Path: utzoo!attcan!uunet!mcvax!hp4nl!telmail!neabbs!animaldb
From: animaldb@neabbs.UUCP (DRIES BESSELS)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Anyone infected by "Brain" virus?
Message-ID: <34734@neabbs.UUCP>
Date: 22 Sep 88 19:49:20 GMT
Organization: NEABBS multi-line BBS +31-20-717666 (12x), Amsterdam, Holland
Lines: 52

Hello Richard,
here is part of the article. The rest was about the question if this
virus could infect a DEC computer. Not really useful in this context
so I chose only the description of the virus.
QUOTE
The Brain virus does neither of these.  Instead, it attaches itself to
the boot sector of the diskette, and patches the boot process to
execute the virus code.  But the virus is too big for the boot sector,
so the body of the virus is stored further down the diskette.  To
avoid detection, it isn't stored as a file;  instead it is stored as
3K of bad sectors.  If you know DOS, this is a real giveaway, as a
diskette with bad sectors will have a minimum of 5K bad.  When DOS
finds a bad sector on formatting the diskette, it marks the whole
track as bad.
 
If you boot from an infected diskette, you get an infected computer.
If you have an infected computer, then any diskette that you put in
drive A becomes infected, simply by accessing the diskette.  Even a
simple DIR will infect the diskette, or even logging on to the drive
if you have $P$G in your prompt.
 
If you then look at the boot sector of the infected diskette using
Norton, PC Tools or any other simple disk sector editor, you'll see a
normal boot sector.  That is because the virus intercepts the attempt
to read the boot sector, and feeds back a copy of the original boot
sector which it has stored in its body.  It also uses this original
boot sector to complete the boot process, after it has installed
itself.
 
The big question is what does it do when it detonates.  The answer is
that it doesn't really matter, because clever hackers will already be
modifying it, and anyway it isn't the only virus around.  The safest
thing is to assume the worst.  This is a total corruption of all
data and backups, which could be accomplished by simply writing a byte
of zero at random intervals to a random location on the disk.  By the
time the problem is discovered, the corrupted data will have
propagated over all the backups.
 
Dr Alan Solomon
31, Holloway Lane
Amersham
Bucks HP6 6DJ
or phone 0494 728095
BBS 0494 724946
 
UNQUOTE
 
Please contact this guy for more info, think he is one of the best
people to consult on this. Let me know what happens...
Again, good luck,
dries bessels
Amsterdam, Holland
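
Added example, not part of the original post or the quoted article: a check for the giveaway the article describes, a diskette whose FAT marks some clusters bad but fewer than the 5K minimum DOS leaves. The 360K diskette layout constants, the function names and the sample images are assumptions constructed here; use an image read on a machine that was not booted from the suspect diskette.

```python
import struct

BAD = 0xFF7              # FAT12 marker for a bad cluster
SECTOR = 512
# Assumed 360K diskette layout: boot sector, then FAT #1 (2 sectors),
# 354 data clusters of 1K each, numbered from 2.
FAT_START, FAT_SECTORS, CLUSTERS, CLUSTER_BYTES = 1, 2, 354, 1024
MIN_DOS_BAD = 5 * 1024   # smallest bad area DOS leaves, per the article


def fat12_entry(fat, n):
    """Decode the 12-bit FAT entry for cluster n (two entries per 3 bytes)."""
    pair = struct.unpack_from("<H", fat, n + n // 2)[0]
    return pair >> 4 if n & 1 else pair & 0xFFF


def bad_clusters(image):
    """List the cluster numbers that the first FAT copy marks as bad."""
    fat = image[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR]
    return [n for n in range(2, CLUSTERS + 2) if fat12_entry(fat, n) == BAD]


def check(image):
    """Flag a diskette with some bad space, but less than DOS would mark."""
    bad = bad_clusters(image)
    bad_bytes = len(bad) * CLUSTER_BYTES
    return {"bad_clusters": bad, "bad_bytes": bad_bytes,
            "suspicious": 0 < bad_bytes < MIN_DOS_BAD}


def make_image(bad):
    """Constructed sample: blank 360K image with the given clusters marked bad."""
    img = bytearray(360 * 1024)
    fat = FAT_START * SECTOR
    img[fat:fat + 3] = b"\xfd\xff\xff"   # media byte and reserved entries 0, 1
    for n in bad:
        off = fat + n + n // 2
        pair = struct.unpack_from("<H", img, off)[0]
        # Odd clusters use the high 12 bits of the pair, even ones the low 12.
        pair = (pair & 0x000F) | (BAD << 4) if n & 1 else (pair & 0xF000) | BAD
        struct.pack_into("<H", img, off, pair)
    return bytes(img)


if __name__ == "__main__":
    print(check(make_image([100, 101, 102])))   # 3K bad: flagged
    print(check(make_image(range(50, 55))))     # 5K bad: not flagged
```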