot sector.


Infection trigger...... Counter: will attempt to infect initially

                        after 31 read/write calls, subsequently after

                        every fourth call.


Media affected......... Only floppy disks; Hard disks not infected.


Interrupts hooked...... Int 13h functions 2,3 (read,write).


Damage................. Destroys five blocks (as well as the boot

                        sector) upon infection, otherwise nothing.


Damage trigger......... ---


Particularities........ The virus looks whether attempts are made to

                        read the boot sector; in this case, the virus

                        transfers the original boot sector. The virus

                        can therefore not be identified with utilities

                        such as PC-TOOLS or NORTON  UTILITIES.


                        An infected boot sector contains the following

                        typical text:


                        "Welcome to the Dungeon (c) 1986 Basit &

                        Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0

                        Dedicated to the dynamic memories of millions

                        of virus who are no longer with us today -

                        Thanks GOODNESS!! BEWARE OF THE er..VIRUS:

                        \this program is catching   program follows

                        after these messeges..... $#%$!!  ";


                        this text is never displayed.


Similarities........... Similar to all viruses of Pakistani/Brain

                        strain.


----------------------- Agents ------------------------------


Countermeasures........ ----


Countermeasures successful ---


Standard Means......... The DOS command "SYS n:" (where n is the drive

                        of the infected disk) will disinfect the disk

                        IF AND ONLY IF you have booted from a clean

                        disk.  You will have to use utilities such as

                        PC-TOOLS to recover the "bad" sectors.


--------------------- Acknowledgements--------------------------------


Location............... VTC Hamburg, FRG

Classification by...... Morton Swimmer

Documentation by....... Morton Swimmer

Date................... June 29, 1989

Information source..... PC VIRUS LISTING (Jim Goodwin)



===================== End of SHOE-B v9.0 Virus ======================



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Comments

Post a Comment

Popular posts from this blog

BOTTOM LIVE script

                                  BOTTOM                                   ======                     by Adrian Edmondson and Rik Mayall                                 Bottom Live                                 ===========                               Richie  Rik Mayall                                Eddie  Adrian Edmondson Introduction ------------ [Opening shot of theatre, with huge pictures of Richie and Eddie. Caption: "Live fro...
Read more

Evidence supporting quantum information processing in animals

              Evidence supporting quantum            information processing in animals                    James A. Donald                    1068 Fulton Av                    Sunnyvale, CA 94089-1505                    USA I show that quantum systems can rapidly solve some problems for which finite state machines require a non- polynomially large time. This class of problems is closely related to the class of problems that animals can solve rapidly and effortlessly, but are intractable for computers by all known algorithms. 1. Introduction      Animals, including very simple animals, can rapidly and effortlessly perceive objects, whereas computers take nonpolynomial time to do this by all...
Read more

ARMIES OF CHAOS

                          ARMIES OF CHAOS -      Before anyone proposes more gun control, he or she should know  about a simple, deadly weapon 4 times as powerful as Dirty Harry's  legendary .44 Magnum -- and at least twice as concealable -- that  _can't_ controlled.        This simple, deadly weapon can be made by anyone -- even a  child -- with unpowered hand tools in an hour's time using $5 worth  of materials, most of which are available around the house anyway.   In traditional form it's reusable an unlimited number of times, and  modern plastics have rendered its disposable version electronically  undetectable.  You can clear a room with such a weapon (more of a  hand-held directional grenade than a gun -- sort of a recycleable  Claymore mine) and it's just one of hundreds of similar time-proven  designs. ...
Read more