Brother | |
---|---|
Type | File virus |
Creator | Qark |
Date Discovered | 1994.07 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com |
Infection Length | 623 bytes |
Brother was a memory-resident, encrypted infector of MS-DOS .COM files, including COMMAND.COM. It appeared in issue 1 of VLAD magazine, released in July of 1994.
Behavior
Brother goes resident by reducing the size field of the host file's MCB, if it is the last MCB, and moving itself into the now-unallocated space. Once INT 21h is hooked, .COM files are infected on Execute, Extended Open, Chmod and Rename calls. Files are marked as infected by setting the 'seconds' field of the time-stamp to 62.
Like other members of the 'Incest' family, Brother checks the file extension but only handles upper-case. Brother also attempts to delete the Central Point Anti-Virus and Microsoft Anti-Virus checksum databases ("chklist.cps" and "chklist.ms").
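A triage check built on the two artifacts described above, added here as an example (it is not from the original research or from VLAD): it walks raw 32-byte FAT directory entries, flags .COM files whose timestamp seconds decode to 62, and lists deleted entries that match the checksum database names. The sample directory is constructed, and the deleted-entry check assumes the deletions went through DOS, which leaves the entry in place with a 0xE5 first byte.

```python
import struct

MARKER_SECONDS = 62  # infection marker stated on this page
# Deleted entries lose their first name byte, so match on name[1:8] and extension.
CHECKSUM_DBS = {(b"HKLIST ", b"CPS"), (b"HKLIST ", b"MS ")}

def dos_time(raw):
    """Decode a 16-bit DOS time (hhhhh mmmmmm sssss); seconds are stored halved."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def scan_directory(data):
    """Return (marked_com_files, deleted_checksum_dbs) from raw FAT directory bytes."""
    marked, deleted = [], []
    for off in range(0, len(data) - 31, 32):
        entry = data[off:off + 32]
        first, attr = entry[0], entry[11]
        if first == 0x00:          # end-of-directory marker
            break
        if attr & 0x18:            # volume label, subdirectory or LFN entry (attr 0x0F)
            continue
        name, ext = entry[0:8], entry[8:11]
        if first == 0xE5:          # deleted entry: first name byte overwritten
            if (name[1:], ext) in CHECKSUM_DBS:
                deleted.append("?" + name[1:].decode().rstrip() + "." + ext.decode().rstrip())
            continue
        raw_time = struct.unpack_from("<H", entry, 22)[0]
        # Raw field 31 decodes to 62, outside the 0-58 range of ordinary timestamps.
        if ext == b"COM" and dos_time(raw_time)[2] == MARKER_SECONDS:
            marked.append(name.decode("ascii", "replace").rstrip() + ".COM")
    return marked, deleted

def _entry(name, ext, attr=0x20, h=12, m=0, raw_sec=0, size=0):
    """Build one constructed directory entry (date field is 1994-07-01)."""
    t = (h << 11) | (m << 5) | raw_sec
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3),
                       attr, b"\0" * 10, t, 0x1CE1, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    _entry(b"COMMAND", b"COM", raw_sec=31),  # seconds decode to 62: flagged
    _entry(b"EDIT", b"COM", raw_sec=15),     # 30 s: ordinary timestamp
    _entry(b"\xe5HKLIST", b"MS"),            # deleted CHKLIST.MS
    _entry(b"NOTES", b"TXT", raw_sec=31),    # not a .COM file: ignored
])

if __name__ == "__main__":
    print(scan_directory(SAMPLE_DIR))
```

A seconds value of 62 is an indicator rather than proof of this particular virus, so flagged files still need content inspection.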
Sources
Original research by JPanic aka @JPanicVX