The great virus scare. (computer viruses)(includes related articles and listing of anti-viral software packages)
by Philip Chien, Robert Bixby
Fearsome creatures lurk within the code of benign software. But what are viruses, and how dangerous are they really?
Virus. The mere mention of the word throws computer users into a panic. But most people don't feel there is anything they can do besides panic and hope that a virus never comes their way.
Viruses can damage software or destroy important files. Any computer user who shares information with other computers should be aware of what viruses are and how to avoid becoming infected. Knowledge--not paranoia--is the most important too, in fighting viruses.
A HAIRY ANIMAL What is a computer virus? A virus is a program that attaches itself to another program. The virus replicates itself and spreads to other programs. As programs are shared, the virus spreads geometrically, infecting more and more computers. At some point, the virus activates and performs its damage. This damage can range from a simple prank to erasure of all of the files on the computer's hard drive. In all cases, viruses are programs that were written by an outlaw--a hacker who specifically sets out to damage other people's computers.
Viruses aren't the only things that can destroy your data. Also, be aware of bugs, time bombs, and Trojan Horses.
Bugs, or simple errors in program code, can be intentional or accidental. A bug can be purposely put into a program as a limitation, or it can be something that the programmer overlooked in the original programming. While a bug could conceivably erase all of the data on your computer, it doesn't spread to other programs like a virus. Usually, bugs simply crash the program that's running and do no further damage.
A time bomb is a routine within a program that "explodes" after a given period. Time bombs can be installed on purpose and often are installed with the user's knowledge. . For example, licensed programs that are only permitted to be used for a particular period might contain a time bomb that makes the program erase itself after a given date or a set number of times the program is used. Like bugs, time bombs are usually limited to the programs where they reside--they don't infect other software. But occasionally, a maliciously created time bomb causes damage that is quite extensive.
A Trojan Horse is a disguised program. To all outward appearances, it's an ordinary program, but the program is actually a cover, with the true damage-causing routines hidden underneath, So, when you run the program, you might think you are trying out a shareware disk optimizer. Only after the Trojan Horse has run will you discover that your hard disk has been scrambled.
Stalking the Beast
Viruses are spread when software is transferred from computer to computer. Shareware and illegal, pirated copies of programs have gotten a bad reputation as vectors for viral infection, but it's possible for a commercial, sealed-in-the-box program to have a virus.
Sealed commercial programs are least likely to have viruses, simply because their distribution is more tightly controlled. A commercial program is generated by its author and duplicated by the publisher or subcontracted to a duplication house. Once duplicated, the program is sealed and distributed. It's possible for the dealer to infect the program accidentally if that copy is used for demonstrations. But commercial publishers, as a rule, are extremely cautious about the integrity of their products, especially since the company's reputation could be destroyed if a virus is distributed with its software--to say nothing of the product liability considerations.
Shareware and pirate programs are duplicated, distributed, and duplicated again--often passing through several levels of users. A virus could find its way into a program at any of these stages. With so many distribution levels, it's difficult to track a virus back to its source.
As a general (although by no means absolute) rule, commercial distributors of shareware programs and major online services check all submitted programs for viruses before permitting users to obtain them.
Conceivably, you could receive a virus each time you get a new program, and it's possible your system could already be infected. You can get a virus from a downloaded program via a modem or from a floppy disk. On the other hand, a data file (text, graphics, database) cannot be infected because those files are only accessed when another program reads their data. (The Macintosh operating system is a rare exception--Mac data files can be infected by viruses due to the way the Mac stores data and resource forks.)
As a general rule, a virus only works on a particular type of computer. A Macintosh virus won't do anything to an MS-DOS machine or vice versa. Since viruses are programs, they have to run on that computer's operating system. However, it's possible for another computer to act as a carrier, permitting viruses to be transferred.
The best method of avoiding viruses is through awareness. Understanding how viruses are spread and being aware of viruses each time you obtain a new program are the best ways to prevent a virus from infecting your system. it's still possible for a virus to slip through, however.
There are many good antivirus utilities--programs that specifically look for viruses and warn you when a virus attempts to infect your computer or to activate. Some antivirus programs will even erase a virus if they find one and attempt to restore your program to its original state. Commercial virus protection software ranges in cost from $19 to over $500.
A typical virus protection program runs from your autoexec.bat file and examines your computer's hard drive each time it's booted. Each time a new program is installed on your computer, the new program is checked to ensure that it's clean. As a general rule, viruses are detected by looking for known viruses and monitoring suspicious activity. Suspicious activity can include programs unexpectedly changing their size, routines monitoring the computer's clock (very often, viruses are set to trigger on a predetermined date), or routines trying to format your hard drive. Any of these can conceivably be part of a legitimate program, and antivirus programs vary in their ability to filter out viruses.
Always Check Your Sources
You should be careful where you obtain an antivirus program. If you obtain a shareware program or a copy of an existing program, you should be certain that it doesn't have its own viruses hidden within. There have been programs distributed as virus detectors that are actually Trojan Horses which install viruses.
The earliest viruses were relatively simple routines, and virus detectors could easily disinfect computers, Unfortunately, as antivirus programs became popular, authors wrote more sophisticated viruses that could hide from detectors. Stealth viruses are viruses that are specifically designed to avoid antivirus programs that search for viruses by known patterns.
The latest tools for virus programmers are utilities that create self-mutating viruses. These viruses change themselves each time they duplicate. While self-mutating viruses are more difficult to detect, a sophisticated virus-detector vaccine system can prevent them from harming your system.
The important thing to realize is that the virus-antivirus war will never end. A brand-new antivirus program will only detect the viruses it's been designed to detect and patterns for similar types of viruses--including ones that haven't been written yet. But as virus writers get their hands on antivirus programs, they'll write new viruses specifically designed to outwit and bypass those programs. Fortunately, most antivirus software publishers offer low-cost updates to their packages, and update routines are often available for free from online services and bulletin boards.
It's quite possible for you to accidentally hide a virus from your own antivirus programs. Compressed files use sophisticated routines to save disk and file space, making them especially efficient for modem transfers. Unfortunately, compressed code is more difficult to examine, and most virus detectors cannot detect viruses within compressed files. Once any files are uncompressed, they should be inspected by an antivirus program before you run them.
While you can use the best antivirus programs to protect your own computer, how can you protect data that you transfer to and from other people's computers? Whenever you give files to another user, you should always format the disk and then copy only the needed files to that disk. If the user returns the disk, you should treat it as if it were infected. Any files received from others should be carefully examined before use.
Viruses are a problem, and it's unlikely that they will disappear any time in the near future. But as with human viruses, there are sensible precautions you should take to prevent yourself from getting infected. In other words--always be sure to practice safe computing.
To Kill a Virus
To identify, isolate, and destroy viruses--and then to repair the damage that they do--requires antivirus writers to think like virus writers. It's interesting to see the steps a software company goes through to create an effective virus killer. At PC Expo in New York, I had the opportunity to speak with Fifth Generation Systems about the procedures it went through to make sure Untouchable was safe, secure, and deadly. The key, said Jerusalem-based developer Yuval Rakavy, was to create an antivirus system that would still be undefeatable if a virus writer had every byte of code in the program.
All antivirus products depend first and foremost upon a scanning program that identifies the signature code of existing viruses. This works very well for non-self-mutating viruses that existed at the time the scanner was written, but most scanners are powerless against new viruses (the National Computer Security Association estimates that six new viruses are written every day) and against the new self-mutating viruses that essentially rewrite themselves each time they replicate. In creating Untouchable, Fifth Generation Systems included a scanner as a first line of defense and provided it with the ability to detect self-mutating viruses. The scanner can even detect viruses within archived files.
Many antivirus programs are shipped with a supplemental TSR that runs continuously, watching for certain activities that are typical of viruses, such as system calls to write to the disk. But because the activities they identify are also common activities of normal programs, TSRs set off many false alarms. TSRs are also very vulnerable because they reside in memory, which is even easier to alter than disk files. So Fifth Generation Systems decided not to create a standard TSR but a supplemental scanner that examines the code in every program run and every floppy disk accessed by the computer.
The third leg of Untouchable is its integrity-checking system. On the hard disk and on a separate floppy disk, Untouchable keeps a checksum of all of your programs. By having Untouchable keep a record of these checksums on a separate bootable floppy, Fifth Generation Systems plans to make it impossible for viruses to escape detection, since all executable file infectors must alter program code in order to replicate themselves. The integrity checker examines the whole system each time it's booted up. Every 14 days, the integrity checker checks all executable files against their checksums online. Then every 21 days, the user is required to boot from the floppy containing the offline database, and the integrity checker will then check for stealth viruses. It will identify changed program files, including updated program files.
Finally, Untouchable uses this cheeksum to repair any damage that may have been caused. "It's as safe as restoring from a backup," says Vicky Gore, senior product marketing manager. If Untouchable cannot repair the damage 100 percent, it will refuse to recover the file.
What's next in virus technology? Viruses can be written that piggyback on other viruses and are set to activate only when the original virus is removed its damage is repaired. Untouchable is designed to cope with this situation.
Are there any existing viruses that piggyback on others? "At this point, that's pretty theoretical, but it's a possibility," Ms. Gore says. "That's part of the game--to be able to think about where virus writers are going and to be able to protect users from them."
The State of the Virus
Here, in brief, is the virus story:
There are two general types of computer viruses: boot sector viruses and executable file infectors. Boot sector viruses occupy part or all of your boot disk's boot sector. They are spread primarily by booting your computer with a floppy in the drive and the drive door closed. If the floppy in the drive is infected, attempting to boot your computer from the infected floppy will infect your hard disk partition table, which will in turn infect any subsequent floppy you insert into the drive.
Much more pernicious and hard to guard against are the executable file infector viruses. These viruses attach themselves to program files (like exe and com files) and spread each time the program is run. Often, these programs also install themselves as TSRs and infect every program that is run.
How Widespread Are Viruses?
According to Robert C. Bales, executive director of the National Computer Security Association (10 South Courthouse Avenue, Carlisle, Pennsylvania 17013; 717-258-1816), a survey showed that among North American corporations with more than 200 PCs (for a total installed base of 618,000 PCs), 63 percent had experienced a virus attack. Nine percent characterized the attack as "a disaster," with disaster defined as "20 or more machines affected and out of service for four hours or more." These companies reported average losses of $7,000.
Know Your Symptoms
How can you know if you are infected? Here are the most common viruses (provided by Fifth Generation Systems).
Stoned. Also known as Donald Duck, Hawaii, Marijuana, New Zealand, Sex Revolution, and Stoned II, the Stoned virus is a boot sector virus. Once the computer is infected, Stoned goes to work relocating and overwriting your boot sector and partition table and writing itself to any floppies that you insert. On startup, your computer will display the message Your PC is now Stoned. More of a nuisance than a danger, Stoned can be hazardous primarily to very small hard disks whose FAT can be partially overwritten by Stoned's program code.
Jerusalem. Also known as Friday the 13th, Jerusalem B, PLO, and Russian, the Jerusalem virus is an executable file infector that increases exe file size by about 1800 bytes. The virus loads itself into memory, where it monitors your computer activity and infects your executable files each time they are run. A frequently run file may eventually grow too large to load. The virus causes divide overflow errors and snaillike system performance (within 30 minutes of infection, your computer's speed will drop to one-tenth its normal speed). If this is your first inkling of a problem, count yourself lucky: If the virus goes undetected and uncorrected, the next time the 13th of a month falls on Friday, you'll find yourself with no executable files on your hard disk and with a collection of damaged overlay files.
Disk Killer. Also known as Ogre and Disk Ogre, the Disk Killer virus is a boot sector infector, but its behavior makes Stoned look benign by comparison. Within 48 hours of infection, Disk Killer begins destroying the information on your hard disk. The only preliminary symptoms are a loss of 3K on floppy disks or 8K on hard disks, and cross-linked files. By the time you see the virus's message, Disk Killer ... Warning! Don't turn off the power or remove the diskette while Disk Killer is processing!, it's too late. Disk Killer has begun to work.
Joshi. Also known as Happy Birthday Joshi, Joshi is a boot sector infector and a stealth virus. Joshi overwrites your floppies' boot sectors and your hard disk's boot sector and partition table with its own code. It's a fairly clever virus in that it knows when you are trying to detect it with a scanner, and it will make things look as if nothing is wrong with your boot sector or partition table hence the name stealth. It writes to your 1.2MB floppies as if they were 360K floppies. The information it writes remain accessible until you remove Joshi. Then that information will be accessible if you change the 1.2MB media descriptor byte to make the disk look like a 360K disk. On January 5, Joshi will display the message type Happy Birthday Joshi! and lock up your computer until you do so.
Cascade. Also known as 1701, 1704, Fall, or Falling Letters, Cascade is one of the more famous executable file infector viruses. It infects com files, increasing their size by about 1700 bytes. It loads itself as a TSR and infects any com files you run. It causes characters to cascade down a VGA or CGA screen.
Dark Avenger. Also known as 1989, Bulgaria, or Sophia, the Dark Avenger executable file infector virus is as scary as its name. It attaches itself to com, exe, and overlay files, adding about 1800 bytes to their size. It loads itself as a TSR and reads its infection almost every time you access your disk. Every sixteenth time Dark Avenger runs, it overwrites, a sector at random (which can cause cross-linking and damage to your FAT). On a large hard disk, the virus can run rampant for some time before it's detected. By then, large areas of your hard disk will be filled with worthless data. Infected files might contain ASCII messages such as Eddie lives ... somewhere in time. Diana P. and This program was written in the city of Sophia (C) 1988 -- 1989 Dark Avenger. Sunday. An executable file infector, Sunday attaches itself to com, exe, and overlay files, increasing their size by about 1500 bytes, Each time you run a program, the program is infected. If the virus encounters a system clock setting of
Sunday, it will display this message: Today is Sunday! Why do you work hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun. The virus then deletes any files you run.
Brain. Also known as Pakistani and Pakistani Brain, Brain is a boot sector infector. It moves and overwrites the boot sector of a floppy disk. When the computer is booted from a floppy, the viral code loads as a TSR and begins infecting executive files as they are run. If the floppy disk has no volume label, Brain will give it the label (C)brain. If you examine the boot sector of the infected floppy from an uninfected machine, you will see this message: Welcome to the Dungeon (C) 1986 Basit & Amjad (pvt) Ltd. Brain Computer Service. 730 Nizam Block Allama lqbal Town Lahore-Pakistan. Phone: 43079,442348,28053. Beware of this virus ... contact us for vaccination. Infected floppies may have cross-linked files and bad areas in the FAT. The two copies of the FAT will be different.
Virus Paranoia
One year ago, the name Michelangelo panicked hundreds of thousands of computer owners. With the fires of hysteria fanned by news broadcasts and eager computer salespeople, thousands of antivirus programs were sold. Michelangelo's trigger date came and went with barely a whimper. A couple of computers turned out to be infected, and a few users found out that they had made lucky investments--successfully eliminating viruses, including Michelangelo, before they activated. But for the most part, users wondered what the commotion was all about.
Most of the media reports described the potential damage by viruses in great detail but overstated the danger, implying that any computer could be infected and damaged by this one particular virus. The few stories that informed users that only certain people might be affected were lost in the flood of sensationalist stories.
The fake virus is an offshoot of virus paranoia. A disgruntled employee might purposely erase his or her computer's drives, claiming that a virus destroyed the system. A careful examination of the computer's remaining contents can often determine whether or not there was actually a virus that affected the computer.
A good backup program is just as important as a virus detector, and using both programs should be a regular habit. However, users aren't as conscious of the potential damages from not backing up their computers. While your hard disk is always at risk from a virus attack, it's also at risk for accidental erasure. If your hard drive was erased by a virus, you should be aware that your backup probably also includes the same virus and must be carefully disinfected with an antivirus program to prevent your data from being erased again.
No matter how good a virus detector you have, you still need a good set of backups.
Making the World Unsafe for Viruses
PC/Assure--$269.00 Centel Federal Systems Information Security Division 11400 Commerce Park Dr. Reston, VA 22091-1506 (800) 843-1132 Requirements: IBM PC or
compatible, 640K RAM Anti-Virus--$129.00 PC Tools--$179.00 Central Point Software 15220 NW Greenbrier Pkwy.,
Ste. 200 Beaverton, OR 97006 (503) 690-8090 Requirements: IBM PC or
compatible, hard drive Virex for the PC--$99.95 Datawatch P.O. Box 51489 Durham, NC 27717 (919) 490-1277 (voice) (919) 419-1602 (BBS) Requirements: IBM PC or
compatible, 512K RAM Vaccine--$129.00 VacWindows--$129.00 The Davidsohn Group 20 Exchange PI., 27th Floor New York, NY 10005 (800) 999-6031 Requirements: IBM PC or
compatible, 256K RAM
(Vaccine), 1MB RAM and
Windows (VacWindows) ViruSafe--$99.00 Executive Systems XTree 4115 Broad St., Ste. B1 San Luis Obispo, CA 93401 (805) 541-0604 Requirements: IBM PC or
compatible, 512K RAM Untouchable--$99.00 Fifth Generation Systems P.O, Box 83560 Baton Rouge, LA 70884-3560 (800) 873-4384 (504) 291-7221 Requirements: IBM PC or compatible,
512K RAM, hard drive WATCHDOG Armor--$445.00 WATCHDOG PC Data
Security--$295.00 Fischer International Systems 4073 Mercantile Ave. Naples, FL 33942 (800) 237-4510 Requirements: IBM PC or
compatible, 128K RAM, hard drive VirusCURE PLUS--$99.95 International Microcomputer
Software (IMSI) 1938 Fourth St. San Rafael, CA 94901 (800) 833-4674 Requirements: IBM PC or
compatible, 256K RAM Virus-Pro--$99.95 International Security Technology 515 Madison Ave., Ste. 3200 New York, NY 10022 (212) 557-0900 Requirements: IBM PC or
compatible, 640K RAM Virus Checker--free on BBSs,
$5.00 from Leithauser Research Virus Stopper--$10.00 shareware registration Leithauser Research 4649 Van Kleeck Dr. New Smyrna Beach, FL 32169 (904) 423-0705 Requirements: IBM PC or
compatible Virus Buster--$129.00 Leprechaun Software International P.O. Box 66903 Marietta, GA 30066-0106 (800) 521-8849 (404) 971-8900 Requirements: IBM PC or
compatible, 256K RAM, hard
disk with 700K free Clean-Up--$35.00
shareware registration Sentry--$25.00
shareware registration Viruscan--$25.00
shareware registration Vshield--$25.00
shareware registration McAfee Associates 3350 Scott Blvd., Bldg. 14 Santa Clara, CA 95054-3107 (408) 988-3832 (voice) (408) 988-4004 (BBS) Requirements: IBM PC or
compatible, 320K RAM Dr. Solomon's Anti-Virus Toolkit--$149.95,
$65.00/year for quarterly upgrades Virus Immunization Program--$195.00/for
monthly upgrades Ontrack Computer Systems, 6321 Bury Dr. Eden Prairie, MN 55346 (800) 752-1333 Requirements; IBM PC or
compatible, 512K RAM ViruCide Plus--$49.00 Parsons Technology 1 Parsons Dr. P.O. Box 100 Hiawatha, IA 52233-0100 (800) 223-6925 Requirements: IBM PC or
compatible, 512K RAM, hard
disk with 240K free Virus Prevention Plus--$124,95 PC Guardian 1133 E. Francisco Blvd., Ste. D San Rafael, CA 94901 (800) 288-8126 Requirements: IBM PC or
compatible, 512K RAM Vi-Spy--$149.95 RG Software Systems 6900 E. Camelback Rd., Ste. 630 Scottsdale, AZ 85251 (602) 423-8000 Requirements: IBM PC or
compatible, 128K RAM The Norton Antivirus--$129.00 Symantec 10201 Torre Ave. Cupertino, CA 95014-2132 (800) 441-7234 Requirements: IBM PC or
compatible, 448K RAM AntiVirusPlus--$99.95 TCP Techmar Computer Products 98-11 Queens Blvd., Ste. 2C Rego Park, NY 11374 (800) 922-0015 (718) 997-6666 (718) 520-0170 (fax) Requirements: IBM PC or
compatible, 256K RAM PC-cillin--$139,00 PC Rx (a software-only version of
PC-cillin)--$69.00 Trend Micro Devices 2421 W. 205th St., Ste. D-100 Torrance, CA 90501 (800) 228-5651 Requirements: IBM PC or
compatible, 9K RAM, one 25-pin
parallel port (for PC-cillin)
The State of the Virus
Here, in brief, is the virus story:
There are two general types of computer viruses: boot sector viruses and executable file infectors. Boot sector viruses occupy part or all of your boot disk's boot sector. They are spread primarily by booting your computer with a floppy in the drive and the drive door closed. If the floppy in the drive is infected, attempting to boot your computer from the infected floppy will infect your hard disk partition table, which will in turn infect any subsequent floppy you insert into the drive.
Much more pernicious and hard to guard against are the executable file infector viruses. These viruses attach themselves to program files (like exe and com files) and spread each time the program is run. Often, these programs also install themselves as TSRs and infect every program that is run.
How Widespread Are Viruses?
According to Robert C. Bales, executive director of the National Computer Security Association (10 South Courthouse Avenue, Carlisle, Pennsylvania 17013; 717-258-1816), a survey showed that among North American corporations with more than 200 PCs (for a total installed base of 618,000 PCs), 63 percent had experienced a virus attack. Nine percent characterized the attack as "a disaster," with disaster defined as "20 or more machines affected and out of service for four hours or more." These companies reported average losses of $7,000.
Know Your Symptoms
How can you know if you are infected? Here are the most common viruses (provided by Fifth Generation Systems).
Stoned. Also known as Donald Duck, Hawaii, Marijuana, New Zealand, Sex Revolution, and Stoned II, the Stoned virus is a boot sector virus. Once the computer is infected, Stoned goes to work relocating and overwriting your boot sector and partition table and writing itself to any floppies that you insert. On startup, your computer will display the message Your PC is now Stoned. More of a nuisance than a danger, Stoned can be hazardous primarily to very small hard disks whose FAT can be partially overwritten by Stoned's program code.
Jerusalem. Also known as Friday the 13th, Jerusalem B, PLO, and Russian, the Jerusalem virus is an executable file infector that increases exe file size by about 1800 bytes. The virus loads itself into memory, where it monitors your computer activity and infects your executable files each time they are run. A frequently run file may eventually grow too large to load. The virus causes divide overflow errors and snaillike system performance (within 30 minutes of infection, your computer's speed will drop to one-tenth its normal speed). If this is your first inkling of a problem, count yourself lucky: If the virus goes undetected and uncorrected, the next time the 13th of a month falls on Friday, you'll find yourself with no executable files on your hard disk and with a collection of damaged overlay files.
Disk Killer. Also known as Ogre and Disk Ogre, the Disk Killer virus is a boot sector infector, but its behavior makes Stoned look benign by comparison. Within 48 hours of infection, Disk Killer begins destroying the information on your hard disk. The only preliminary symptoms are a loss of 3K on floppy disks or 8K on hard disks, and cross-linked files. By the time you see the virus's message, Disk Killer ... Warning! Don't turn off the power or remove the diskette while Disk Killer is processing!, it's too late. Disk Killer has begun to work.
Joshi. Also known as Happy Birthday Joshi, Joshi is a boot sector infector and a stealth virus. Joshi overwrites your floppies' boot sectors and your hard disk's boot sector and partition table with its own code. It's a fairly clever virus in that it knows when you are trying to detect it with a scanner, and it will make things look as if nothing is wrong with your boot sector or partition table hence the name stealth. It writes to your 1.2MB floppies as if they were 360K floppies. The information it writes remain accessible until you remove Joshi. Then that information will be accessible if you change the 1.2MB media descriptor byte to make the disk look like a 360K disk. On January 5, Joshi will display the message type Happy Birthday Joshi! and lock up your computer until you do so.
Cascade. Also known as 1701, 1704, Fall, or Falling Letters, Cascade is one of the more famous executable file infector viruses. It infects com files, increasing their size by about 1700 bytes. It loads itself as a TSR and infects any com files you run. It causes characters to cascade down a VGA or CGA screen.
Dark Avenger. Also known as 1989, Bulgaria, or Sophia, the Dark Avenger executable file infector virus is as scary as its name. It attaches itself to com, exe, and overlay files, adding about 1800 bytes to their size. It loads itself as a TSR and reads its infection almost every time you access your disk. Every sixteenth time Dark Avenger runs, it overwrites, a sector at random (which can cause cross-linking and damage to your FAT). On a large hard disk, the virus can run rampant for some time before it's detected. By then, large areas of your hard disk will be filled with worthless data. Infected files might contain ASCII messages such as Eddie lives ... somewhere in time. Diana P. and This program was written in the city of Sophia (C) 1988 -- 1989 Dark Avenger. Sunday. An executable file infector, Sunday attaches itself to com, exe, and overlay files, increasing their size by about 1500 bytes, Each time you run a program, the program is infected. If the virus encounters a system clock setting of
Sunday, it will display this message: Today is Sunday! Why do you work hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun. The virus then deletes any files you run.
Brain. Also known as Pakistani and Pakistani Brain, Brain is a boot sector infector. It moves and overwrites the boot sector of a floppy disk. When the computer is booted from a floppy, the viral code loads as a TSR and begins infecting executive files as they are run. If the floppy disk has no volume label, Brain will give it the label (C)brain. If you examine the boot sector of the infected floppy from an uninfected machine, you will see this message: Welcome to the Dungeon (C) 1986 Basit & Amjad (pvt) Ltd. Brain Computer Service. 730 Nizam Block Allama lqbal Town Lahore-Pakistan. Phone: 43079,442348,28053. Beware of this virus ... contact us for vaccination. Infected floppies may have cross-linked files and bad areas in the FAT. The two copies of the FAT will be different.