Chapter 7 (c) Brain

The “Brain” virus is probably the earliest MS-DOS virus. At one time it was the most widespread of PC viral programs. (Yet more support for the “superiority” of boot sector viral programs in terms of numbers of infections.) Extensive study has been done on the Brain family, and those wishing further details should consult Alan Solomon’s analyses (which, unfortunately, are too detailed for full inclusion in the Anti-Virus Toolkit). In spite of this, and in spite of the existence of address and phone number information for the supposed author, we still have no first, second or even third hand reports of the production of the virus, and so little can be said with absolute certainty. (We do have a first hand report from the author of the Den Zuk variant, for which I am grateful to Fridrik Skulason.)

The Brain “family” is prolific, although less so than Jerusalem. (Seemingly, any “successful” virus spawns a plague of copies as virus-writer-wannabes use it as a template.) Again, like the Jerusalem, it seems that one of the lesser variants might be the “original”. The “ashar” version appears to be somewhat less sophisticated than the most common “Brain”, and Brain contains text which makes no sense unless it is “derived” from ashar. Brain contains other “timing” information: a “copyright” date of 1986, and an apparent “version” number of 9.0.

Brain is a boot sector infector, somewhat longer than some of the more recent BSIs. Brain occupies three sectors itself, and, as is usual with BSIs, repositions the normal boot sector in order to “mimic” the boot process. As the boot sector is only a single sector, Brain, in infecting a disk, reserves two additional sectors on the disk for the remainder of itself, plus a third for the original boot sector. This is done by occupying unused space on the diskette, and then marking those sectors as “bad” so that they will not be used and overwritten. The “original” Brain virus is relatively harmless. It does not infect hard disks, or disks with formats other than 360K. (Other variants are less careful, and can overlay FAT and data areas.)

Brain is at once sly and brazen about its work. It is, in fact, the first “stealth” virus, in that a request to view the boot sector of an infected disk, on an infected system will result in a display of the original boot sector. However, the Brain virus is designed not to hide its light under a bushel in another way: the volume label of infected diskettes becomes “(c) Brain” (or “(c) ashar” or “Y.C.1.E.R.P” for different variants). Hence the name of the virus.

Who wrote the Brain virus?

Well, it’s quite simple really. In one of the most common Brain versions you will find text, unencrypted, giving the name, address and telephone number of Brain Computer Services in Pakistan. The virus is copyright by “ashar and ashars”, so we have two brothers running a computer store who have written a virus. Simple, right?

(Oh, the danger of simple answers.)

First of all, Alan Solomon’s analysis and contention that ashar is older than Brain is quite convincing. Also, in the most common version of Brain, the address text does not appear. Further, it would be a very simple matter to have overlaid the text in the ashar or Brain programs with the address text.

What motive would the owners of Brain Computer Services have for the writing of a virus? One story is that they sell pirated software, a practice that is legal in Pakistan, but not in the United States. Therefore, the infected disks were sold to Americans in punishment for their use of pirated software. Unconvincing. The moral attitude seems quite contorted, Brain would have no reason to “punish” the United States (its major source of software) and the Brain infection is not limited to the western world.

Another story is that Brain wrote some software of their own, and were incensed when others pirated their software. Unlikely. Infected disks would be most likely to be sold by Brain Computer Services, and this would tend to mean that a customer would be more likely to get a “clean” copy if it was pirated. (The hypothesis that Brain is some kind of copyright device is absurd: the virus would then be going around “legitimizing” bootleg copies.)

Given that Brain is relatively harmless it is possible that the virus was seen as a form of advertising for the company. Remember that this is the earliest known MS-DOS virus, and that the hardened attitude against viral programs had not yet arisen. Brain predates both Lehigh and Jerusalem, but even some time after those two “destructive” infections viral programs were still seen as possibly neutral or even beneficial. In those early, innocent days, it is not impossible that the author saw a self-reproducing program which “lost”, at most, 3k of disk space as simply a cute gimmick.

I have mentioned Alan Solomon’s analysis of the Brain family with regard to the dating of the ashar variant. Fridrik Skulason performed a similar analysis of the Ohio and Den Zuk versions, and has been proven 100% correct in his conclusions.

The Ohio and Den Zuk variants contain the Brain identification code, and so will not be “infected” or overlaid by Brain. However, Ohio and Den Zuk identify Brain infections, and will replace Brain infections with themselves. Thus, Ohio and Den Zuk may be said to be agents acting against the Brain virus (at the expense, however, of having the Ohio and Den Zuk infections). frisk also found that the Den Zuk version preferentially overlaid Ohio. (This “seeking” activity gives rise to one of Den Zuk’s aliases: “Search”. It was also suspected that “denzuko” might have referred to “the search” for Brain infections. This turned out not to be the case.)

There is text in both strains which indicates a similarity of authorship. Ohio contains an address in Indonesia, both contain a ham radio licence number issued in Indonesia. Both contain the identical bug which overlays FAT and data areas on non-360K format disks. Den Zuk has the more sophisticated touches in programming. From all of this, frisk concluded that Ohio was, in fact, an earlier version of Den Zuk.

So it proved to be, in a message from the author. The author turns out to have been a college student in Indonesia who, to this day, sees nothing wrong with what he did. (On the contrary, he is inordinately proud of it, and is somewhat peeved that his earlier creation is “misnamed” Ohio: he’s never been there. The name of Ohio was given by McAfee in reference to the place of the first identification of the viral program: Ohio State University.) Den Zuko is his nickname, derived from John Travolta’s character in the movie “Grease”.

Full details of Fridrik’s analysis and his contact with the author are available in Fridrik’s article in the Virus Bulletin.

Technically, the Brain family, although old, has a number of interesting points.

Brain itself is the first known MS-DOS virus, aside from those written by Fred Cohen for his thesis. In opposition to his, Brain is a boot sector infector. One wonders, given the fact that the two earliest viral programs (for the Apple II family) were “system” viri [viruses], whether there was not some influence from these earlier, and similar, programs.

Brain is the first example of “stealth” technology. Not, perhaps, as fully armoured as other, later, programs, but impressive nonetheless. The intercepting and redirection of the system interrupts had to be limited in order for the virus to determine, itself, whether or not a target was infected.

The Den Zuk and Ohio variants use the trapping technology which can be used to have a virus survive a warm boot. Although they do not survive, the fact that the <Ctrl><Alt><Del> key sequence is trapped, and that another piece of programming (in this case, the onscreen display) is substituted for the reboot code proves the point. The virus could be made to survive and to “fake” a reboot. (The recovery of the system would likely require a lot of programming and code. This has been pointed out before, and the “recovery mode” of Windows 3.1 probably proves it.)

Den Zuk and Ohio are also “virus hunting viri [CKnow: viruses]”. This possibility has long been discussed, and these examples prove it can be done. They also indicate that it is not a good idea: Den Zuk and Ohio are far more dangerous than Brain ever was.

The Solomon and Skulason analyses are fascinating for tracking the trail of a virus “mutation” through the same, and different, authors. The evolution of programming sophistication, the hesitation to alter the length of text strings, even while they are being replaced, and the retention and addition of bugs form an engrossing pattern to follow.

Robert M. Slade’s history is available here with permission of Robert M. Slade. Please do not further use the material without obtaining your own permission to use it.

Up Arrow Robert Slade Computer Virus History Up Arrow
Prior Page Next Page
Chapter 6 – Lehigh/Jerusalem Chapter 8 – MacMag