ANTI (computer virus) (original) (raw)
From Wikipedia, the free encyclopedia
Macintosh Virus
ANTI | |
---|---|
Alias | ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant |
Type | Macintosh |
Subtype | Application infector, copy protection |
Classification | Virus |
Isolation date | 1989-02 (ANTI-A), 1990-09 (ANTI-B) |
Origin | France |
Authors | Unknown |
Technical details | |
Platform | System 6 and older running Finder |
Size | 1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B) |
ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.[1][2]
The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.[3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.[1][4][5]
ANTI only infects applications[6] (as opposed to system files), and therefore can only spread when an infected application is run.[7] When such an application calls the OpenResFile function,[8] the virus searches the computer for applications that fulfill all of the following criteria:
- They have CODE (application code segment[9]) resources with resource IDs 0 and 1
- CODE 1 begins with a JSR instruction (generally the Main resource in a given application)[10]
- The application is not already infected with ANTI
- The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes[8]
All matching applications are then infected by appending the virus to the CODE 1 resource[11] and adding a corresponding entry to the application's jump table.[2][8]
There are three strains of ANTI, with the following differences:
- ANTI-A: 1,344 bytes[1] plus 8 byte jump table entry. The first version to be isolated, in France[12] in February 1989.[3][8] Searches for ANTI-B strains and converts them into ANTI-Variant.[13]
- ANTI-B: 1,144 bytes[14] plus 8 byte jump table entry. Discovered in France[15] in September 1990.[3] Despite the later discovery date, it is believed to be the earliest version of the virus.[16] Also known as ANTI-0.
- ANTI-Variant: Discovered in September 1990.[17] The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.[18][19] Also known as ANTI-ANGE.
All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk,[8] and if so, reads the first sector (512 bytes[20]) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S".[8] If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.
Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,[10] which would detect the reorganisation caused by a standard filesystem copy.
During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory,[13] particularly on older Macintoshes with 64 KiB ROMs.[3]
Unlike preceding Macintosh viruses, ANTI can not be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus.[1]
The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later[21]), Interferon, Virus Detective, or Virus Rx,[22] while McAfee recommends Virex.[8] However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state;[5] only restoring from a virus-free backup is completely effective.[11][13]
- Extended Copy Protection, a later controversial copy-protection malware
- ^ a b c d Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, "A Computer Virus Primer", 28 November 1989, p. 36. Computer Science Technical Reports Paper 795
- ^ a b Peter J Denning (editor), Computers Under Attack, ACM Press, 1990, p. 350
- ^ a b c d Bruce Schneier, Protect Your Macintosh, Peachpit Press, 1994, pp. 124-125
- ^ David Harley, Viruses and the Macintosh
- ^ a b Paul Baccas (editor), OS X Exploits and Defense, Syngress Publishing, 2008, p. 83
- ^ Gizzing H. Khanaka & William J. Orvis, Virus Information Update CIAC-2301 Archived 2017-03-02 at the Wayback Machine, Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59
- ^ David Ferbrache, "Known Apple Macintosh Viruses", Virus Bulletin, July 1989, p. 5
- ^ a b c d e f g McAfee, MacOS/ANTI
- ^ Apple Computer, Inc., Inside Macintosh, Volume I, Addison Wesley, 1985, p. 107
- ^ a b List of known Macintosh viruses
- ^ a b John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy, Dvorak's Inside Track to the Mac, Osborne McGraw-Hill, 1992, p. 178
- ^ Virex, Anti-virus software for Macintosh computers User's Guide, p. 87
- ^ a b c About.com Virus Encyclopedia, ANTI
- ^ Virus-Test-Center, University of Hamburg, ANTI B Virus
- ^ Edward Valauskas, Macintosh Workstations, Library Workstation Report, Vol. 7, Issue 9
- ^ TidBITS, ANTI-B, 1 October 1990
- ^ Alan Coopersmith, Virex 3.x Virus Definitions
- ^ Virus-Test-Center, University of Hamburg, ANTI Variant Virus
- ^ Sydney Morning Herald, Sunday, 31 March 1991, p. 45, Fighting the virus
- ^ Apple Computer, Inc., Inside Macintosh, Volume II, Addison Wesley, 1985, p. 211
- ^ TidBITS, 2.3 and Counting, 29 October 1990
- ^ Virus-Test-Center, University of Hamburg, ANTI A Virus
- The Virus Encyclopedia, Anti
- New Macintosh Virus — Thierry DeLettre's announcement on CompuServe (includes some speculations later found to be incorrect)