[comp.virus] Ashar variant of Brain virus

davidf@CS.HW.AC.UK (David.J.Ferbrache) (07/27/89)

Message forwarded for the BCVRC,

I have now had an opportunity to examine the version of Brain which Alan
Solomon refers to as 'Ashar'.

The differences are not sufficient to warrant a new name, and the further
confusion (in an already confused field) that this would create.  This IS
Brain, but a version which creates a different label on a disk.

                        Description of differences.

The assumption is made in this description that the version which produces
a label of ' (c) ashar ' is the changed version.  This assumption has been
made purely to aid description, although I hope to show that this is the
more valid conclusion.

The actual differences within the code are:

     1.   In three different places the code to initialise the disk
          sub-system is done before attempting to read or write instead of
          after an error has occurred.

     2.   The code to divert a read of the boot sector to the stored copy
          is no longer present.

     3.   The very complex routine to create the volume label is no longer
          present, and a much simpler routine is in its place which creates
          the label ' (c) ashar '.

     4.   The search of directory entry starts with the first entry and
          includes all of them, instead of starting with the third and not
          including the last two.

     5.   The search for free clusters starts with cluster 2 (the first)
          instead of with cluster 55.

There are other differences, but these are trivial (e.g. a switch no longer
exists).

Other differences are in embedded but unreferenced text strings:

     1.   The primary text string on the boot sector is different in two
          places, although we already have other variations for one of
          these.  This text string in the closest previous version read:

             DB      'Welcome to the  Dungeon         (c) 1986 D.C.L', 17H, '&'
             DB      ' Amjads (pvt) Ltd   VIRUS_SHOE  RECORD   v9.0   '
             DB      'Dedicated to the dynamic memories of millions of'
             DB      ' virus who are no longer with us today - Thanks '
             DB      'GOODNESS!!       BEWARE OF THE er..VIRUS  : \thi'
             DB      's program is catching      program follows after'
             DB      ' these messeges..... $#@%$@!! '

          The first two lines of this now read:

             DB      'Welcome to the  Dungeon         (c) 1986 ashar &'
             DB      ' ashars (pvt) Ltd   VIRUS_SHOE  RECORD          '

     2.   In two different locations the string:

             DB      '(c) 1986 Brain & Amjads (pvt) Ltd '

          has been changed to:

             DB      '(c) 1986 ashar & ashars (pvt) Ltd '

          The locations are offset 202H and 355H, although the second
          offset becomes 305H in the modified version.

     3.   The string ' (c) Brain $' at offset 4A6H has been removed.

Finally there are minor differences in unreferenced area which appear to be
random rubbish (e.g. the area at the end of the first sector).
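The string differences listed above are exactly the kind of evidence a scanner can use to tell the two versions apart. The following Python script is an added example written for this post; it is not BCVRC code. The copyright strings, the boot-sector text and the offsets 202H, 355H/305H and 4A6H are taken from the report above; the sample disk images and the root directory are constructed in the script so that it runs offline, and the position of the boot-sector text inside sector 0 (BOOT_TEXT_OFFSET) and the assumption that the original Brain label contains the word 'Brain' are mine, not the report's.

```python
"""Signature checks for the Brain boot-sector virus and its 'ashar' variant.

Added example accompanying the BCVRC report; not BCVRC code. Strings and
offsets are the ones the report quotes. Sample images and the root directory
are constructed here so the checks run offline. BOOT_TEXT_OFFSET is an
assumption (the report gives no offset for the boot-sector text).
"""
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR = 512

# Embedded, unreferenced strings quoted in the report (DB lines there).
BRAIN_COPYRIGHT = b"(c) 1986 Brain & Amjads (pvt) Ltd "
ASHAR_COPYRIGHT = b"(c) 1986 ashar & ashars (pvt) Ltd "
BRAIN_LABEL_STRING = b" (c) Brain $"  # at 4A6H in Brain, removed in ashar
BRAIN_BOOT_TEXT = (b"Welcome to the  Dungeon         (c) 1986 D.C.L\x17&"
                   b" Amjads (pvt) Ltd   VIRUS_SHOE  RECORD   v9.0   ")
ASHAR_BOOT_TEXT = (b"Welcome to the  Dungeon         (c) 1986 ashar &"
                   b" ashars (pvt) Ltd   VIRUS_SHOE  RECORD          ")

# Offsets of the copyright string given in the report.
COPYRIGHT_OFFSETS = {"brain": (0x202, 0x355), "ashar": (0x202, 0x305)}
BRAIN_LABEL_OFFSET = 0x4A6
BOOT_TEXT_OFFSET = 0x180  # ASSUMPTION: placement inside sector 0 for the sample

ASHAR_VOLUME_LABEL = b" (c) ashar "  # label written by the ashar routine (11 bytes)


@dataclass
class Verdict:
    family: str                          # "brain", "ashar" or "clean"
    evidence: List[str] = field(default_factory=list)


def classify_image(image: bytes) -> Verdict:
    """Classify a raw dump of the virus body using the string evidence in the report."""
    v = Verdict("clean")
    if b"VIRUS_SHOE" in image:
        v.evidence.append("VIRUS_SHOE boot-sector text present")
    if ASHAR_COPYRIGHT in image:
        v.family = "ashar"
        v.evidence.append("'ashar & ashars' copyright string")
    elif BRAIN_COPYRIGHT in image:
        v.family = "brain"
        v.evidence.append("'Brain & Amjads' copyright string")
    elif v.evidence:
        v.family = "brain"  # marker text without a known copyright string
    if v.family == "clean":
        return v
    # Confirm the copyright string sits at the offsets the report gives.
    n = len(BRAIN_COPYRIGHT)  # both strings are 34 bytes; lengths did not change
    hits = [hex(off) for off in COPYRIGHT_OFFSETS[v.family]
            if image[off:off + n] in (BRAIN_COPYRIGHT, ASHAR_COPYRIGHT)]
    v.evidence.append(f"copyright string at expected offsets: {hits}")
    if image[BRAIN_LABEL_OFFSET:BRAIN_LABEL_OFFSET + len(BRAIN_LABEL_STRING)] == BRAIN_LABEL_STRING:
        v.evidence.append("' (c) Brain $' at 4A6H")
    if b"v9.0" in image:
        v.evidence.append("'v9.0' present in boot text")
    return v


def volume_label(root_dir: bytes) -> Optional[bytes]:
    """Return the 11-byte volume-label entry of a FAT12 root directory, if any."""
    for off in range(0, len(root_dir) - 31, 32):
        entry = root_dir[off:off + 32]
        if entry[0] == 0x00:      # free entry; nothing follows
            break
        if entry[0] == 0xE5:      # deleted entry
            continue
        if entry[11] & 0x08:      # volume-label attribute bit
            return entry[:11]
    return None


def classify_label(label: Optional[bytes]) -> str:
    """Map a volume label to a family; ' (c) ashar ' is the label the report gives."""
    if label == ASHAR_VOLUME_LABEL:
        return "ashar"
    if label is not None and b"Brain" in label:   # ASSUMPTION: Brain's label names Brain
        return "brain"
    return "unknown"


def build_sample(family: str) -> bytes:
    """Construct a 4-sector image laid out as the report describes (sample data)."""
    img = bytearray(4 * SECTOR)
    text = BRAIN_BOOT_TEXT if family == "brain" else ASHAR_BOOT_TEXT
    img[BOOT_TEXT_OFFSET:BOOT_TEXT_OFFSET + len(text)] = text
    copy = BRAIN_COPYRIGHT if family == "brain" else ASHAR_COPYRIGHT
    for off in COPYRIGHT_OFFSETS[family]:
        img[off:off + len(copy)] = copy
    if family == "brain":
        img[BRAIN_LABEL_OFFSET:BRAIN_LABEL_OFFSET + len(BRAIN_LABEL_STRING)] = BRAIN_LABEL_STRING
    return bytes(img)


def build_root_dir(label: bytes) -> bytes:
    """Construct a root directory: one file entry, the label entry, then free entries."""
    file_entry = b"COMMAND COM" + bytes([0x20]) + bytes(20)   # 32-byte entry, archive bit
    label_entry = label.ljust(11) + bytes([0x08]) + bytes(20)  # 32-byte entry, label bit
    return file_entry + label_entry + bytes(32 * 14)


if __name__ == "__main__":
    for fam in ("brain", "ashar"):
        print(fam, classify_image(build_sample(fam)))
    print(classify_label(volume_label(build_root_dir(ASHAR_VOLUME_LABEL))))
```

Two independent checks are deliberately kept: the image check works on a dump of the virus body and distinguishes the versions by which copyright string is present and whether it sits at 202H/355H or 202H/305H, while the label check works on a disk's root directory alone and needs no access to the virus code, which is useful when only the infected floppy is at hand.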

                              Interpretation.

It is fruitless to speculate about whether the 'VIRUS_SHOE' version or the
'telephone number' version is the earlier or original one.  Even a
confession by the author of the virus would now be suspect.  Certainly the
popular story of the origin of this virus has all the hallmarks of a modern
fantasy, and can be discounted as irrelevant.

I shall consider only whether this version is a rewrite of the 'VIRUS_SHOE'
version, or vice versa as suggested by Alan Solomon.

None of the evidence is conclusive, but such indications as there are
clearly suggest that what we have is a new modification.

The changes to the unreferenced strings do not include a change to the
lengths, although one of these is now in a different location.  This
suggests that these changes were made separately to the virus via a disk
editor, before the virus was disassembled to make the other changes.

Initialising the disk sub-system before attempting to read or write is the
more orthodox practice.  A conventional programmer might well wish to
conform to 'standard', but it is difficult to believe that a programmer
would bother to change this to the alternative method.

If a pseudo company name is to be created, implying two brothers (or other
close family tie), the probable result would be 'ashar & ashar'.  The most
feasible explanation for the final 's' is that it was already there, and
therefore easier to leave as 'ashar & ashars'.  This is consistent with
this change having been done before disassembly.

Similarly, the spacing in the 'VIRUS_SHOE' version around the sub-string
'v9.0' is too consistent for it to be a later addition - particularly as
there is no apparent reason for the corresponding gap in the 'ashar'
version.

The rest of the changes are tied together.  The Brain virus is filled with
misdirection concerning the volume label.  The embedded string at offset
4A6H appears to be the label as used.  Changing it will not affect the
virus.  The next thing a close examination might reveal is the encrypted
' (c) ashar ' immediately before the other string.  This is obviously not
the label either.  I have seen a number of otherwise competent programmers
foxed by the actual label routine.  The label is embedded in code which is
executed, but does very little, before it is used as data.  It is my belief
that having been disappointed twice, and having failed to discover the
label, the programmer ripped out everything he (or she) did not understand.
This included the redirection of the read to the boot sector, and the way
that room has been left for the DOS system files in both the FAT and the
directory.

         Joe Hirst
         British  Computer  Virus  Research  Centre
         12 Guildford Street               Brighton
         East Sussex        BN1 3LS         England
         Telephone:    Domestic          0273-26105
                       International  +44-273-26105