Table of Contents Categories
  Encyclosphere.org ENCYCLOREADER
  supported by EncyclosphereKSF

ANTI (computer virus)

Topic: Software

 From HandWiki - Reading time: 4 min
Common nameANTI
AliasesANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant
ClassificationVirus
TypeMacintosh
SubtypeApplication infector, copy protection
Isolation1989-02 (ANTI-A), 1990-09 (ANTI-B)
Point of originFrance
Author(s)Unknown
Operating system(s) affectedSystem 6 and older running Finder
Filesize1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B)

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.[1][2]

The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.[3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.[1][4][5]

Mode of operation

ANTI only infects applications[6] (as opposed to system files), and therefore can only spread when an infected application is run.[7] When such an application calls the OpenResFile function,[8] the virus searches the computer for applications that fulfill all of the following criteria:

  1. They have CODE (application code segment[9]) resources with resource IDs 0 and 1
  2. CODE 1 begins with a JSR instruction (generally the Main resource in a given application)[10]
  3. The application is not already infected with ANTI
  4. The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes[8]

All matching applications are then infected by appending the virus to the CODE 1 resource[11] and adding a corresponding entry to the application's jump table.[2][8]

Variants

There are three strains of ANTI, with the following differences:

  • ANTI-A: 1,344 bytes[1] plus 8 byte jump table entry. The first version to be isolated, in France[12] in February 1989.[3][8] Searches for ANTI-B strains and converts them into ANTI-Variant.[13]
  • ANTI-B: 1,144 bytes[14] plus 8 byte jump table entry. Discovered in France[15] in September 1990.[3] Despite the later discovery date, it is believed to be the earliest version of the virus.[16] Also known as ANTI-0.
  • ANTI-Variant: Discovered in September 1990.[17] The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.[18][19] Also known as ANTI-ANGE.

Payload

All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk,[8] and if so, reads the first sector (512 bytes[20]) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S".[8] If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.

Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,[10] which would detect the reorganisation caused by a standard filesystem copy.

Side Effects

During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory,[13] particularly on older Macintoshes with 64 KiB ROMs.[3]

Mitigation

Unlike preceding Macintosh viruses, ANTI can not be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus.[1]

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later[21]), Interferon, Virus Detective, or Virus Rx,[22] while McAfee recommends Virex.[8] However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state;[5] only restoring from a virus-free backup is completely effective.[11][13]

See also

References

  1. 1.0 1.1 1.2 1.3 Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, "A Computer Virus Primer", 28 November 1989, p. 36. Computer Science Technical Reports Paper 795
  2. 2.0 2.1 Peter J Denning (editor), Computers Under Attack, ACM Press, 1990, p. 350
  3. 3.0 3.1 3.2 3.3 Bruce Schneier, Protect Your Macintosh, Peachpit Press, 1994, pp. 124-125
  4. David Harley, Viruses and the Macintosh
  5. 5.0 5.1 Paul Baccas (editor), OS X Exploits and Defense, Syngress Publishing, 2008, p. 83
  6. Gizzing H. Khanaka & William J. Orvis, Virus Information Update CIAC-2301 , Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59
  7. David Ferbrache, "Known Apple Macintosh Viruses", Virus Bulletin, July 1989, p. 5
  8. 8.0 8.1 8.2 8.3 8.4 8.5 8.6 McAfee, MacOS/ANTI
  9. Apple Computer, Inc., Inside Macintosh, Volume I, Addison Wesley, 1985, p. 107
  10. 10.0 10.1 List of known Macintosh viruses
  11. 11.0 11.1 John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy, Dvorak's Inside Track to the Mac, Osborne McGraw-Hill, 1992, p. 178
  12. Virex, Anti-virus software for Macintosh computers User's Guide, p. 87
  13. 13.0 13.1 13.2 About.com Virus Encyclopedia, ANTI
  14. Virus-Test-Center, University of Hamburg, ANTI B Virus
  15. Edward Valauskas, Macintosh Workstations, Library Workstation Report, Vol. 7, Issue 9
  16. TidBITS, ANTI-B, 1 October 1990
  17. Alan Coopersmith, Virex 3.x Virus Definitions
  18. Virus-Test-Center, University of Hamburg, ANTI Variant Virus
  19. Sydney Morning Herald, Sunday, 31 March 1991, p. 45, Fighting the virus
  20. Apple Computer, Inc., Inside Macintosh, Volume II, Addison Wesley, 1985, p. 211
  21. TidBITS, 2.3 and Counting, 29 October 1990
  22. Virus-Test-Center, University of Hamburg, ANTI A Virus

External links

  • The Virus Encyclopedia, Anti
  • New Macintosh Virus — Thierry DeLettre's announcement on CompuServe (includes some speculations later found to be incorrect)



Retrieved from "https://handwiki.org/wiki/index.php?title=Software:ANTI_(computer_virus)&oldid=359658"
Licensed under CC BY-SA 3.0 | Source: https://handwiki.org/wiki/Software:ANTI_(computer_virus)
20 views | Status: cached on July 24 2024 23:41:25
↧ Download this article as ZWI file
Encyclosphere.org EncycloReader is supported by the EncyclosphereKSF