Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
Not to be confused with Brainy.
TypeBoot Sector Virus
CreatorBasit Farooq Alvi, Amjad Farooq Alvi
DateJanuary 1986
OriginLahore, Pakistan
Programming LanguageAssembly
File TypeMZ executable (.EXE)
Size3,000 to 7,000 bytes
This box: view  talk  edit

Brain was the first full-stealth virus on MS-DOS. It infects 360KB-, 5.25-inch floppy disks. It is sometimes mistakenly referred to as the first virus. In reality, it was simply among the first to infect removable media.

Brain is one of the only viruses in existence that contains the valid names, phone numbers and addresses of the creators. Basit and Amjad Farooq Alvi, of the Chahmiran neighborhood, in Lahore, Pakistan created the virus to infect machines running pirated copies of a program he sold for physicians.

Brain gets its name from the fact that it changes the name of the disk volume label to "(c) brain". Sometimes the copyright symbol or (c) is added before the word Brain, making the name Brain. The creators likely chose the name because the name of their store was "Brain Computer Services". As this virus came before there was even any pretense at coherent virus naming, it can go by a few other names, but few publications or antivirus companies today use any name other than Brain. The other names can include Pakistani Flu, Lahore, Pakistani, Basit Virus and UIUC.


When an infected disk is booted, the Brain virus will run with it. The virus will hook the INT 13h interrupt, used for writing and reading to the disks. The virus installs itself into the memory and takes up memory in the range of 3-7 kilobytes. It does not infect the hard disk, but infects any other floppy disk accessed while it is in memory. The disks can be infected by being accessed in any way. The virus then stores the original boot sector and six extension sectors containing the main body of the virus in the disk's available sectors, which are then flagged as bad (to not be suspicious). Infected disks will have 3 kilobytes or more of bad sectors, as most usually have none or as many as 5 kilobytes of genuinely bad sectors. It renames the disk's volume label with "(c)brain".

The virus has stealth capabilities, because any time infected sectors are accessed, the accessing program will be redirected to the stored original boot sector. This is a result of the INT 13h hooking. An early disk utility such as PC Tools, Norton Utilities or PC Medic would be unable to see the virus.

Brain carries a message that is never displayed, but can be seen with a binary editor in every infected disk:

Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
PHONE :430791,443248,280530.
Beware of this VIRUS....
Contact us for vaccination............  $#@%$@!!

This virus can be deleted by another virus, Denzuko, another boot malware.


Use MDisk, F-Prot, NAV, or DOS SYS command.

The virus does no intentional damage, although it may slow down disk access and cause timeouts, which can make some disks unusable. The first problems with the virus were not reported until about a year later. In 1987, computer users at the University of Delaware reported seeing the (c)Brain label on their disks. 100 machines were infected at the Providence Journal-Bulletin in 1988. One reporter, Froma Joselow, claimed to have lost several months of work contained on a floppy disk (hard to imagine today, but quite possible, given the size of files in 1988).


Probably because Brain was such an early virus, there were few people interested in creating variants of the virus. Still, a few minor variations of the virus do exist. Most of them are simple changes to the text.


This variant can infect the hard drive.


Brain.C, like B can infect the hard drive, but it does not change the volume label.


Similar to Brain.C, but the messages are removed and replaced with non-printable code that looks like random characters in a binary editor.


This is a subvariant of Clone corrupts the File Allocation Table (FAT) if it is booted after 1992.05.05.


This one is similar to Brain.B in most ways, except the message is modified to say

  Welcome to the Dungeon
  © 1986  Brain & Amjads (pvt) Ltd.
  Dedicated to the dynamic memories
  of millions of virus who are no longer with us today -
  Thanks GOODNESS!!
  BEWARE OF THE er..VIRUS :This program is catching
  program follows after these messeges.....  $#@%$@!!

This variant is also known as Ashar, and some sources say that it may actually be older than the original.


There are some disagreements on this virus. There is a version of the Shoe variant that cannot infect hard disks and one in which the v9.0 has been changed to v9.1


In this variant, the message is truncated in one line.


This variant contains the text "(C) Jork & Amjads (pvt) Ltd".


The copyright date on this virus is 1988 as opposed to 1986. The text through to the addresses and phone numbers of the creators is the same. After the phone numbers, it contains some different text:

  Ver (Singapore) Beware of this "virus". It will transfer to a million of Diskettes... $#@%$@!!