Brother
Type: File virus
Creator: Qark
Date Discovered: 1994.07
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .com
Infection Length: 623 bytes

Brother was a memory-resident, encrypted infector of MS-DOS .COM files, including COMMAND.COM. It appeared in issue 1 of VLAD magazine, released in July 1994.

Behavior

Brother goes resident by reducing the size field of the host file's MCB (memory control block), if it is the last MCB, and moving itself into the now-unallocated space. Once INT 21h is hooked, .COM files are infected on Execute, Extended Open, Chmod and Rename calls. Files are marked as infected by setting the 'seconds' field of the time-stamp to 62.

Like other members of the 'Incest' family, Brother checks the file extension but only handles upper-case. Brother also attempts to delete the Central Point Anti-Virus and Microsoft Anti-Virus checksum databases ("chklist.cps" and "chklist.ms").
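The time-stamp marker described above can be checked directly in a FAT directory listing from a disk image. The following is an added example, not code from the original research or from VLAD: it assumes the classic 32-byte FAT directory entry layout, and the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY = struct.Struct("<8s3sB10sHHHI")   # classic 32-byte FAT directory entry
MARKER_SECONDS = 62                      # marker value stated on this page

def decode_dos_time(word):
    """Split a 16-bit DOS time word into (hours, minutes, seconds)."""
    # The seconds field is 5 bits in 2-second units: valid clocks give 0..58,
    # so a decoded value of 62 (raw 31) never comes from a real time of day.
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def make_entry(name, ext, hms, size, attr=0x20):
    """Build one constructed directory entry for the sample data below."""
    h, m, s = hms
    time_word = (h << 11) | (m << 5) | (s // 2)
    date_word = ((1994 - 1980) << 9) | (7 << 5) | 1      # 1994-07-01
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, b"\0" * 10, time_word, date_word, 2, size)

def find_marked_com_files(directory):
    """Return (filename, size, time) for live .COM entries carrying the marker."""
    hits = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        raw = directory[off:off + ENTRY.size]
        if raw[0] == 0x00:          # end-of-directory marker
            break
        if raw[0] == 0xE5:          # deleted entry
            continue
        name, ext, attr, _, time_word, _, _, size = ENTRY.unpack(raw)
        if attr & 0x18:             # volume label, directory or long-name slot
            continue
        h, m, s = decode_dos_time(time_word)
        if ext == b"COM" and s == MARKER_SECONDS:
            fname = name.decode("ascii", "replace").rstrip() + ".COM"
            hits.append((fname, size, f"{h:02}:{m:02}:{s:02}"))
    return hits

# Constructed sample directory (names, sizes and times are made up).
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", (6, 0, 62), 50000),     # carries the marker
    make_entry("EDIT", "COM", (12, 30, 10), 413),        # normal time-stamp
    make_entry("NOTES", "TXT", (9, 15, 62), 120),        # marker, but not .COM
    b"\xe5" + make_entry("OLD", "COM", (1, 2, 62), 900)[1:],  # deleted
    bytes(32),                                           # end of directory
])

if __name__ == "__main__":
    for hit in find_marked_com_files(SAMPLE_DIR):
        print(hit)
```

A hit is an indicator to follow up with a content scan of the file, since the marker is only a time-stamp value and other software can also write an out-of-range seconds field.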

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License