Information on the Brain Virus And Variants
Prepared by David Stang
National Computer Security Association
Suite 309, 4401-A Connecticut Avenue NW
Washington, DC 20008
(202) 364-8252 (voice)
(202) 364-1304 (BBS)
This material (c) 1989 NCSA. It may not be reproduced
without attribution to the NCSA.

Synonyms: Pakistani Brain, Basit Virus.

This virus originated in January, 1986, in Lahore
Pakistan, but the first noticeable infection problems
did not surface until 1988.  In the spring of 1988, for
instance, 100 machines at The Providence Journal-Bulletin
were infected with it. 

The Brain is the only virus yet discovered that
includes the valid names address and phone numbers of
the original perpetrators. It was written by two
brothers running a computer store in Lahore Pakistan.
According to some sources, Basit Farooq Alvi, one of
the brothers, wrote the virus so that it would infect
machines running bootleg copies of a program he was
selling for physicians. The original Brain put a
copyright notice in the directory of floppy disks, but
did no other damage.

The Brain is a boot sector infector, approximately 3 K
in length, that infects 5 1/4" floppies. It cannot
infect hard disks. It will infect a diskette whenever
the diskette is referenced. For example, a Directory
command, executing a program from the diskette, copying
a file from or to the diskette or any other access will
cause the infection to occur. The virus stores the
original boot sector, and six extension sectors,
containing the main body of the virus, in available
sectors which are then flagged as bad sectors. 
Diskettes have 3K of bad sectors (the normal numbers
are none at all, or 5K, or sometimes more).

No known intentional damage.  Unintentional damage: it
slows down diskette accesses and causes time-outs,
which can make some diskette drives unusable.

The virus is able to hide from detection by
intercepting any interrupt that might interrogate the
boot sector and re-directing the read to the original
boot sector. Thus, programs like the Norton Utilities
will be unable to see the virus.

Infected diskettes are noticeable by "@BRAIN" or "(c)
BRAIN" displayed in the volume label.



		Brain-B

Synonyms: Brain-HD, the Hard Disk Brain, Houston Virus.

This virus is identical in every respect to the
original Brain, with the single exception that it can
infect the C drive. 



		Brain-C

This virus is the Brain-B that has the volume label
code removed. The volume label of infected diskettes
does not change with this virus. This virus was
difficult to detect since it does nothing overt in the
system.



		Clone Virus

This virus is the Brain-C that saves the original boot
copyright label and restores it to the infected boot.
The Basit & [A]mjad original Brain messages have been
replaced with non-printable garbage that looks like
instructions if viewed through Norton or other utility.
Even if the system is booted from a clean diskette, it
is virtually impossible to tell, by visual inspection,
whether the hard disk is infected. 



		Shoe_virus

Synonym: UIUC Virus.

This virus is the Brain-B virus that has been modified
to include the message - "VIRUS_SHOE RECORD, v9.0.
Dedicated to the dynamic memories of millions of virus
who are no longer with us today". The message is never
displayed.

This might be identified with the Ashar vrus, as there
is a VIRUS_SHOES RECORD v9.0 with the identifying
string "ashar" at offset 04a6hex.



		Shoe_virus-B

Experts disagree on the classification of this.

@BULLET = It may be the Shoe_Virus that has been
modified to so that it can no longer infect hard disks.
The v9.0 has been changed to v9.1.

@BULLET = There is a version of Brain with VIRUS_SHOE
RECORD v9.0 which is incapable of activating a virus
stored on hard disk due to the drive number being
hardwired into the read routine for loading the virus.
v9.1 may be the hard disk variant of Brain.



		Clone-B

This is the Clone virus that has been modified to
corrupt the FAT when it is booted after May 5, 1992.
There are no other apparent modifications.



		Jork Virus

This virus is the Shoe_virus with the identifying text
at offset 0010hex reduced to "Welcome to the Dungeon
(c) 1986 Brain", with the text at 0202hex reading "(c)
1986 Jork & Amjads (pvt) Ltd".



		Terse Shoe Virus

This is a variant of the Shoe-virus with the initial
text message truncated to a single line.

end of text. Prepared 12/7/89
