Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!apple!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!ubu.cc.lehigh.edu!virus-l
From: rtc@bally.Bally.COM (Reynolds Cafferata)
Newsgroups: comp.virus
Subject: Re: Request for info on viruses (PC)
Message-ID: <0002.8906261553.AA06853@spot.CC.Lehigh.EDU>
Date: 21 Jun 89 00:25:58 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 28
Approved: virus-l@ubu.cc.lehigh.edu

(C)Brain infected many disks at the George Washington University. It is a product of some guy in Pakistan. The only saving grace to this virus is that it changes the volume name, as you must have noticed when it infects a disk.

The virus replaces command.com with a new version that is stored in some bad sectors on the disk. The new command.com has two nasty functions. First, whenever the disk is accessed, it checks to see if the disk being accessed is infected. If it isn't, then it infects that disk. Second, it will periodically add more bad sectors to disks.

The virus can only be loaded by booting the computer with an infected disk. It becomes a big problem in environments where people sit down and use already booted machines. A printer PC was the main distributor of the virus at GWU. The version we faced did not seem to affect hard disks.

The simplest cure we found was to boot a system with a disk that we were positive was not infected, and then read the first sector off of that disk with a block & track editor. Finally, write the good 1st sector onto the infected disk. Be sure to write a booting sector to boot disks and non-booting to non-booting disks. As for the bad sectors containing the command.com substitute, they are harmless without the companion boot sector and are best just left alone.

This virus cost many of my friends a lot of data--we would love to meet the guy who wrote it in some dark alley. In any event, I hope this posting is helpful.

Reynolds Cafferata
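
The two signs the post relies on (a changed volume name and a replaced first sector) can be checked on disk images before any sector is rewritten; the sketch below is an added example, not part of the original posting. It assumes the suspect and the known-good disk are the same FAT floppy format and have been dumped to files, and that the changed volume name contains the text "(C)Brain" as the post writes it; all function names are hypothetical.

```python
import struct

INDICATOR = "(C)BRAIN"  # assumption: name as written in the post, compared without case or spaces

def root_dir(ref: bytes):
    """Locate the root directory from the BIOS parameter block of the known-good disk."""
    bps, _spc, reserved, nfats, entries = struct.unpack_from("<HBHBH", ref, 11)
    (spf,) = struct.unpack_from("<H", ref, 22)
    return (reserved + nfats * spf) * bps, entries

def volume_label(img: bytes, ref: bytes):
    """Return img's volume label or None; the suspect's own first sector is not trusted."""
    off, entries = root_dir(ref)
    for i in range(entries):
        e = img[off + 32 * i: off + 32 * i + 32]
        if len(e) < 32 or e[0] == 0x00:          # end of directory
            break
        # live entry carrying the volume-label attribute (and not a long-name entry)
        if e[0] != 0xE5 and e[11] & 0x08 and e[11] != 0x0F:
            return e[:11].decode("ascii", "replace").rstrip()
    return None

def check(img: bytes, ref: bytes):
    """Report both signs; a differing first sector alone is only a hint, not proof."""
    label = volume_label(img, ref)
    norm = (label or "").upper().replace(" ", "")
    return {
        "label": label,
        "label_matches": INDICATOR in norm,
        "boot_sector_differs": img[:512] != ref[:512],
    }

def make_image(label=None, boot_byte=0x00):
    """Constructed sample: 1 reserved sector, 2 FATs of 2 sectors, 112 root entries."""
    img = bytearray(512 * 5 + 112 * 32)
    struct.pack_into("<HBHBH", img, 11, 512, 2, 1, 2, 112)
    struct.pack_into("<H", img, 22, 2)
    img[100] = boot_byte                         # stand-in for different boot code
    if label:
        img[2560:2571] = label.ljust(11).encode("ascii")
        img[2571] = 0x08                         # volume-label attribute
    return bytes(img)

if __name__ == "__main__":
    clean = make_image("WORKDISK")               # constructed known-good disk
    suspect = make_image("(C)Brain", boot_byte=0xFF)  # constructed suspect disk
    print(check(clean, clean))
    print(check(suspect, clean))
```

Taking the directory location from the known-good image rather than from the suspect means the check still works when the suspect's first sector no longer holds a valid parameter block.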