Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!bcm!dimacs.rutgers.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: p1@rlyeh.wimsey.bc.ca (Rob Slade)
Newsgroups: comp.virus
Subject: (c) BRAIN id and disinfection (PC)
Message-ID: <0007.9101092021.AA06041@ubu.cert.sei.cmu.edu>
Date: 8 Jan 91 19:56:34 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

ecs50145@zach.fit.edu ( COLDENHOFF) writes:

> I do not quite understand how this boot sector virus was able to
> contaminate my disks without actually booting from them. Does DOS

Someone recently explained this, although I can't remember the terms he
used for the different "processes". Again, though, if you stick the disk
in the A: drive and power on, "reset" or , then the program on the boot
sector of the A: drive disk will be loaded. Even on a "non-system" disk
there is a program in the boot sector. It usually prints "Non-system
disk. Replace and press any key to continue" on the screen. A
BRAIN-infected disk will load BRAIN into memory *and then* run that
message. You remove the disk and replace it with the proper system disk
and hit a key, and the machine "boots" the proper system files *but
BRAIN is still active.* And, of course, it infects any disk it reads
from then on.

> Does anybody know what the typical virus scanner looks for in
> reference to this virus? I hope it doesn't just look for the label -

Interesting that the (c) BRAIN label doesn't show up on your disks. As
BRAIN was one of the very early viri, and fairly obtrusive, it is also
one of the most widely "altered" viri. However, if you have a version
that is even *close* to the original, most of the scanners should find
it. The early "hackers" didn't do much messing with its core code.

You can probably [check] it yourself. PCTOOLS, F-BOOT and many other
utilities will "show" you the boot sector contents, and there is a lot
of text in BRAIN so it should be obvious. (You can even do it with DEBUG
if you can find the right numbers.)

Disinfection is fairly easy. F-DISINF works perfectly, SCAN/D should
work OK, even good old SYS will take care of BRAIN. Provided you "boot
clean" first.
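As an added example (not part of Rob Slade's post, nor code from PCTOOLS, F-BOOT or DEBUG), here is a small Python script that does what the post suggests doing by hand: read the first 512 bytes of a raw floppy image, check the 0x55AA boot signature, and dump the printable strings so that any "(c) BRAIN" text stands out the way it would in a DEBUG display. The two sample sectors are constructed for this example and are not real disk images; the BRAIN sample carries only the label the post mentions, not the virus body or its other strings. The `looks_like_brain` check is deliberately the label-only test the quoted question worries about: a variant with the label patched out will pass it, which is why the post points you at the whole boot sector rather than one string.

```python
import re
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid x86 boot sector


def read_boot_sector(path: str) -> bytes:
    """Return the first 512 bytes (the boot sector) of a raw floppy image."""
    with open(path, "rb") as f:
        sector = f.read(SECTOR_SIZE)
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"{path}: short read, not a full boot sector")
    return sector


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends in 0x55 0xAA, i.e. the BIOS would execute it."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def strings_in(sector: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, sector)]


def looks_like_brain(sector: bytes) -> bool:
    """Label-only check for the '(c) BRAIN' text the post refers to.
    An altered variant with the label removed is NOT caught by this."""
    return any("brain" in s.lower() for s in strings_in(sector))


def hexdump(sector: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump, in the style of DEBUG's 'd' command."""
    lines = []
    for off in range(0, len(sector), width):
        chunk = sector[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def _make_sector(message: bytes) -> bytes:
    """Build a constructed 512-byte boot sector (illustrative layout only)."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"        # short JMP over the BPB, as DOS boot sectors start
    sec[3:11] = b"MSDOS5.0"           # OEM name field
    sec[0x3E:0x3E + len(message)] = message
    sec[-2:] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed samples, not real disk images.
CLEAN_SECTOR = _make_sector(
    b"Non-System disk or disk error\r\nReplace and press any key when ready\r\n")
# Placeholder text carrying only the label the post mentions; the real virus
# body and its other strings are deliberately not reproduced here.
SUSPECT_SECTOR = _make_sector(
    b"(c) BRAIN  <constructed placeholder, not the real virus text>\r\n")


if __name__ == "__main__":
    # Usage: python brainck.py floppy.img   (falls back to the constructed sample)
    sector = read_boot_sector(sys.argv[1]) if len(sys.argv) > 1 else SUSPECT_SECTOR
    print("boot signature present:", has_boot_signature(sector))
    for s in strings_in(sector):
        print("  string:", s)
    print("label check (looks like BRAIN):", looks_like_brain(sector))
    print(hexdump(sector[:64]))
```

Run it against a raw image of the floppy (for example one made with `dd` from the A: drive on a machine that was booted clean); the strings listing is what PCTOOLS or F-BOOT would show you on screen, and the hexdump is the DEBUG view without having to find the right numbers.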