BRAIN

Searching for the first PC virus in Pakistan

Brain virus

Brain is the oldest known virus on the PC platform and was first detected in 1986. Several variants of the virus are known and most of them are fairly harmless. It runs on IBM-PCs and compatibles running the PC-DOS or IBM-DOS operating system.

Brain is a boot sector virus, infecting the first sector of floppies as they are inserted into an infected computer. Brain is only a few kilobytes in size and most of it is located in sectors that are marked as "bad" in the FAT. The original boot sector is also stored in these sectors.

One of the most interesting details regarding the Brain virus is the following text, which appears inside it:
Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination............ $#@%$@!!

There are many variants of the virus with different texts. Here is another version:
Welcome to the Dungeon
(c) 1986 Brain & Amjads (pvt) Ltd.
VIRUS_SHOE RECORD v9.0
Dedicated to the dynamic memories
of millions of virus who are no longer with us today -
Thanks GOODNESS!! BEWARE OF THE er..VIRUS :This program is catching
program follows after these messeges..... $#@%$@!!

Infection

Before Brain infects diskettes, it looks for a “signature”. This makes it possible to “inoculate” against it by putting the signature in the correct place in the boot sector of a clean floppy. Such floppies would not get infected even if they were inserted into an infected computer.

Stealth

The Brain virus tries to hide from detection by hooking interrupt 13, which is used to read the hard drive. When an attempt is made to read an infected boot sector, Brain shows you the original boot sector instead. If you look at the boot sector using DEBUG or a similar program while the virus is active in memory, everything will look normal. In other words, Brain was not only the first PC virus, it was also the first rootkit.

Activity

The major effect of this fairly harmless virus is a change of the disk label (the "name" of the disk). The volume label is changed to read: "©Brain"
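The two on-disk traces described above, sectors marked "bad" in the FAT and the changed volume label, can be checked on a raw floppy image taken on a clean machine. The following is an added example, not code from the original page or from F-Secure; it assumes the standard 360 KB floppy layout, and the cluster numbers and the ASCII label "(c) Brain" in the sample are constructed.

```python
import struct

# Assumed geometry: a standard 360 KB DOS floppy. It is hard-coded rather than
# read from the boot sector, because the boot sector is the part under suspicion.
SECTOR, SEC_PER_CLUSTER, RESERVED, FATS, SEC_PER_FAT = 512, 2, 1, 2, 2
ROOT_ENTRIES, TOTAL_SECTORS = 112, 720
BAD_CLUSTER = 0xFF7        # FAT12 value that marks a cluster as "bad"
ATTR_VOLUME_LABEL = 0x08   # directory attribute bit for the disk label
ROOT_OFF = (RESERVED + FATS * SEC_PER_FAT) * SECTOR
CLUSTERS = (TOTAL_SECTORS - ROOT_OFF // SECTOR - ROOT_ENTRIES * 32 // SECTOR) // SEC_PER_CLUSTER

def fat12_entry(fat, n):
    """Decode the 12-bit FAT entry for cluster n (entries are packed 2 per 3 bytes)."""
    pair = struct.unpack_from("<H", fat, n + n // 2)[0]
    return pair >> 4 if n & 1 else pair & 0x0FFF

def scan_image(img):
    """Report bad-marked clusters and the volume label of a raw floppy image."""
    if len(img) != TOTAL_SECTORS * SECTOR:
        raise ValueError("not a 360 KB floppy image")
    fat = img[RESERVED * SECTOR:(RESERVED + SEC_PER_FAT) * SECTOR]
    bad = [n for n in range(2, CLUSTERS + 2) if fat12_entry(fat, n) == BAD_CLUSTER]
    label = ""
    for off in range(ROOT_OFF, ROOT_OFF + ROOT_ENTRIES * 32, 32):
        entry = img[off:off + 32]
        if entry[0] == 0x00:                      # end of directory
            break
        if entry[0] != 0xE5 and entry[11] & ATTR_VOLUME_LABEL:
            label = entry[:11].decode("cp437").rstrip()
            break
    # Bad clusters alone are common on worn media; flag only the combination.
    return {"bad_clusters": bad, "label": label,
            "suspicious": bool(bad) and "Brain" in label}

def build_sample(label, bad_clusters):
    """Constructed test image: an empty 360 KB floppy with a label and bad marks."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    fat = bytearray(SEC_PER_FAT * SECTOR)
    fat[0:3] = b"\xFD\xFF\xFF"                    # media descriptor + reserved entries
    for n in bad_clusters:
        off = n + n // 2
        old = struct.unpack_from("<H", fat, off)[0]
        new = (old & 0x000F) | (BAD_CLUSTER << 4) if n & 1 else (old & 0xF000) | BAD_CLUSTER
        struct.pack_into("<H", fat, off, new)
    for k in range(FATS):                         # write both FAT copies
        start = (RESERVED + k * SEC_PER_FAT) * SECTOR
        img[start:start + len(fat)] = fat
    img[ROOT_OFF:ROOT_OFF + 12] = label.ljust(11) + bytes([ATTR_VOLUME_LABEL])
    return bytes(img)
```

A hit from `scan_image` is a reason to inspect the boot sector and the flagged clusters by hand, not proof of infection.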

Mikko Hypponen

Mikko Hypponen, born in 1969, is the Chief Research Officer of F-Secure. He has worked for the company since 1991...

Trip to Pakistan

We’ve had a diskette infected with the Brain virus in the F-Secure Security Lab for as long as I can remember...