|Field|Value|
|---|---|
|Type|Boot sector virus|
|Creator|Basit Farooq Alvi|
|Place of Origin|Lahore, Pakistan|
|Infection Length|3,000 to 7,000 bytes|

The Brain virus is considered the first PC virus. It infects 360 kilobyte, 5.25 inch floppy disks. Brain was also the first full-stealth virus. It is sometimes mistakenly referred to as the first virus.
When an infected disk is booted, the virus installs itself into memory, occupying between 3 and 7 kilobytes. It does not infect the hard disk, but will infect any other floppy disk accessed while it is in memory; any kind of access is enough to infect a disk. The virus then stores the original boot sector and six extension sectors containing the main body of the virus in the disk's available sectors, which are then flagged as bad. Infected disks will have 3 kilobytes or more of bad sectors, whereas most disks usually have none, or as many as 5 kilobytes of genuinely bad sectors. It changes the disk's volume label to (c)Brain.
The virus has stealth capabilities because any time infected sectors are accessed, the accessing program will be redirected to the stored original boot sector. An early disk utility such as PC Tools, Norton Utilities or PC Medic would be unable to see the virus.
Brain carries a message that is never displayed, but can be seen with a binary editor:
Welcome to the Dungeon © 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............ $# @%$@!!
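The on-disk traits described above (sectors flagged as bad, the (c)Brain volume label and the embedded message) can be checked on a raw disk image taken while the virus is not resident in memory. This is an added example, not code from the original page; the fixed 360 KB FAT12 layout, the 0xFF7 bad-cluster marker and the names `brain_indicators` and `sample_image` are assumptions of the example, and the sample image is constructed.

```python
import struct

# Standard DOS layout of a 360 KB floppy, assumed rather than read from the
# boot sector, because on an infected disk sector 0 belongs to the virus.
SECTOR, FAT_START, FAT_SECTORS = 512, 1, 2
ROOT_START, ROOT_ENTRIES, DATA_START = 5, 112, 12
CLUSTER_BYTES, CLUSTERS, BAD = 1024, 354, 0xFF7
MESSAGE = b"Welcome to the Dungeon"

def fat12_get(fat, n):
    """Return the 12-bit FAT entry for cluster n."""
    (pair,) = struct.unpack_from("<H", fat, n * 3 // 2)
    return pair >> 4 if n & 1 else pair & 0xFFF

def fat12_set(fat, n, value):  # only used to build the constructed sample
    off = n * 3 // 2
    (pair,) = struct.unpack_from("<H", fat, off)
    pair = (pair & 0x000F) | (value << 4) if n & 1 else (pair & 0xF000) | value
    struct.pack_into("<H", fat, off, pair)

def volume_label(image):
    """Return the root-directory volume label, or '' if there is none."""
    base = ROOT_START * SECTOR
    for off in range(base, base + ROOT_ENTRIES * 32, 32):
        entry = image[off:off + 32]
        if entry[0] not in (0x00, 0xE5) and entry[11] & 0x08 and entry[11] != 0x0F:
            return entry[:11].decode("latin-1").strip()
    return ""

def brain_indicators(image):
    """Report the three on-disk traits of Brain for a raw 360 KB image."""
    fat = image[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR]
    bad = sum(fat12_get(fat, n) == BAD for n in range(2, CLUSTERS + 2))
    label = volume_label(image).lower().replace(" ", "")
    return {"bad_bytes": bad * CLUSTER_BYTES,
            "bad_3k_or_more": bad * CLUSTER_BYTES >= 3 * 1024,
            "label_is_brain": "(c)brain" in label,
            "message_found": MESSAGE in image}

def sample_image(infected):
    """Build a constructed blank 360 KB image, optionally with Brain's traits."""
    img = bytearray(360 * 1024)
    fat = bytearray(b"\xfd\xff\xff".ljust(FAT_SECTORS * SECTOR, b"\0"))
    if infected:
        for n in (100, 101, 102):               # three 1 KB clusters flagged bad
            fat12_set(fat, n, BAD)
        off = (DATA_START + (100 - 2) * 2) * SECTOR
        img[off:off + len(MESSAGE)] = MESSAGE   # message text inside a "bad" cluster
        img[ROOT_START * SECTOR:ROOT_START * SECTOR + 12] = b"(c)Brain   \x08"
    img[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR] = fat
    return bytes(img)
```

No single indicator is conclusive: a clean disk can have genuinely bad sectors, and a copy may lack the volume label or the message text, so the three results are best read together.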
The virus does no intentional damage, although it may slow down disk access and cause timeouts, which can make some disks unusable. The first problems with the virus were not reported until about a year later. In 1987, computer users at the University of Delaware reported seeing the (c)Brain label on their disks. 100 machines were infected at the Providence Journal-Bulletin in 1988. One reporter, Froma Joselow, claimed to have lost several months of work contained on a floppy disk (hard to imagine today, but quite possible, given the size of files in 1988).
Brain gets its name from the fact that it changes the name of the disk volume label to (c)Brain. Sometimes the copyright symbol or (c) is added before the word Brain, making the name (c)Brain. The creators likely chose the name because the name of their store was Brain Computer Services. As this virus came before there was even any pretense at coherent virus naming, it can go by a few other names, but few publications or antivirus companies today use any name other than Brain. The other names can include Pakistani Flu, Lahore, Pakistani, Basit Virus and UIUC.
- Avast!: Brain
- Avira: Brain #2
- ClamAV: Brain.2
- Doctor Web: Brain.dropper
- F-Prot: BOOT SECTOR DROPPER
- F-Secure: Brain
- Grisoft: Brain
- Kaspersky Lab: Virus.Boot.Brain.a or Brain.a
- McAfee: BtDr.Brain
- Panda: Brain.1986
- RAV: Brain.A
- Bitdefender: Trojan.Dropper.Boot.Brain.A
- Sophos: Brain drop
- Symantec: Brain
- Trend Micro: (C)BRAIN
Probably because Brain was such an early virus, there were few people interested in creating variants of the virus. Still, a few minor variations of the virus do exist. Most of them are simple changes to the text.
This variant can infect the hard drive.
Brain.C, like B, can infect the hard drive, but it does not change the volume label.
Similar to Brain.C, but the messages are removed and replaced with non-printable code that looks like random characters in a binary editor.
This is a subvariant of Clone that corrupts the File Allocation Table (FAT) if it is booted after 1992.05.05.
This one is similar to Brain.B in most ways, except the message is modified to say
Welcome to the Dungeon © 1986 Brain & Amjads (pvt) Ltd. VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er..VIRUS :This program is catching program follows after these messeges..... $# @%$@!!
This variant is also known as Ashar, and some sources say that it may actually be older than the original.
There are some disagreements on this virus. There is a version of the Shoe variant that cannot infect hard disks and one in which the v9.0 has been changed to v9.1.
In this variant, the message is truncated in one line.
This variant contains the text "(C) Jork & Amjads (pvt) Ltd".
The copyright date on this virus is 1988 as opposed to 1986. The text through to the addresses and phone numbers of the creators is the same. After the phone numbers, it contains some different text:
Ver (Singapore) Beware of this "virus". It will transfer to a million of Diskettes... $# @%$@!!
Brain is the only virus in existence that contains the valid names, phone numbers and addresses of the creators. Basit and Amjad Farooq Alvi, of the Chahmiran neighborhood in Lahore, Pakistan, created the virus to infect machines running pirated copies of a program they sold for physicians.
Virdem, the first file virus for an IBM-compatible running DOS, appeared almost a year later. Shoerec and a number of other viruses pay tribute to this one in their payloads or texts inside the virus body.