Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!ames!elroy.jpl.nasa.gov!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: davidf@CS.HW.AC.UK (David.J.Ferbrache)
Newsgroups: comp.virus
Subject: Ashar variant of Brain virus (PC)
Message-ID: <0003.8907271315.AA12859@ge.sei.cmu.edu>
Date: 27 Jul 89 09:55:01 GMT
Sender: Virus Discussion List
Lines: 129
Approved: krvw@sei.cmu.edu

Message forwarded for the BCVRC.

I have now had an opportunity to examine the version of Brain which Alan Solomon refers to as 'Ashar'. The differences are not sufficient to warrant a new name, and the further confusion (in an already confused field) that this would create. This IS Brain, but a version which creates a different label on a disk.

Description of differences.

The assumption is made in this description that the version which produces a label of ' (c) ashar ' is the changed version. This assumption has been made purely to aid description, although I hope to show that this is the more valid conclusion.

The actual differences within the code are:

1. In three different places the code to initialise the disk sub-system is done before attempting to read or write, instead of after an error has occurred.

2. The code to divert a read of the boot sector to the stored copy is no longer present.

3. The very complex routine to create the volume label is no longer present, and a much simpler routine is in its place which creates the label ' (c) ashar '.

4. The search of directory entries starts with the first entry and includes all of them, instead of starting with the third and not including the last two.

5. The search for free clusters starts with cluster 2 (the first) instead of with cluster 55.

There are other differences, but these are trivial (e.g. a switch no longer exists).

Other differences are in embedded but unreferenced text strings:

1. The primary text string in the boot sector is different in two places, although we already have other variations for one of these.

This text string in the closest previous version read:

     DB 'Welcome to the Dungeon (c) 1986 D.C.L', 17H, '&'
     DB ' Amjads (pvt) Ltd VIRUS_SHOE RECORD v9.0 '
     DB 'Dedicated to the dynamic memories of millions of'
     DB ' virus who are no longer with us today - Thanks '
     DB 'GOODNESS!! BEWARE OF THE er..VIRUS : \thi'
     DB 's program is catching program follows after'
     DB ' these messeges..... $#@%$@!! '

The first two lines of this now read:

     DB 'Welcome to the Dungeon (c) 1986 ashar &'
     DB ' ashars (pvt) Ltd VIRUS_SHOE RECORD '

2. In two different locations the string:

     DB '(c) 1986 Brain & Amjads (pvt) Ltd '

has been changed to:

     DB '(c) 1986 ashar & ashars (pvt) Ltd '

The locations are offset 202H and 355H, although the second offset becomes 305H in the modified version.

3. The string ' (c) Brain $' at offset 4A6H has been removed.

Finally there are minor differences in unreferenced areas which appear to be random rubbish (e.g. the area at the end of the first sector).

Interpretation.

It is fruitless to speculate about whether the 'VIRUS_SHOE' version or the 'telephone number' version is the earlier or original one. Even a confession by the author of the virus would now be suspect. Certainly the popular story of the origin of this virus has all the hallmarks of a modern fantasy, and can be discounted as irrelevant. I shall consider only whether this version is a rewrite of the 'VIRUS_SHOE' version, or vice versa as suggested by Alan Solomon.

None of the evidence is conclusive, but such indications as there are clearly suggest that what we have is a new modification.

The changes to the unreferenced strings do not include a change to the lengths, although one of these is now in a different location. This suggests that these changes were made separately to the virus via a disk editor, before the virus was disassembled to make the other changes.

Initialising the disk sub-system before attempting to read or write is the more orthodox practice. A conventional programmer might well wish to conform to 'standard', but it is difficult to believe that a programmer would bother to change this to the alternative method.

If a pseudo company name is to be created, implying two brothers (or other close family tie), the probable result would be 'ashar & ashar'. The most feasible explanation for the final 's' is that it was already there, and therefore easier to leave as 'ashar & ashars'. This is consistent with this change having been done before disassembly.

Similarly, the spacing in the 'VIRUS_SHOE' version around the sub-string 'v9.0' is too consistent for it to be a later addition - particularly as there is no apparent reason for the corresponding gap in the 'ashar' version.

The rest of the changes are tied together. The Brain virus is filled with misdirection concerning the volume label. The embedded string at offset 4A6H appears to be the label as used. Changing it will not affect the virus. The next thing a close examination might reveal is the encrypted ' (c) ashar ' immediately before the other string. This is obviously not the label either. I have seen a number of otherwise competent programmers foxed by the actual label routine. The label is embedded in code which is executed, but does very little, before it is used as data.

It is my belief that having been disappointed twice, and having failed to discover the label, the programmer ripped out everything he (or she) did not understand. This included the redirection of the read to the boot sector, and the way that room has been left for the DOS system files in both the FAT and the directory.

Joe Hirst
British Computer Virus Research Centre
12 Guildford Street
Brighton
East Sussex BN1 3LS
England

Telephone: Domestic 0273-26105
           International +44-273-26105
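As an added illustration, and not part of Joe Hirst's analysis or of the original post, the following Python script inspects a FAT12 floppy image for the two artefacts the analysis turns on: the volume label entry in the root directory and the embedded copyright text, and it shows why the "start at cluster 2" versus "start at cluster 55" free-cluster search matters by decoding the FAT. The image it examines is constructed in memory with standard 360K floppy geometry and a three-cluster dummy file; that geometry, the placement of the quoted text at offset 0x40 of the boot sector, and the file entry are all assumptions for the example. No real Brain sample, virus code, or genuine offsets are included.

```python
import struct

# Standard 360K 5.25" floppy geometry (assumed for the constructed image;
# the post gives no disk parameters).
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 2
RESERVED_SECTORS = 1
NUM_FATS = 2
ROOT_ENTRIES = 112
TOTAL_SECTORS = 720
SECTORS_PER_FAT = 2
MEDIA_BYTE = 0xFD

ATTR_VOLUME_LABEL = 0x08
ATTR_LFN = 0x0F

# Fragments quoted in the post, used here as search signatures.
ASHAR_SIG = b'ashar & ashars (pvt) Ltd'
BRAIN_SIG = b'Brain & Amjads (pvt) Ltd'
ASHAR_LABEL = ' (c) ashar '


def fat12_entry(fat, n):
    """Decode FAT12 entry n (12-bit values packed 1.5 bytes apart)."""
    off = n + n // 2
    val = struct.unpack_from('<H', fat, off)[0]
    return val >> 4 if n & 1 else val & 0xFFF


def fat12_set(fat, n, value):
    """Write FAT12 entry n without disturbing the neighbouring nibble."""
    off = n + n // 2
    cur = struct.unpack_from('<H', fat, off)[0]
    if n & 1:
        cur = (cur & 0x000F) | ((value & 0xFFF) << 4)
    else:
        cur = (cur & 0xF000) | (value & 0xFFF)
    struct.pack_into('<H', fat, off, cur)


def make_image(label=ASHAR_LABEL):
    """Constructed 360K image: BPB, two FATs, a label entry, one dummy file."""
    img = bytearray(TOTAL_SECTORS * BYTES_PER_SECTOR)
    img[0:3] = b'\xEB\x3C\x90'
    img[3:11] = b'CONSTRCT'
    struct.pack_into('<HBHBHHBHHH', img, 0x0B, BYTES_PER_SECTOR,
                     SECTORS_PER_CLUSTER, RESERVED_SECTORS, NUM_FATS,
                     ROOT_ENTRIES, TOTAL_SECTORS, MEDIA_BYTE,
                     SECTORS_PER_FAT, 9, 2)
    text = (b'Welcome to the Dungeon (c) 1986 ashar &'
            b' ashars (pvt) Ltd VIRUS_SHOE RECORD ')
    img[0x40:0x40 + len(text)] = text          # placement is an assumption
    img[510:512] = b'\x55\xAA'

    fat = bytearray(SECTORS_PER_FAT * BYTES_PER_SECTOR)
    fat[0:3] = bytes([MEDIA_BYTE, 0xFF, 0xFF])
    for n, nxt in ((2, 3), (3, 4), (4, 0xFFF)):  # clusters 2-4 in use
        fat12_set(fat, n, nxt)
    for i in range(NUM_FATS):
        start = (RESERVED_SECTORS + i * SECTORS_PER_FAT) * BYTES_PER_SECTOR
        img[start:start + len(fat)] = fat

    root = (RESERVED_SECTORS + NUM_FATS * SECTORS_PER_FAT) * BYTES_PER_SECTOR
    img[root:root + 11] = label.encode('ascii').ljust(11)
    img[root + 11] = ATTR_VOLUME_LABEL
    e = root + 32
    img[e:e + 11] = b'SAMPLE  TXT'
    img[e + 11] = 0x20
    struct.pack_into('<HI', img, e + 26, 2, 3 * SECTORS_PER_CLUSTER * BYTES_PER_SECTOR)
    return bytes(img)


def parse_bpb(img):
    bps, spc, reserved, nfats, root_entries, total = struct.unpack_from('<HBHBHH', img, 0x0B)
    spf = struct.unpack_from('<H', img, 0x16)[0]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_sectors)
    return {'fat_off': reserved * bps, 'fat_len': spf * bps,
            'root_off': (reserved + nfats * spf) * bps,
            'root_entries': root_entries,
            'max_cluster': data_sectors // spc + 1}


def root_dir_entries(img):
    b = parse_bpb(img)
    out = []
    for i in range(b['root_entries']):
        e = b['root_off'] + i * 32
        if img[e] == 0x00:      # end of used entries
            break
        if img[e] == 0xE5:      # deleted entry
            continue
        name = img[e:e + 11].decode('ascii', 'replace')
        out.append((name, img[e + 11], struct.unpack_from('<H', img, e + 26)[0]))
    return out


def volume_label(img):
    for name, attr, _ in root_dir_entries(img):
        if attr != ATTR_LFN and attr & ATTR_VOLUME_LABEL:
            return name
    return None


def first_free_cluster(img, start=2):
    """Mirror the two search strategies the post contrasts (start at 2 or 55)."""
    b = parse_bpb(img)
    fat = img[b['fat_off']:b['fat_off'] + b['fat_len']]
    for n in range(start, b['max_cluster'] + 1):
        if fat12_entry(fat, n) == 0:
            return n
    return None


def find_strings(img, needles):
    hits = {}
    for needle in needles:
        offs, pos = [], img.find(needle)
        while pos != -1:
            offs.append(pos)
            pos = img.find(needle, pos + 1)
        hits[needle] = offs
    return hits


def identify_variant(img):
    hits = find_strings(img, [ASHAR_SIG, BRAIN_SIG])
    if hits[ASHAR_SIG]:
        return 'ashar'
    if hits[BRAIN_SIG]:
        return 'brain'
    return None


if __name__ == '__main__':
    image = make_image()
    print('label:', repr(volume_label(image)))
    print('variant:', identify_variant(image))
    print('first free cluster from 2:', first_free_cluster(image, 2))
    print('first free cluster from 55:', first_free_cluster(image, 55))
```

On a real image the same functions would be run over the bytes read from the floppy or image file; the signature scan is deliberately independent of any offset, since the post notes that one of the string locations differs between the two versions, and the label check reads the directory entry attribute rather than trusting an embedded string, which is exactly the misdirection the analysis warns about.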