CCEYEOYT@NUSVM.BITNET (Y T Yeo) (06/16/89)
Hello! I'm new to this list. I wonder if any of you could send me info on (c)Brain, Ping-pong virus and a virus which adds 1701 bytes to .com files (call 1701 virus?). Info such as how diskettes/harddisk get infected, what these viruses do and the procedures/vaccines to remove the viruses would be of great help to me. You can send the info direct to me at CCEYEOYT@NUSVM.BITNET. Thanks in advance for all your help. Y T Yeo
rtc@bally.Bally.COM (Reynolds Cafferata) (06/21/89)
(C)Brain infected many disks at the George Washington University. It is a product of some guy in Pakistan. The only saving grace to this virus is that it changes the volume name, as you must have noticed when it infects a disk. The virus replaces command.com with a new version that is stored in some bad sectors on the disk. The new command.com has two nasty functions. First, whenever the disk is accessed, it checks to see if the disk being accessed is infected. If it isn't, then it infects that disk. Second, it will periodically add more bad sectors to disks. The virus can only be loaded by booting the computer with an infected disk. It becomes a big problem in environments where people sit down and use already booted machines. A printer pc was the main distributor of the virus at GWU. The version we faced did not seem to affect hard disks. The simplest cure we found was to boot a system with a disk that we were positive was not infected, and then read the first sector off of that disk with a block & track editor. Finally, write the good 1st sector onto the infected disk. Be sure to write a booting sector to boot disks and non-booting to non-booting disks. As for the bad sectors containing the command.com substitute, they are harmless without the companion boot sector and are best just left alone. This virus cost many of my friends a lot of data--we would love to meet the guy who wrote it in some dark alley. In any event, I hope this posting is helpful. Reynolds Cafferata
CHESS@YKTVMV.BITNET (David M. Chess) (06/28/89)
> The virus replaces command.com with a new version that
> is stored in some bad sectors on the disk.

Hm. The "Brain" virus that I've seen changes the boot sectors of floppy disks, not COMMAND.COM. Are you sure about that? DC
dinda@cat51.cs.wisc.edu (Peter Dinda) (07/03/89)
(c)Brain also seems to randomly mark sectors bad - whether there is anything in them or not. At UW-Madison's Academic Computing Center (MACC), we've also noticed that a new version of the virus is making its way into our labs - one that does not leave the (c)Brain warning and thus, can not be detected by our NOBRAIN program. Has anyone seen a detector that works by finding 'unique' code in the boot record? Peter A. Dinda (also dinda@WIRCS3.macc.wisc.edu)
ugcantie@cs.Buffalo.EDU (Bruce Cantie) (07/03/89)
We have had the same (c) Brain running around UB for some time now, but have managed to kill it off. We have the source code (written in C) for NOBRAIN, which will remove the bad sectors, and volume. We had picked up the cure from another University, and put it in all of our micro sites. Bruce Cantie --- ugcantie@sybil.cc.buffalo.edu
MIROWSKI@FRECP12.BITNET (07/05/89)
Responding to a "Request for info on viruses (PC)", Reynolds Cafferata says "be sure to write a booting sector to boot disks and non-booting to non-booting disks". There is no need to care about this because all boot sectors are identical for a given DOS version. FORMAT A:/S and FORMAT A: produce the same boot sector. So you can write the same boot sector to all disks. You should only verify that what you write to the disk is really a DOS sector and not a sector produced by PCFormat or other software. Depending on whether you ask for a booting or a non-booting disk, PCFormat will copy the DOS boot sector or a sector of its own (that only displays a message without trying to search for DOS files further on the disk) when you format one. It's rarely necessary to care about the distinction between 360 Ko and 1.2 Mo disks, because the information about the format is in the second sector of the disk (the first FAT sector) and DOS will take this second information into consideration. You will probably prefer to copy a 360 Ko boot sector to a 360 Ko disk and a 1.2 Mo boot sector to a 1.2 disk. The manipulation is very simple. You need only DEBUG:

You start DEBUG

    C:\> DEBUG

You put a non-infected, FORMAT formatted disk in A:, close the door and type

    -l 0 0 0 1

You replace it by the disk you want to disinfect and type

    -w 0 0 0 1

That's all! You can repeat the last line for all the disks you need. When you replace the boot sector on a booting disk, you should do it with a boot sector from the same DOS version. On a DOS disk you can also replace the boot sector doing SYS on it. It doesn't work on non-bootable disks. Adam MIROWSKI
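Added example, not part of the original thread: a check of the kind the post above asks for before writing a boot sector (is it a DOS sector for this disk format?), done by comparing a suspect sector against a known-clean reference rather than looking for the (c)Brain label. It assumes raw disk images as files and a DOS 3.x-style boot sector layout; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHH"   # BPB fields at offset 11, DOS 3.x-style layout (assumed)
BPB_KEYS = ("bytes_per_sector", "sectors_per_cluster", "reserved", "fats",
            "root_entries", "total_sectors", "media", "sectors_per_fat",
            "sectors_per_track", "heads")

def read_boot_sector(image_path):
    """Read the first sector of a raw floppy image file."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR)

def parse_bpb(sector):
    return dict(zip(BPB_KEYS, struct.unpack_from(BPB_FMT, sector, 11)))

def check_boot_sector(suspect, reference):
    """Compare a suspect boot sector with a known-clean one; [] means it matches."""
    if len(suspect) != SECTOR or len(reference) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if suspect[510:512] != b"\x55\xaa":
        findings.append("missing 55 AA boot signature")
    if suspect[0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP opcode")
    s, r = parse_bpb(suspect), parse_bpb(reference)
    if (s["media"], s["total_sectors"]) != (r["media"], r["total_sectors"]):
        findings.append("disk format differs from reference")
    # Bytes 3..29 hold the OEM name and BPB and may legitimately vary; the rest
    # is boot code, which the post above says is identical per DOS version.
    diff = [i for i in range(SECTOR) if not 3 <= i < 30 and suspect[i] != reference[i]]
    if diff:
        findings.append(f"{len(diff)} code bytes differ, first at 0x{diff[0]:03x}")
    return findings

def make_sample(fill, media=0xFD, total=720):
    """Constructed sample sector (filler bytes, not real DOS boot code)."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = b"\xeb\x34\x90", b"IBM  3.3"
    struct.pack_into(BPB_FMT, s, 11, 512, 2, 1, 2, 112, total, media, 2, 9, 2)
    s[0x36:510] = bytes([fill]) * (510 - 0x36)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    clean = make_sample(0x90)                      # 360K reference
    print(check_boot_sector(clean, clean))
    print(check_boot_sector(make_sample(0xCC), clean))
    print(check_boot_sector(make_sample(0x90, media=0xF9, total=2400), clean))
```

In practice the reference would come from `read_boot_sector()` on an image of a freshly FORMATted disk of the same DOS version.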
gwang@apple.com (George Wang) (07/21/89)
In article <0003.y8907031857.AA11952@ge.sei.cmu.edu> you write:
> We have had the same (c) Brain running around UB for some time now,
> but have managed to kill it off. We have the source code (written in C) for
> NOBRAIN, which will remove the bad sectors, and volume. We had picked up
> the cure from another University, and put it in all of our micro sites.

Can you email me the source code to NOBRAIN? I would like to install it on the school's University computers... We've been having trouble with the Brain Virus and would like to stop it.... Thanks George

George Wang
VLSI Software Engineer
National Semiconductor
Gwang@berlioz.nsc.com
(408) 721-4365 Voice