Gentleman Brown

The End column, the Australian Industry Standard
Issue 14, 20 November 2000
by Neale Morison

May I crave your attention for a moment?

I'm mailing everyone in my address book to warn you of a possible problem. I'm afraid you may have a virus. I noticed that my computer was running rather slowly the other day and then some of my applications began to generate errors. Normally I don't run an antivirus program, because they can slow your machine down and generate errors. However when I ran a checker it instantly detected a virus - Gentleman Brown, alias DesperateAnarchist-4287.

The antivirus program was unable to remove the infection, and some of its attempts further disabled my machine. Fortunately I was able to use the Internet at work for further research. Of course before doing so I obtained the full permission of my employer.

It seems Gentleman Brown was detected in the laboratory over a year ago, and was immediately recognised as the most depraved virus ever created. At that time it was thought not to have entered "the wild".

Brown is a memory-resident polymorphic virus, changing signature as it replicates to defeat detection. Ever more sordid and repulsive variants constantly appear.

Gentleman Brown may arrive in a deceitful HTML e-mail containing embedded script that executes without prompting unless Internet Explorer 5 security settings are set high. It abuses a known Internet Explorer 5 exploit to write code in the Windows startup directory that executes on system start. With villainous guile the e-mail persuades you to execute an attached file, allowing it to penetrate systems using other browsers and e-mail clients.

Once permitted entry, Brown abandons any pretence of honour. It changes registry entries to take ownership of the mail client. It sends a message to every entry in the Outlook address book, deleting the message after submission to conceal its machinations.

It replicates itself on Windows 32-bit systems with sinister subterfuge, infecting executables, library files and screen savers. Among its helpless conquests is the Windows KERNEL32.DLL system library, allowing it to take full control of the Windows session, including all input and output operations. After seizing the boot sector, Gentleman Brown is virtually ineradicable. The virus insidiously infiltrates the memory of hardware devices such as sound and video cards, and in certain cases can infect their boot routines.

A satanically cunning back door server is set up providing remote reboot and read/write access to the file system and configuration. Gentleman Brown drifts stealthily through the backwaters of any connected network searching for unsuspecting victims.

Gentleman Brown activates on the 3rd of December, contemptuously overwriting data in random files on all available drives with downloaded texts including Heart of Darkness, Nostromo, Lord Jim and The Secret Agent. On any deletion attempt Gentleman Brown takes bitter revenge by erasing the CMOS memory, rendering the system unbootable, and obliterating the flash BIOS, effectively destroying your machine.

Thereafter the system deteriorates appallingly. The display writhes with malicious exultation. Movements of the mouse are accompanied by gasps of maniacal laughter. At random intervals an ebook reader appears displaying one of the texts. You must page through the entire book to close the reader. When all the texts have been read, the virus gives a phlegmy, gloating shriek and dies.

Damage is projected at 20 billion dollars worldwide. Gentleman Brown has been attributed to The Horror, a breakaway militant extremist arm of the Joseph Conrad Society.

Fortunately there is good news. I was able to track down a program that completely removes Gentleman Brown. Just run the attachment to vet your machine and clean it if necessary. I understand your caution, but I have checked it thoroughly.

I greatly appreciate your assistance in helping to repair the damage. Would it be possible to forward this note and the attachment to everyone in your address book? There is a good chance they may already be infected.

If you don't remember my name, it may be because at some time I have received a forwarded e-mail originating from you, or perhaps we have a mutual acquaintance who sends amusing items to a list that includes us both. I have a regrettable habit of adding all the addresses I receive to my address book.

Please forgive me for the lack of a proper introduction, and for any inconvenience. But I think we're rather alike. I know I can trust you to do the right thing. And honestly, do I sound like a virus?