The Brain Virus

Copyright Dr Alan Solomon, 1986-1995

There has been much speculation about computer viruses in recent
months, mostly ill-informed.  I run a Data Recovery Centre;  people
come to me when they have lost all the data from their hard disks, and
I get it back for them.  Usually, the problem is caused by erasing the
wrong files, or data corruption;  sometimes the disk is totally dead
and has to be resuscitated.  Recently, I started getting people
coming to me with dead disks that they claimed had been infected with
a computer virus, so I decided to make some investigations.

First, it is worth explaining exactly what a virus is, and what it is
not.  There are programs around which, when run, erase all the data
from your hard disk, with various degrees of thoroughness.  Some
attack the partition record, some the boot sector, some delete files
and some format the disk.  All of these are recoverable, if the data
is important enough.  There is a way to erase the data beyond
recovery, but no-one has done it yet, and I'm not going to tell you
what it is.

The programs that do this are called Trojans, after the Trojan Horse.
They masquerade as innocent utilities (sometimes as popular existing
utilities) or as games;  while you play the game, the Trojan destroys
your data.  It is fairly easy to guard against Trojans;  I usually
write-protect my hard disk (see PC Plus .....) before running a
strange program, or even diskonnect it completely.  Trojans are spread
by people uploading them to bulletin boards;  from there they can be
downloaded, and may be spread by people copying Public Domain
diskettes, either privately or commercially.

The second kind of destroyer is the virus.  It is called a virus,
because it behaves like a biological virus.  The infection is spread
by contaminated diskettes, and attacks hard disks.  An infected hard
disk will infect diskettes put in the drive, and the infection can be
very contagious.  The virus will attach itself to any piece of
executable code (including the boot sector) and works by modifying
code on other disks.  After a preset time (or counter, or number of
events) the virus enters its destructive phase, at which point it
works like any Trojan.  Viruses can also be spread by Trojan programs
that apparently do what they claim to do, but which also infect the
disk with a virus which will detonate later.

A lot of people have asked me who would write such a program.  The
answer is not simple.  I can appreciate the technical challenge of
writing such a thing, and I can almost understand (but certainly do
not condone) someone who writes a virus that does something harmless
when it detonates, such as put up a message of peace and love on the
screen.  A destructive virus is simply vandalism, and you only have to
look around to see plenty of other examples of that.

The first disk that came to me with a claimed viral infection turned
out to be a simple case of a Maced disk.  The person using the
computer was what I call a tinker, and he'd been running Mace, Norton,
PC-Tools, Xtree - the lot.  He'd been running a cache, a disk
defragmenter, lots of memory resident software and any number of
Public Domain programs.  In my opinion, it was Mace that finally did
the trick.  Mace can often be quite safe when run alone, but when run
in conjunction with other programs, most reviewers have had their hard
disk trashed.  I unscrambled his disk, told him not to be quite so
brave, and sent him away.  No virus.

The second case sounded very like a virus.  The user was running some
clever disk tester, which was reporting that every twentieth track was
damaged.  He was fully backed up, so didn't need a data recovery, but
it sounded so regular that it might be a virus.  I asked him to come
round, and looked at his disk.  The disk was totally dead;  every
track was unreadable.  When I looked at the clever testing utility, I
found that it only looked at every twentieth track - that was why only
those were reported as bad.

The third report was of a virus that affected the printer.  I took
that about as seriously as you might imagine - it turned out that the
chap had a duff cable.  Most printer problems turn out to be the
cable.

Then a disk arrived through the post marked "Danger Virus Infected".
I didn't take it too seriously, and put it aside for later
examination.  It turned out to be the real McCoy.

I set up an examination room.  I set up a two-floppy machine, and
cleared out all unneeded diskettes.  I took in a few copies of Dos, a
few blank disks and my toolbox disks.  All these disks were write
enabled, since the whole purpose of the exercise was to get infected -
normally I write protect all disks unless I intend writing to them.
The "infected" disk was a bootable disk, so I booted off it;  it
seemed normal.  I had a look at it with Norton, and it looked quite
ordinary.  So I put in my Dos disk with Format on it, formatted one of
the blank disks;  again I looked at it and it looked normal.  I tried
copying files to and from disks, I checked through the Command.com and
other system files using Debug and saw nothing unusual.  Then I
realised that I'd been using a potentially suspect version of DOS, so
I rebooted from my Dos disk, and had another look around.  Everything
looked tickety-boo.

I had another look at the original contaminated disk using one of the
tools I use for data recoveries, and noticed something unusual.  There
were a few bad sectors on the disk - this is fairly normal and not at
all harmful, except there didn't seem to be very many bad sectors.  I
ran CHKDSK and it reported 3K in bad sectors, and I knew something
fishy was going on.

When FORMAT formats a diskette, if it finds a defect on a track, it
marks the entire track as bad, plus any sectors that would be linked
to one of the bad sectors in a cluster.  So the minimum amount of bad
sectors is 5K, and bad sectors are usually a multiple of that.  There
is no way that DOS can format a disk with 3K of bad sectors.

DOS marks a cluster as bad by putting hexadecimal FF7 in the
corresponding entry in the File Allocation Table (FAT).  This marker
tells DOS not to use that piece of disk for data, and normally, you
won't be able to read it because it will not even have been formatted.
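The arithmetic above (FORMAT marks whole tracks bad, so a run of bad clusters too short to cover one track cannot have come from FORMAT) can be turned into a check over a FAT12 image.  This is an added example, not code from the article: it builds a constructed 360K diskette image (512-byte sectors, 1K clusters, 9 sectors per track, nothing from a real Brain sample), decodes the 12-bit FAT entries, and flags any contiguous bad-sector run that does not contain a complete track.

```python
import struct

BAD12 = 0xFF7  # FAT12 "bad cluster" marker (the FF7 the article mentions)
BPB_FMT = "<HBHBHHBHHH"  # bytes/sector .. heads, at offset 11 of sector 0

def fat12_get(fat: bytes, n: int) -> int:
    """Decode 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF

def fat12_set(img: bytearray, fat_off: int, n: int, val: int) -> None:
    """Write 12-bit FAT entry n in place (only used to build the sample image)."""
    off = fat_off + n * 3 // 2
    word = img[off] | (img[off + 1] << 8)
    word = (word & 0x000F) | (val << 4) if n & 1 else (word & 0xF000) | val
    img[off], img[off + 1] = word & 0xFF, word >> 8

def bad_sector_runs(img: bytes):
    """Return (bytes marked bad, contiguous bad-sector runs that contain no
    whole track).  FORMAT marks whole tracks, so a run too short to cover a
    track (the article's 3K) was written by something other than FORMAT."""
    bps, spc, reserved, nfats, root, total, _m, spf, spt, _h = struct.unpack_from(BPB_FMT, img, 11)
    fat = img[reserved * bps:(reserved + spf) * bps]
    data_start = reserved + nfats * spf + (root * 32 + bps - 1) // bps
    n_clusters = (total - data_start) // spc
    bad = sorted(data_start + (n - 2) * spc + i          # cluster -> sectors
                 for n in range(2, n_clusters + 2) if fat12_get(fat, n) == BAD12
                 for i in range(spc))
    runs = []
    for s in bad:                                        # group into runs
        if runs and s == runs[-1][1] + 1:
            runs[-1][1] = s
        else:
            runs.append([s, s])
    flagged = [(a, b) for a, b in runs                   # no whole track inside
               if not any(t * spt >= a and (t + 1) * spt - 1 <= b
                          for t in range(a // spt, b // spt + 1))]
    return len(bad) * bps, flagged

def build_image(bad_clusters) -> bytes:
    """Constructed 360K FAT12 image (not a real sample): 512-byte sectors, 1K
    clusters, 9 sectors/track, 2 heads, with the given clusters marked bad."""
    bps, spc, reserved, nfats, root, total, spf, spt, heads = 512, 2, 1, 2, 112, 720, 2, 9, 2
    img = bytearray(bps * total)
    struct.pack_into(BPB_FMT, img, 11, bps, spc, reserved, nfats, root, total, 0xFD, spf, spt, heads)
    for n in bad_clusters:
        fat12_set(img, reserved * bps, n, BAD12)
    return bytes(img)
```

Three bad clusters (3K) yield a six-sector run that covers no track and are flagged; five clusters that blanket one nine-sector track plus the straddling cluster, as FORMAT would produce, pass.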

I had a look at those bad clusters, using my disk exploring tool.
Sure enough, it was readable and full of code.  This disk was
infected!  I had another look at the boot sector, and it was normal,
so I was completely baffled.  The virus was somehow copying itself
onto the disk, but it wasn't affecting any executable file;  I had a
look at a blank disk, and that also had the code in the 3K of bad
clusters, and definitely no executable file.  So how could the virus
spread itself?  I had another look at the boot sector, and that was
still normal.

At that point, I sat down and had a good think - I often find that
thinking is a good substitute for flailing around at random.  There
had to be some copying mechanism, otherwise how could the virus spread
itself?  And if the copier wasn't a patched executable file, it had to
be the boot sector, but the boot sector was clean.  Then it hit me -
how did I know that the boot sector was clean?

I went and got a clean copy of DOS, on a diskette with a write-protect
tab.  I booted off this disk, and had a look at the boot sector of the
infected disk.  What I saw was horrifying (see figure 1).  I looked at
the other diskettes, and saw the same thing on each boot sector.  I
had managed to infect just about every diskette that I'd taken into
that room with me, including some of my toolbox disks.

              << FIGURE 1 >>

The contents of the boot sector, reproduced exactly as seen.

Welcome to the  Dungeon
(c) 1986 Brain & Amjads (pvt) Ltd
VIRUS_SHOE  RECORD   v9.0
Dedicated to the dynamic memories
of millions of virus who are no longer with us
today - Thanks GOODNESS!!
BEWARE OF THE er..VIRUS  : \this program is catching
program follows after these messeges..... $#@%$@!!

             << END FIGURE 1 >>

This was not, of course, a disaster.  I had taken only a limited
number of disks into the room, and now all I had to do was assume that
they were all infected.  I could kill the virus by formatting them,
but only if the computer had been booted from an uninfected diskette.

The real horror was that even an experienced disk expert like myself
had nearly fallen for the virus's method of camouflage;  the ordinary
programmer wouldn't stand a chance.

Now that I understood what was going on, I could really begin to
investigate.  I worked from a machine that had been booted from a
clean DOS disk.  I captured the 3K of bad sectors into a file, and
disassembled the code.  It looks like it has been written in
assembler;  figure 2 is a fragment of its code, showing how it
captures the ROM Bios diskette handler, and replaces it with its own
code.  Every time a diskette is accessed (whether to do a DIR, or even
to log on to the drive) the virus's code is copied onto that diskette.
Every time a computer is booted from an infected diskette, the
computer is infected with the virus, and will infect other diskettes.
Even if the diskette is not a boot disk, trying to boot from it will
infect the computer; when you then put in a boot disk and boot from
it, the computer remains infected and that boot disk becomes infected
too.

                        << FIGURE 2 >>

The code that installs the Brain diskette handler.

	XOR	AX,AX   	;Zero the AX register
	MOV	DS,AX		;Zero the data segment register

	MOV	AX,[004CH]      ;Move the interrupt vector
	MOV	[01B4H],AX      ;13H to vector 6DH. 13H is the
	MOV	AX,[004EH]      ;diskette interrupt routine
	MOV	[01B6H],AX

	MOV	AX,0276H        ;Put the Brain diskette routine
	MOV	[004Ch],AX      ;into the place where
	MOV	AX,CS           ;interrupt 13H used to be.
	MOV	[004Eh],AX

             << END FIGURE 2 >>

So how was the virus hiding its boot sector from me?  Well, it needed
a copy of the genuine boot sector in order to complete the boot
process and load DOS, after it finished loading itself.  So it stores
a copy of the original boot sector on one of those bad clusters.  When
you ask to see sector zero (the boot sector), it simply shows you that
sector instead and you are fooled into thinking all is well.

The safest way to disinfect a computer is to switch it off, then boot
from a disk that is known to be uninfected.  The safest way to
disinfect a disk is to copy any necessary data files off it, then
format the disk.

There is a lot of code in this virus - more than I have so far
disassembled.  So I can't say with certainty exactly what it does.
But that doesn't matter anyway, because no doubt there are many
versions of it around, doing slightly different things. This version
doesn't seem to affect hard disks, but it could have a self-modifier
that changes it. And anyway, this is only one virus of many.

One definite effect of the virus is to put a volume label onto the
disk, leaving a gap of a few directory entries.  That means that DOS
can't see the entry until the disk fills up a bit, and at that point
the volume label "(c) Brain" suddenly appears on the disk.  At that
point, you know you've been infected for some time, and have probably
spread the infection far and wide.

So what can you do?  The main thing is to be hygienic;  you wouldn't
put something in your mouth unless you were sure what it was, and you
shouldn't put anything in your disk drive unless you are quite sure of
its origin.  Be particularly wary of pirated software - that can
easily carry a virus, and make sure that you get all your software
from a reputable source, such as a User Group.