Examples of Common Destructive Computer Viruses
Dave Carlson - January 12, 1990

Information about specific viruses is from the Computer Virus Association (Computerworld, 13 February 1989, page 93).

NOTE: The Cornell Virus is not listed here. Even though it caused many problems, it was not categorized as a destructive virus.

ALAMEDA VIRUS

Origin: Merritt College, Oakland, CA, spring 1988

Host: IBM PCs and Compatibles

Class: Boot Infector

Description:
• Replaces original boot sector with itself
• Stores original boot sector on first free sector
• Infects through software reboot sequence
• Does not flag original boot sector as unusable

How Spread:
• Booting from a disk of unknown origin
• Inserting a clean boot disk into an infected system

Symptoms:
• Slow boot sequence
• System crashes
• Lost data

Potential Damage: Loss of data on disk

Precautions:
• Boot only from one write-protected floppy
• Do not boot hard-disk systems from a floppy
• Do not insert bootable disks into another system

Recovery:
• Power down the system
• Boot from a write-protected original master disk
• Execute the DOS SYS command to replace boot sectors on disks

NOTE: Does not protect the original boot sector after infection. By accident, the original instructions may be overwritten, and boot failure then occurs.


ISRAELI VIRUS

Origin: Hebrew University, Jerusalem, December 1987

Host: IBM PCs and Compatibles

Class: Generic Application Infector

Description:
• Infects any .COM or .EXE program
• Increases program’s size by about 1.8K bytes
• Infected programs are modified to become memory-resident
• Programs are infected when executed in infected systems
• Floppy or hard disks can become infected

How Spread:
• Transfer of infected programs to floppies
• Inserting floppies into infected computers

Symptoms:
• General slowdown of the system
• Programs disappear on Friday the 13th
• .EXE files continue to get larger until too large to execute
• Available system memory decreases

Potential Damage:
• Some versions destroy all data on the hard disk
• Stored programs will disappear

Precautions:
• Do not execute programs from unknown sources
• Do not exchange disks containing executable code
• Monitor memory allocation and program file size

Recovery:
• Power down the system
• Boot from a write-protected original boot disk
• Delete all executable programs on affected disks
• Replace programs using original distribution disks

NOTE: A bug in the original virus caused .EXE files to become infected over and over, which made the .EXE file sizes increase until the programs could no longer fit into memory. This problem has been removed in later versions by unknown hackers.


LEHIGH VIRUS

Origin: Lehigh University, Bethlehem, PA, fall 1987

Host: IBM PCs and Compatibles

Class: System Infector

Description:
• Infects COMMAND.COM file
• Changes file size by approximately 20 bytes
• Changes creation date and time
• Activates after four infections
• Destroys all system data

How Spread:
• Sharing infected disks
• Inserting a clean disk into an infected system

Symptoms:
• Change in size of COMMAND.COM file
• Loss of all system data

Potential Damage: Loss of all data stored on hard disk

Precautions:
• Do not transfer application programs on a system disk
• Do not insert any system disk into another computer
• Monitor COMMAND.COM file for date/size changes

Recovery:
• Power down the system
• Reboot from original write-protected system master disk
• Delete COMMAND.COM from hard disk and all infected floppies
• Restore COMMAND.COM from original master disk

NOTE: Because of the very short activation period (four infections), the chances of detection before data destruction are slim.
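
The file-monitoring precautions listed for the Israeli and Lehigh viruses (watch program file size; watch COMMAND.COM for date/size changes) can be sketched as a baseline-and-compare check. This is an added example in modern Python, not part of the original article; the file names are stand-ins created in a temporary directory, the modification time stands in for the file's date and time, and the SHA-256 content hash is an extra check the article does not mention.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record size, mtime and SHA-256 for each file (the known-clean baseline)."""
    base = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        base[p] = {"size": st.st_size, "mtime": st.st_mtime_ns, "sha256": digest}
    return base

def compare(baseline, paths):
    """Return {path: [findings]} for every file that differs from the baseline."""
    current = snapshot([p for p in paths if os.path.exists(p)])
    report = {}
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            report[p] = ["missing"]
            continue
        findings = []
        delta = new["size"] - old["size"]
        if delta:
            findings.append(f"size {delta:+d} bytes")
        if new["mtime"] != old["mtime"]:
            findings.append("timestamp changed")
        if new["sha256"] != old["sha256"]:
            findings.append("content changed")
        if findings:
            report[p] = findings
    return report

def demo():
    """Constructed sample: two stand-in files, one grown by 20 bytes, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        shell = os.path.join(d, "COMMAND.COM")
        app = os.path.join(d, "APP.EXE")
        for path in (shell, app):
            with open(path, "wb") as f:
                f.write(b"\x90" * 1024)  # placeholder bytes, not a real program
        baseline = snapshot([shell, app])
        with open(shell, "ab") as f:
            f.write(b"\x00" * 20)       # simulate the ~20-byte size change
        os.utime(shell, ns=(1, 1))      # force a timestamp difference
        os.remove(app)                  # simulate a program that has disappeared
        found = compare(baseline, [shell, app])
        return {os.path.basename(p): v for p, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is taken from the original write-protected master disks and stored somewhere the monitored system cannot write to.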


nVIR VIRUS

Origin: Hamburg, West Germany, summer 1987

Host: Macintosh

Class: Generic Application Infector

Description: Appears in many varieties, each with individual activation characteristics. Publication of the source code for this virus is primarily responsible for the wide variations. However, the infection techniques are similar.
• Places nVIR resource in system file; code resource in application
• Once the system is infected, every application executed is also infected

How Spread:
• Sharing of disks
• Inserting clean disk into infected system
• Executing an infected program

Symptoms: Vary greatly, because of the large number of varieties. Some common symptoms are:
• System crashes
• A “beep” when an application is opened
• With Macintalk installed, the message “Don’t Panic” is heard
• Files disappear

Potential Damage:
• Loss of data and programs
• Frequent system crashes

Precautions:
• Do not share disks with others
• Quarantine infected systems

Recovery:
• Backup data files
• Erase infected disks
• Restore programs from original write-protected master copies

NOTE: Particularly virulent and can infect all programs within an infected system in a matter of minutes.


PAKISTANI BRAIN VIRUS

Origin: Lahore, Pakistan, January 1986 (Developed by two brothers as an experiment.)

Host: IBM PCs and Compatibles

Class: Boot Sector Infector

Description:
• Replaces original boot sector with itself
• Moves original boot sector to another location
• Adds seven sectors that contain remainder of virus
• Flags all modified sectors as unusable to protect itself
• Replicates onto all inserted bootable floppies

How Spread:
• Booting from unknown or shared disks
• Infects through any access to an inserted disk, such as listing directories, executing programs, or rebooting.

Symptoms:
• Copyright @BRAIN label displayed on infected disk
• Reboot sequences slowed down
• Excessive floppy disk activity for simple tasks
• Program crashes for some versions of DOS
• Interrupt vectors modified

Potential Damage:
• System crash can cause loss of data
• Spreads quickly to all bootable disks

Precautions:
• Do not boot from unknown floppies
• Boot only from the hard disk, if one exists
• Write-protect all boot disks

Recovery:
• Shut down infected systems
• Reboot from a clean, write-protected original boot disk
• List directories of all disks and look for @BRAIN label
• If @BRAIN label found, destroy the disk, or:
   o Run DOS SYS command to rewrite boot sector
   o Recreate volume serial label using any available utility
   (Will still leave seven bad sectors with dead virus.)

NOTE: Will live through software reboot.


SCORES VIRUS

Origin: Electronic Data Systems, Dallas, fall 1987

Host: Macintosh

Class: Generic Application Infector

Description:
• Infects any application
• Increases application size by 7K bytes
• Seeks out new host at 3.5 minute intervals
• Creates invisible SCORES and Desktop files
• Looks for existence of specific file names for destruction

How Spread:
• Exchanging infected disks
• Inserting a clean disk into an infected system

Symptoms:
• Slowdown of system
• Problems with printing
• System crashes
• File size increases
• Notepad and Scrapbook icon modifications

Potential Damage: Lost data due to system crashes

Precautions:
• Do not exchange disks with others
• Do not insert disks containing programs into other systems
• Do not execute programs from unknown sources

Recovery:
• Back up all data files
• Erase the infected disk and all affected disks
• Restore system files and applications from masters
• Restore data files

NOTE: Changes the small Mac icons for Notepad and Scrapbook into generic dog-eared page icons.

 





Copyright © 2016, DynoTech Software, All Rights Reserved.