Suvarna Garge (Editor)

ANTI (computer virus)

Common name: ANTI
Type: Macintosh
Classification: Virus
Aliases: ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant
Subtype: Application infector, copy protection
Isolation: 1989-02 (ANTI-A), 1990-10 (ANTI-B)

ANTI is an obsolete computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It is particularly notable for being the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.

The virus carries no effective payload, and thus can exist and spread indefinitely without being noticed until an antivirus application is run. Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.

Mode of operation

When an application infected with ANTI calls the OpenResFile function, the virus searches the computer for applications that fulfill all three of the following criteria:

  1. They have CODE (application code segment) resources with resource IDs 0 and 1
  2. CODE 1 begins with a JSR instruction (generally the Main resource in a given application)
  3. The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes

All matching applications not already infected with ANTI are then infected by appending the virus to the CODE 1 resource and adding a corresponding entry to the application's jump table.
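The three host criteria above, evaluated against a real resource-fork layout, as an added example that is not part of the original article: it parses the classic Mac resource map, checks the CODE 0/1, JSR and 32,768-byte conditions for both strain sizes, and reports CODE 1's attribute byte, which the side-effects section says ANTI clears. Assumptions: CODE segments carry a 4-byte jump-table header before their first instruction (so the JSR test looks at offset 4), and the fork builder exists only to construct sample input.

```python
import struct

JSR_MASK, JSR_OPCODE = 0xFFC0, 0x4E80     # 68000 JSR encodes as 0100 1110 10 <ea>
CODE_HEADER = 4          # assumed: CODE segments start with a 4-byte jump-table header
STRAIN_SIZES = {"ANTI-A": 1348, "ANTI-B": 1144}   # bytes appended to CODE 1 (from the article)
SEGMENT_LIMIT = 32768    # CODE 1 plus virus must fit in this many bytes

def parse_resource_fork(fork: bytes) -> dict:
    """Parse a classic Mac resource fork into {(type, id): (attributes, data)}."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]   # type list
    resources = {}
    for i in range(struct.unpack(">h", fork[tl:tl + 2])[0] + 1):
        rtype, nres, ref_off = struct.unpack(">4shH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(nres + 1):
            ref = tl + ref_off + 12 * j
            rid, _name, attrs = struct.unpack(">hhB", fork[ref:ref + 5])
            start = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            length = struct.unpack(">I", fork[start:start + 4])[0]
            resources[(rtype.decode("mac_roman"), rid)] = (attrs, fork[start + 4:start + 4 + length])
    return resources

def build_resource_fork(entries: list) -> bytes:
    """Assemble a minimal resource fork from [(type, id, attributes, data)] (constructed sample input)."""
    blob, refs = b"", []
    for rtype, rid, attrs, payload in entries:
        refs.append((rtype, rid, attrs, len(blob)))
        blob += struct.pack(">I", len(payload)) + payload
    types = sorted({r[0] for r in refs})
    type_list, ref_list = struct.pack(">h", len(types) - 1), b""
    for t in types:
        mine = [r for r in refs if r[0] == t]
        type_list += struct.pack(">4shH", t.encode("mac_roman"), len(mine) - 1, 2 + 8 * len(types) + len(ref_list))
        for _, rid, attrs, off in mine:
            ref_list += struct.pack(">hhB", rid, -1, attrs) + off.to_bytes(3, "big") + bytes(4)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_list)) + type_list + ref_list
    header = struct.pack(">IIII", 256, 256 + len(blob), len(blob), len(rmap))
    return header + bytes(240) + blob + rmap

def anti_host_check(fork: bytes) -> dict:
    """Evaluate the three host criteria the article lists, plus CODE 1's attribute byte."""
    res = parse_resource_fork(fork)
    attrs, code1 = res.get(("CODE", 1), (None, b""))
    first = struct.unpack(">H", code1[CODE_HEADER:CODE_HEADER + 2])[0] if len(code1) >= CODE_HEADER + 2 else 0
    return {
        "has_code_0_and_1": ("CODE", 0) in res and ("CODE", 1) in res,
        "code1_starts_with_jsr": (first & JSR_MASK) == JSR_OPCODE,
        "room_for_strain": {s: bool(code1) and len(code1) + n <= SEGMENT_LIMIT for s, n in STRAIN_SIZES.items()},
        "code1_attributes": attrs,   # ANTI clears these during infection (see side effects)
    }
```

A clean copy of the same application gives a baseline for the attribute byte, which is why restoring from backup is the only complete remedy.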

Variants

There are three strains of ANTI, with the following differences:

  • ANTI-A: 1,348 bytes plus an 8-byte jump table entry. The first version to be isolated, in France in February 1989. Searches for ANTI-B strains and converts them into ANTI-Variant.
  • ANTI-B: 1,144 bytes plus an 8-byte jump table entry. Discovered in France in October 1990. Despite the later discovery date, it is believed to be the earliest version of the virus. Also known as ANTI-0.
  • ANTI-Variant: 1,348 bytes plus an 8-byte jump table entry. Discovered in September 1990. The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run. Also known as ANTI-ANGE.

Payload

All strains carry a payload related to floppy disk access, but this has no effect in practice. When an infected application calls the MountVol function, the virus reads the first sector of track 16 (i.e. absolute sector 192) of the disk. This read fails unless the disk is actually a floppy disk. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S". If the text matches, the virus executes the contents of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.

Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme, which would detect the reorganisation caused by a standard filesystem copy.

Side effects

During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory.

Mitigation

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant, Interferon, Virus Detective, or VirusRx, while McAfee recommends Virex. However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; only restoring from a virus-free backup is completely effective.

References

ANTI (computer virus) Wikipedia