Path: utzoo!attcan!uunet!mcvax!hp4nl!telmail!neabbs!animaldb
From: animaldb@neabbs.UUCP (DRIES BESSELS)
Newsgroups: comp.sys.ibm.pc
Subject: Re: Anyone infected by "Brain" virus?
Message-ID: <34734@neabbs.UUCP>
Date: 22 Sep 88 19:49:20 GMT
Organization: NEABBS multi-line BBS +31-20-717666 (12x), Amsterdam, Holland
Lines: 52

Hello Richard, here is part of the article. The rest was about the
question if this virus could infect a DEC computer. Not really useful
in this context so I chose only the description of the virus.

QUOTE

The Brain virus does neither of these. Instead, it attaches itself to
the boot sector of the diskette, and patches the boot process to
execute the virus code. But the virus is too big for the boot sector,
so the body of the virus is stored further down the diskette. To avoid
detection, it isn't stored as a file; instead it is stored as 3K of bad
sectors. If you know DOS, this is a real giveaway, as a diskette with
bad sectors will have a minimum of 5K bad. When DOS finds a bad sector
on formatting the diskette, it marks the whole track as bad.

If you boot from an infected diskette, you get an infected computer. If
you have an infected computer, then any diskette that you put in drive
A becomes infected, simply by accessing the diskette. Even a simple DIR
will infect the diskette, or even logging on to the drive if you have
$P$G in your prompt.

If you then look at the boot sector of the infected diskette using
Norton, PC Tools or any other simple disk sector editor, you'll see a
normal boot sector. That is because the virus intercepts the attempt to
read the boot sector, and feeds back a copy of the original boot sector
which it has stored in its body. It also uses this original boot sector
to complete the boot process, after it has installed itself.

The big question is what does it do when it detonates. The answer is
that it doesn't really matter, because clever hackers will already be
modifying it, and anyway it isn't the only virus around.

The safest thing is to assume the worst. This is a total corruption of
all data and backups, which could be accomplished by simply writing a
byte of zero at random intervals to a random location on the disk. By
the time the problem is discovered, the corrupted data will have
propagated over all the backups.

Dr Alan Solomon
31, Holloway Lane
Amersham
Bucks HP6 6DJ
or phone 0494 728095
BBS 0494 724946

UNQUOTE

Please contact this guy for more info, think he is one of the best
people to consult on this. Let me know what happens...

Again, good luck,

dries bessels
Amsterdam, Holland
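
The bad-sector giveaway described in the quoted article can be checked mechanically. The following is an added example, not part of the original post or the quoted article: it decodes a FAT12 table and flags a diskette whose total bad-cluster space is smaller than one track. The 360K geometry (512-byte sectors, 2 sectors per cluster, 9 sectors per track, 354 data clusters) and all function names are assumptions, and the sample FAT is constructed.

```python
BAD_CLUSTER = 0xFF7  # FAT12 value marking a cluster as bad


def fat12_entry(fat, n):
    """Decode 12-bit FAT entry n (two entries share every three bytes)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0x0FFF


def bad_cluster_report(fat, data_clusters=354, sectors_per_cluster=2,
                       sectors_per_track=9, bytes_per_sector=512):
    """Flag a diskette whose bad space is less than one whole track.

    Defaults are an assumed 360K diskette geometry.
    """
    bad = [n for n in range(2, data_clusters + 2)
           if fat12_entry(fat, n) == BAD_CLUSTER]
    bad_bytes = len(bad) * sectors_per_cluster * bytes_per_sector
    track_bytes = sectors_per_track * bytes_per_sector
    return {"bad_clusters": bad, "bad_bytes": bad_bytes,
            "suspicious": 0 < bad_bytes < track_bytes}


def build_fat12(bad, data_clusters=354):
    """Construct a sample FAT12 table (test data, not from a real disk)."""
    fat = bytearray((data_clusters + 2) * 3 // 2 + 1)

    def put(n, value):
        off = n + n // 2
        if n & 1:   # odd entry: high nibble of first byte, all of second
            fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
            fat[off + 1] = value >> 4
        else:       # even entry: all of first byte, low nibble of second
            fat[off] = value & 0xFF
            fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)

    put(0, 0xFFD)  # media descriptor 0xFD: 360K diskette
    put(1, 0xFFF)
    for n in bad:
        put(n, BAD_CLUSTER)
    return bytes(fat)


if __name__ == "__main__":
    for label, bad in (("3K bad", [100, 101, 102]),
                       ("whole track bad", [100, 101, 102, 103, 104])):
        print(label, bad_cluster_report(build_fat12(bad)))
```

The FAT bytes must come from a raw sector read taken after booting from known-clean media, since the article notes that an infected machine intercepts reads of the boot sector.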