Brain


Brain is the first full-stealth virus on MS-DOS. It infects 360 KB, 5.25-inch floppy disks. It is sometimes mistakenly referred to as the first virus; in fact, it was just one of the first viruses to infect removable media.

Behavior

When an infected disk is booted, the virus installs itself in memory, taking up 3-7 kilobytes. It does not infect the hard disk, but will infect any other floppy disk accessed while it is in memory; any kind of access is enough to infect a disk. The virus stores the original boot sector and six extension sectors containing the main body of the virus in the disk's available sectors, which are then flagged as bad. Infected disks will have 3 kilobytes or more of bad sectors, whereas most disks usually have none, or as many as 5 kilobytes of genuinely bad sectors. It changes the disk's volume label to "(c)Brain".

The virus has stealth capabilities because any time infected sectors are accessed, the accessing program will be redirected to the stored original boot sector. An early disk utility such as PC Tools, Norton Utilities or PC Medic would be unable to see the virus.

Brain carries a message that is never displayed, but can be seen with a binary editor:

Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN
PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination............  $#@%$@!!

This virus can be deleted by another virus, Denzuko.
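An added example (not from the wiki or from any antivirus product): a triage check over a raw 360 KB floppy image for the three on-disk traits described above, namely the "(c)Brain" volume label, 3 KB or more of clusters flagged bad, and the embedded message text. The FAT12 layout constants and all function names are assumptions for a standard DOS 360 KB disk; the sample images are constructed and contain only inert markers.

```python
import struct

# Assumed standard DOS 360 KB layout (not from the article): 512-byte sectors,
# boot sector, two 2-sector FAT12 copies, 112 root entries, 1 KB clusters.
SECTOR, FAT_START, ROOT_START, ROOT_ENTRIES = 512, 512, 5 * 512, 112
DATA_CLUSTERS, BAD = 354, 0xFF7      # 0xFF7 = FAT12 bad-cluster marker
STRINGS = (b"Welcome to the Dungeon", b"BRAIN COMPUTER SERVICES")

def fat12_entry(fat: bytes, n: int) -> int:
    """Return the 12-bit FAT entry for cluster n."""
    pair = struct.unpack_from("<H", fat, n + n // 2)[0]
    return pair >> 4 if n & 1 else pair & 0x0FFF

def volume_label(image: bytes) -> str:
    """Return the root-directory volume label, or '' if none is set."""
    for i in range(ROOT_ENTRIES):
        entry = image[ROOT_START + 32 * i: ROOT_START + 32 * (i + 1)]
        if entry[0] == 0x00:         # end-of-directory marker
            break
        if entry[0] != 0xE5 and entry[11] & 0x08:
            return entry[:11].decode("ascii", "replace").rstrip()
    return ""

def brain_indicators(image: bytes) -> dict:
    """Check a raw 360 KB image for the three traits the article describes."""
    if len(image) != 720 * SECTOR:
        raise ValueError("not a 360 KB floppy image")
    fat = image[FAT_START:FAT_START + 2 * SECTOR]
    bad_kb = sum(fat12_entry(fat, c) == BAD for c in range(2, 2 + DATA_CLUSTERS))
    return {
        "label_match": "(c)brain" in volume_label(image).replace(" ", "").lower(),
        "bad_kb": bad_kb,            # 1 KB per cluster on this layout
        "bad_kb_suspicious": bad_kb >= 3,
        "strings": [s.decode() for s in STRINGS if s in image],
    }

def constructed_image(marked: bool) -> bytes:
    """Build an inert, constructed test image (no virus code, markers only)."""
    img = bytearray(720 * SECTOR)
    img[FAT_START:FAT_START + 3] = b"\xfd\xff\xff"          # media byte + reserved
    if marked:
        img[FAT_START + 3:FAT_START + 9] = b"\xf7\x7f\xff\xf7\x0f\x00"  # 3 bad clusters
        img[ROOT_START:ROOT_START + 12] = b"(c)Brain   \x08"  # volume-label entry
        img[12 * SECTOR:12 * SECTOR + 22] = STRINGS[0]        # message text on disk
    return bytes(img)

if __name__ == "__main__":
    for name, marked in (("clean", False), ("marked", True)):
        print(name, brain_indicators(constructed_image(marked)))
```

Each indicator is reported separately because the variants listed on this page differ: Brain.C leaves the volume label alone and Brain.Clone removes the message text. The image should be taken from a system booted from clean media, since the stealth redirection only works while the virus is in memory.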

Effects

The virus does no intentional damage, although it may slow down disk access and cause timeouts, which can make some disks unusable. The first problems with the virus were not reported until about a year later. In 1987, computer users at the University of Delaware reported seeing the (c)Brain label on their disks. 100 machines were infected at the Providence Journal-Bulletin in 1988. One reporter, Froma Joselow, claimed to have lost several months of work contained on a floppy disk (hard to imagine today, but quite possible, given the size of files in 1988).

Other Facts

Brain is the only virus in existence that contains the valid names, phone numbers and addresses of the creators. Basit and Amjad Farooq Alvi, of the Chahmiran neighborhood in Lahore, Pakistan, created the virus to infect machines running pirated copies of a program they sold for physicians.

Name

Brain gets its name from the fact that it changes the name of the disk volume label to (c)Brain. Sometimes the copyright symbol or (c) is added before the word Brain, making the name (c)Brain. The creators likely chose the name because the name of their store was Brain Computer Services. As this virus came before there was even any pretense at coherent virus naming, it can go by a few other names, but few publications or antivirus companies today use any name other than Brain. The other names can include Pakistani Flu, Lahore, Pakistani, Basit Virus and UIUC.

Antivirus Aliases

  • Virus Encyclopedia full name: Virus/Boot/DOS/Brain
  • Avast!: Brain
  • Avira: Brain #2
  • ClamAV: Brain.2
  • Doctor Web: Brain.dropper
  • F-Prot: BOOT SECTOR DROPPER
  • F-Secure: Brain
  • Grisoft: Brain
  • Kaspersky Lab: Virus.Boot.Brain.a or Brain.a
  • McAfee: BtDr.Brain
  • Panda: Brain.1986
  • RAV: Brain.A
  • Bitdefender: Trojan.Dropper.Boot.Brain.A
  • Sophos: Brain drop
  • Symantec: Brain
  • Trend Micro: (C)BRAIN

Variants

Probably because Brain was such an early virus, there were few people interested in creating variants of the virus. Still, a few minor variations of the virus do exist. Most of them are simple changes to the text.

Brain.B

This variant can infect the hard drive.

Brain.C

Brain.C, like B, can infect the hard drive, but it does not change the volume label.

Brain.Clone

Similar to Brain.C, but the messages are removed and replaced with non-printable code that looks like random characters in a binary editor.

Brain.Clone.B

This is a subvariant of Clone that corrupts the File Allocation Table (FAT) if it is booted after 1992.05.05.

Brain.Shoe

This one is similar to Brain.B in most ways, except the message is modified to say:

  Welcome to the Dungeon
  © 1986  Brain & Amjads (pvt) Ltd.
  VIRUS_SHOE RECORD v9.0
  Dedicated to the dynamic memories
  of millions of virus who are no longer with us today -
  Thanks GOODNESS!!
  BEWARE OF THE er..VIRUS :This program is catching
  program follows after these messeges.....  $#@%$@!!

This variant is also known as Ashar, and some sources say that it may actually be older than the original.

Brain.Shoe.B

There is some disagreement about this virus. There is a version of the Shoe variant that cannot infect hard disks and one in which the v9.0 has been changed to v9.1.

Brain.TerseShoe

In this variant, the message is truncated to one line.

Brain.Jork

This variant contains the text "(C) Jork & Amjads (pvt) Ltd".

Brain.Singapore

The copyright date on this virus is 1988 as opposed to 1986. The text through to the addresses and phone numbers of the creators is the same. After the phone numbers, it contains some different text:

  Ver (Singapore) Beware of this "virus". It will transfer to a million of Diskettes... $#@%$@!!

