Brain

Type: Boot sector virus
Creator: Basit Farooq Alvi
Date Discovered: 1986.01
Place of Origin: Lahore, Pakistan
Source Language: Assembly
Platform: MS DOS
Infection Length: 3,000 to 7,000 bytes
Reported Costs:

The Brain virus is considered the first PC virus. It infects 360 kilobyte, 5.25 inch floppy disks. Brain was also the first full-stealth virus. It is sometimes mistakenly referred to as the first virus.

Behavior

When an infected disk is booted, the virus installs itself into memory, occupying 3 to 7 kilobytes. It does not infect the hard disk, but will infect any other floppy disk accessed while it is in memory. A disk can be infected by being accessed in any way. The virus stores the original boot sector and six extension sectors containing the main body of the virus in the disk's available sectors, which are then flagged as bad. Infected disks will have 3 kilobytes or more of bad sectors, whereas most disks usually have none, or as many as 5 kilobytes of genuinely bad sectors. It changes the disk's volume label to (c)Brain.

The virus has stealth capabilities because any time infected sectors are accessed, the accessing program will be redirected to the stored original boot sector. An early disk utility such as PC Tools, Norton Utilities or PC Medic would be unable to see the virus.

Brain carries a message that is never displayed, but can be seen with a binary editor:

  Welcome to the Dungeon
  © 1986 Basit & Amjad (pvt) Ltd.
  BRAIN COMPUTER SERVICES
  730 NIZAB BLOCK ALLAMA IQBAL TOWN
  LAHORE-PAKISTAN
  PHONE :430791,443248,280530.
  Beware of this VIRUS....
  Contact us for vaccination............  $#@%$@!!
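
A defensive check built from the traits described above, as an added example that is not part of the original article: it inspects a raw 360 KB floppy image for the (c)Brain volume label, bad clusters in the FAT, and the embedded message. The fixed FAT12 layout constants, the function names and the sample image are assumptions constructed for illustration.

```python
# Assumed standard 360 KB FAT12 layout, fixed here rather than read from the
# boot sector, which is the part an infection replaces.
SECTOR = 512
FAT_START = 1 * SECTOR       # first FAT follows the single boot sector
ROOT_START = 5 * SECTOR      # root directory follows two 2-sector FATs
ROOT_ENTRIES = 112
CLUSTER_BYTES = 2 * SECTOR
DATA_CLUSTERS = 354          # (720 sectors - 12 system sectors) / 2
BAD_CLUSTER = 0xFF7          # FAT12 marker for a bad cluster
MESSAGE = b"Welcome to the Dungeon"

def fat12_entry(image, n):
    """Return the 12-bit FAT entry for cluster n."""
    i = FAT_START + n * 3 // 2
    pair = image[i] | (image[i + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0xFFF

def volume_label(image):
    """Return the root-directory volume label (attribute 0x08), or None."""
    for k in range(ROOT_ENTRIES):
        entry = image[ROOT_START + 32 * k:ROOT_START + 32 * (k + 1)]
        if entry[0] == 0x00:             # end of directory
            break
        if entry[0] != 0xE5 and entry[11] == 0x08:
            return entry[:11].decode("latin-1").rstrip()
    return None

def brain_indicators(image):
    """Report each trait separately for a raw 360 KB image."""
    bad = sum(fat12_entry(image, n) == BAD_CLUSTER
              for n in range(2, 2 + DATA_CLUSTERS))
    return {
        "label_is_brain": (volume_label(image) or "").lower() == "(c)brain",
        "bad_bytes": bad * CLUSTER_BYTES,
        "bad_at_least_3k": bad * CLUSTER_BYTES >= 3 * 1024,
        "message_present": MESSAGE in image,
    }

def constructed_sample():
    """Constructed image: blank disk with the three traits planted."""
    img = bytearray(720 * SECTOR)
    for n in (100, 102):                 # even/odd pairs 100-101, 102-103
        i = FAT_START + n * 3 // 2
        img[i:i + 3] = b"\xf7\x7f\xff"   # two adjacent 0xFF7 entries
    img[ROOT_START:ROOT_START + 12] = b"(c)Brain   \x08"  # label + attribute
    img[40 * SECTOR:40 * SECTOR + len(MESSAGE)] = MESSAGE
    return bytes(img)

if __name__ == "__main__":
    print(brain_indicators(constructed_sample()))
```

Brain.C leaves the volume label unchanged and Brain.Clone removes the message, so the traits are reported separately rather than combined into one verdict.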


Effects

The virus does no intentional damage, although it may slow down disk access and cause timeouts, which can make some disks unusable. The first problems with the virus were not reported until about a year later. In 1987, computer users at the University of Delaware reported seeing the (c)Brain label on their disks. 100 machines were infected at the Providence Journal-Bulletin in 1988. One reporter, Froma Joselow, claimed to have lost several months of work contained on a floppy disk (hard to imagine today, but quite possible, given the size of files in 1988).

Other Facts

Brain is the only virus in existence that contains the valid names, phone numbers and addresses of the creators. Basit and Amjad Farooq Alvi, of the Chahmiran neighborhood in Lahore, Pakistan, created the virus to infect machines running pirated copies of a program they sold for physicians.

Name

Brain gets its name from the fact that it changes the name of the disk volume label to (c)Brain. Sometimes the copyright symbol or (c) is added before the word Brain, making the name (c)Brain. The creators likely chose the name because their store was Brain Computer Services. As this virus came before there was even any pretense at coherent virus naming, it can go by a few other names, but few publications or antivirus companies today use any name other than Brain. The other names can include Pakistani Flu, Lahore, Pakistani, Basit Virus and UIUC.

Antivirus Aliases

  • Avast!: Brain
  • Avira: Brain #2
  • ClamAV: Brain.2
  • Doctor Web: Brain.dropper
  • F-Prot: BOOT SECTOR DROPPER
  • F-Secure: Brain
  • Grisoft: Brain
  • Kaspersky Lab: Virus.Boot.Brain.a or Brain.a
  • McAfee: BtDr.Brain
  • Panda: Brain.1986
  • RAV: Brain.A
  • Bitdefender: Trojan.Dropper.Boot.Brain.A
  • Sophos: Brain drop
  • Symantec: Brain
  • Trend Micro: (C)BRAIN

Variants

Probably because Brain was such an early virus, there were few people interested in creating variants of the virus. Still, a few minor variations of the virus do exist. Most of them are simple changes to the text.

Brain.B

This variant can infect the hard drive.

Brain.C

Brain.C, like Brain.B, can infect the hard drive, but it does not change the volume label.

Brain.Clone

Similar to Brain.C, but the messages are removed and replaced with non-printable code that looks like random characters in a binary editor.

Brain.Clone.B

This subvariant of Clone corrupts the File Allocation Table (FAT) if it is booted after 1992.05.05.

Brain.Shoe

This one is similar to Brain.B in most ways, except the message is modified to say:

  Welcome to the Dungeon
  © 1986  Brain & Amjads (pvt) Ltd.
  VIRUS_SHOE RECORD v9.0
  Dedicated to the dynamic memories
  of millions of virus who are no longer with us today -
  Thanks GOODNESS!!
  BEWARE OF THE er..VIRUS :This program is catching
  program follows after these messeges.....  $#@%$@!!

This variant is also known as Ashar, and some sources say that it may actually be older than the original.

Brain.Shoe.B

There are some disagreements on this virus. There is a version of the Shoe variant that cannot infect hard disks, and one in which the v9.0 has been changed to v9.1.

Brain.TerseShoe

In this variant, the message is truncated to one line.

Brain.Jork

This variant contains the text "(C) Jork & Amjads (pvt) Ltd".

Brain.Singapore

The copyright date on this virus is 1988 as opposed to 1986. The text through to the addresses and phone numbers of the creators is the same. After the phone numbers, it contains some different text:

  Ver (Singapore) Beware of this "virus". It will transfer to a million of Diskettes... $#@%$@!!
