Brain

This page shows the details and results of our analysis of the Brain malware.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4002 (1998-12-02)
Updated DAT: 4461 (2005-04-04)
Minimum Engine: 5.1.00
File Length: 512 Bytes
Description Added: 1999-12-30
Description Modified: 1999-12-30

Characteristics

Brain is a stealth, memory-resident, boot sector infecting virus. The original version of Brain infected only diskettes; however, variants of the virus also infect hard disks. Upon infection, the Brain virus becomes memory resident, taking up between 3K and 7K of RAM, and hooks interrupt 13. On a diskette, the Brain virus infects the boot sector and moves the original contents to another location on the disk. It marks 6 sectors "bad" in the File Allocation Table (FAT), then writes the virus code in the boot sector. The Brain virus hides from detection by intercepting attempts to interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk (a stealth technique). This makes detection more difficult. The Brain virus is considered the first virus to use stealth techniques.

Additional Comments:
The Pakistani Brain virus originated in Lahore, Pakistan. It infects disk boot sectors by moving the original contents of the boot sector to another location on the disk, marking those 3 clusters (6 sectors) bad in the FAT, and then writing the virus code in the disk boot sector. One sign that a disk has been infected, at least with the original virus, is that the volume label is changed to "(c) Brain". Another sign is that the label "(c) Brain" can be found in sector 0 (the boot sector) of an infected disk. The virus installs itself resident on infected systems, taking up between 3K and 7K of RAM. It hides from detection by intercepting any interrupt that might interrogate the boot sector and redirecting the read to the original boot sector located elsewhere on the disk, so some programs will be unable to see the virus. The original Brain virus infected only floppies; however, variants of the virus can now infect hard disks. Also, some variants have had the "(c) Brain" label removed to make them harder to detect. Known variants of Brain are:

Symptoms

The volume label of infected diskettes is changed to "(c) Brain", and the same label can be found in sector 0 (the boot sector).

Some variants of the original virus no longer change the volume label to "(c) Brain".

The following text is contained within the viral code:

"Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............. !!"
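The signs listed under Characteristics and Symptoms can be checked directly against a raw diskette image. The following Python sketch is an added example, not part of the original description or of any scanner named on this page. It assumes the standard 360 KB DOS diskette layout (FAT12, 2 sectors per cluster) and an image acquired after booting from clean media, because the resident virus redirects boot sector reads; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
# Assumption: 360 KB DOS diskette layout; an infected boot sector cannot be trusted.
FAT_START, FAT_SECTORS, ROOT_START, ROOT_SECTORS = 1, 2, 5, 7
CLUSTERS = range(2, 356)          # 354 data clusters, 2 sectors each
BAD, LABEL = 0xFF7, b"(c) Brain"  # FAT12 bad-cluster marker, label from this page

def fat12_entry(fat: bytes, n: int) -> int:
    """Return the 12-bit FAT entry for cluster n."""
    pair, = struct.unpack_from("<H", fat, n * 3 // 2)
    return pair >> 4 if n & 1 else pair & 0xFFF

def volume_label(root: bytes) -> bytes:
    """Return the volume label from the root directory, or b'' if none."""
    for off in range(0, len(root), 32):
        entry = root[off:off + 32]
        if entry[0] == 0x00:      # end of directory
            break
        if entry[0] != 0xE5 and entry[11] & 0x08 and entry[11] != 0x0F:
            return entry[:11].rstrip()
    return b""

def brain_indicators(image: bytes) -> dict:
    """Check a raw diskette image for the signs this page lists."""
    fat = image[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR]
    root = image[ROOT_START * SECTOR:(ROOT_START + ROOT_SECTORS) * SECTOR]
    bad = [c for c in CLUSTERS if fat12_entry(fat, c) == BAD]
    # Three consecutive bad clusters = the 6 sectors the virus reserves.
    run3 = any(c + 1 in bad and c + 2 in bad for c in bad)
    return {
        "label_in_sector0": LABEL in image[:SECTOR],
        "volume_label": volume_label(root) == LABEL,
        "dungeon_text": b"Welcome to the Dungeon" in image,
        "bad_clusters": bad,
        "three_bad_in_a_row": run3,
    }

def constructed_sample() -> bytes:
    """Constructed test image (not a real sample): indicators only, no code."""
    img = bytearray(720 * SECTOR)
    for off, s in ((0x10, LABEL), (0x40, b"Welcome to the Dungeon")):
        img[off:off + len(s)] = s                        # strings in sector 0
    img[ROOT_START * SECTOR:ROOT_START * SECTOR + 12] = LABEL.ljust(11) + b"\x08"
    for c in (100, 101, 102):                            # mark 3 clusters bad
        off = FAT_START * SECTOR + c * 3 // 2
        pair, = struct.unpack_from("<H", img, off)
        pair = (pair & 0x000F) | (BAD << 4) if c & 1 else (pair & 0xF000) | BAD
        struct.pack_into("<H", img, off, pair)
    return bytes(img)
```

Because some variants remove the "(c) Brain" label, the run of three bad clusters is worth checking even when both label checks come back negative; genuinely damaged media can also produce bad clusters, so treat it as a lead rather than a verdict.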

Method of Infection

The only way to infect a computer with a Master Boot Record (MBR)/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's boot sector and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal


Windows 95/98:
Note for Windows 9x systems: during the boot process, a boot disk created by Windows 95 will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.

To remove the virus, follow these steps:
- If you use the McAfee emergency disk, hit F8 at the "Starting Windows 95" message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A: prompt, type:
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants