%%File: VIRS0193.TXT
%%Name/Aliases: Brasil Virus, Brazil
%%Platform: PC/MS-DOS
%%Type: Boot sector., 
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Memory resident; TSR., Encrypted
%%Damage: Corrupts hard disk partition table, Corrupts floppy disk boot 
sector, Overwrites sectors on the Hard Disk., Overwrites part of the 
directory.
%%Size: Overlays boot sector, no increase, Overlays part of the 
directory
%%See Also: 
%%Notes: The virus occupies three sectors of a disk. The first sector 
used is the boot sector  in diskettes, or the master boot sector in hard 
disks.
The first sector contains the initial activation code.
The second sector contains the virus code that becomes memory resident, 
and that is responsible for propagating the virus. 
In the third sector the virus stores the original boot sector.

In hard disks the virus uses sectors1, 2 and 3 of cylinder zero, head 
zero.
To eliminate this virus, sector 3 (the original master boot) should to 
be copied back into sector 1.

 In 360k diskettes the virus uses DOS sectors 0, 10 and 11 (this means 
sector 1, cyl. 0, track 0 (boot), sec 2 cyl 0 tr. 1 (sector 10 and sect 
3 cyl 0 tr. 1 (sector 11)). Sectors 10 and 11 are the end sectors of the 
root directory, and the virus may overwrite directory  information 
during the infection process. 
To eliminate the virus sector 11 into should be copied back into sector 
0.

The virus handles correctly other diskette types (720k, 1.2M and1.44M), 
hiding his three sector always in the boot sector and in the last two 
directory sectors.

The virus triggers by decrementing a counter once for every hour of 
operation.  After 120 hours of effective use, the virus writes his 
message ("Brasil virus!"), writes random data in the first 50 cylinders 
of the hard disk and the "freezes" the computer. 

F-Prot 2.09D detects it. Scan 106 detects a non-standard boot sector. 
Virhunt 4.0B does not detect it.