
ANTI (computer virus)

From Wikipedia, the free encyclopedia
ANTI
Alias: ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant
Type: Macintosh
Subtype: Application infector, copy protection
Classification: Virus
Isolation date: 1989-02 (ANTI-A), 1990-09 (ANTI-B)
Origin: France
Authors: Unknown
Technical details
Platform: System 6 and older running Finder
Size: 1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B)

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.[1][2]

The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.[3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.[1][4][5]

Mode of operation


ANTI only infects applications[6] (as opposed to system files), and therefore can only spread when an infected application is run.[7] When such an application calls the OpenResFile function,[8] the virus searches the computer for applications that fulfill all of the following criteria:

  1. They have CODE (application code segment[9]) resources with resource IDs 0 and 1
  2. CODE 1 begins with a JSR instruction (generally the Main resource in a given application)[10]
  3. The application is not already infected with ANTI
  4. The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes[8]

All matching applications are then infected by appending the virus to the CODE 1 resource[11] and adding a corresponding entry to the application's jump table.[2][8]

Variants


There are three strains of ANTI, with the following differences:

  • ANTI-A: 1,344 bytes[1] plus 8 byte jump table entry. The first version to be isolated, in France[12] in February 1989.[3][8] Searches for ANTI-B strains and converts them into ANTI-Variant.[13]
  • ANTI-B: 1,144 bytes[14] plus 8 byte jump table entry. Discovered in France[15] in September 1990.[3] Despite the later discovery date, it is believed to be the earliest version of the virus.[16] Also known as ANTI-0.
  • ANTI-Variant: Discovered in September 1990.[17] The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.[18][19] Also known as ANTI-ANGE.

Payload


All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk,[8] and if so, reads the first sector (512 bytes[20]) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S".[8] If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.

Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,[10] which would detect the reorganisation caused by a standard filesystem copy.

Side Effects


During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory,[13] particularly on older Macintoshes with 64 KiB ROMs.[3]
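The infection criteria listed under "Mode of operation" and the attribute side effect described above both concern the CODE resources of a classic Mac OS application. The following Python is an added example (not code from the article or from any antivirus product) that parses a resource fork image, extracts CODE 0 and CODE 1, and reports the criteria a scanner could log: presence of both resources, whether CODE 1 begins with a 68000 JSR, whether CODE 1 plus the virus size would still fit within 32,768 bytes, and whether CODE 1's resource attributes have been cleared. The resource fork layout follows Inside Macintosh; the sample forks, the `build_resource_fork` helper, the 4-byte segment header skipped before reading the first instruction, and the attribute value `RES_LOCKED_PRELOAD` are this example's own constructions and assumptions. It does not identify ANTI itself, which, as the Mitigation section notes, requires a signature string search.

```python
import struct

JSR_OPCODE_HI = 0x4E       # 68000 JSR encodes as 0100 1110 10xx xxxx
SEGMENT_LIMIT = 32_768     # criterion 4: CODE 1 plus the virus must stay within 32 KiB
ANTI_A_SIZE = 1_344        # bytes ANTI-A appends to CODE 1 (from the article)
ANTI_B_SIZE = 1_144        # bytes ANTI-B appends to CODE 1 (from the article)
RES_LOCKED_PRELOAD = 0x14  # resLocked | resPreload; assumed typical for a Main segment


def build_resource_fork(resources):
    """Build a minimal resource fork image from (type, id, attrs, payload) tuples.

    Layout per Inside Macintosh: 16-byte header, 240 reserved bytes, data section
    of length-prefixed blobs, then the map (type list, reference lists, empty
    name list). Constructed here only so the example runs offline.
    """
    data = bytearray()
    by_type = {}
    for rtype, rid, attrs, payload in resources:
        by_type.setdefault(rtype, []).append((rid, attrs, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    type_list = struct.pack(">H", len(by_type) - 1)
    type_list_size = 2 + 8 * len(by_type)
    refs = bytearray()
    for rtype, entries in by_type.items():
        type_list += rtype.encode("mac_roman")
        type_list += struct.pack(">HH", len(entries) - 1, type_list_size + len(refs))
        for rid, attrs, off in entries:
            # id, name offset (0xFFFF = unnamed), attrs, 3-byte data offset, 4-byte handle
            refs += struct.pack(">hHB", rid, 0xFFFF, attrs) + off.to_bytes(3, "big") + bytes(4)
    # map: 16 reserved + 4 handle + 2 file ref + 2 attrs, then type/name list offsets
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + type_list_size + len(refs)) + type_list + refs
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + bytes(data) + rmap


def parse_resource_fork(fork):
    """Return {(type, id): (attrs, payload)} for every resource in a fork image."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    out = {}
    for i in range(struct.unpack_from(">H", fork, type_list)[0] + 1):
        rtype, count_m1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(count_m1 + 1):
            entry = type_list + ref_off + 12 * j
            rid, _name, attrs = struct.unpack_from(">hHB", fork, entry)
            start = data_off + int.from_bytes(fork[entry + 5:entry + 8], "big")
            size = struct.unpack_from(">I", fork, start)[0]
            out[(rtype.decode("mac_roman"), rid)] = (attrs, bytes(fork[start + 4:start + 4 + size]))
    return out


def assess_code_resources(resources, virus_size=ANTI_A_SIZE):
    """Evaluate the article's infection criteria and its attribute side effect.

    Returns a findings dict a scanner could log. It does not identify ANTI;
    per the article that needs a signature string search.
    """
    code0 = resources.get(("CODE", 0))
    code1 = resources.get(("CODE", 1))
    findings = {"has_code_0_and_1": code0 is not None and code1 is not None}
    if not findings["has_code_0_and_1"]:
        return findings
    attrs1, seg1 = code1
    # Assumption of this example: CODE segments other than 0 carry a 4-byte header
    # (first jump-table entry offset, entry count), so the first instruction is at offset 4.
    op = seg1[4:6]
    findings["code1_starts_with_jsr"] = (len(op) == 2 and op[0] == JSR_OPCODE_HI
                                         and op[1] & 0xC0 == 0x80)
    findings["code1_size"] = len(seg1)
    findings["code1_fits_with_virus"] = len(seg1) + virus_size <= SEGMENT_LIMIT
    # Side effect named in the article: infection clears every CODE 1 attribute.
    findings["code1_attrs_cleared"] = attrs1 == 0
    # CODE 0 is a 16-byte header followed by 8-byte jump-table entries.
    findings["jump_table_entries"] = (len(code0[1]) - 16) // 8
    return findings


def sample_forks():
    """Constructed samples: a clean application, one with CODE 1 attributes
    stripped, and one whose CODE 1 is too large for ANTI-A but not for ANTI-B."""
    jump_table = bytes(16) + bytes(8)                        # header + one entry
    main_seg = bytes([0, 0, 0, 1]) + b"\x4e\xb9" + bytes(4)  # header, JSR abs.L, filler
    big_seg = bytes([0, 0, 0, 1]) + b"\x4e\xb9" + bytes(31_500 - 6)
    return {
        "clean": build_resource_fork([("CODE", 0, 0, jump_table), ("CODE", 1, RES_LOCKED_PRELOAD, main_seg)]),
        "stripped": build_resource_fork([("CODE", 0, 0, jump_table), ("CODE", 1, 0, main_seg)]),
        "large": build_resource_fork([("CODE", 0, 0, jump_table), ("CODE", 1, RES_LOCKED_PRELOAD, big_seg)]),
    }


if __name__ == "__main__":
    for name, fork in sample_forks().items():
        print(name, assess_code_resources(parse_resource_fork(fork)))
```

Running the script prints one findings line per sample. The "large" sample illustrates criterion 4 in both directions: a 31,500-byte CODE 1 leaves no room for ANTI-A's 1,344 bytes but does for ANTI-B's 1,144 bytes, so the virus-size parameter matters when reasoning about which strain could have reached a given application. On a real fork the attribute check is only an indicator, since a linker may legitimately emit CODE 1 with no attributes set.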

Mitigation


Unlike preceding Macintosh viruses, ANTI cannot be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus.[1]

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later[21]), Interferon, Virus Detective, or Virus Rx,[22] while McAfee recommends Virex.[8] However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state;[5] only restoring from a virus-free backup is completely effective.[11][13]


References

  1. Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, "A Computer Virus Primer", 28 November 1989, p. 36. Computer Science Technical Reports Paper 795
  2. Peter J. Denning (editor), Computers Under Attack, ACM Press, 1990, p. 350
  3. Bruce Schneier, Protect Your Macintosh, Peachpit Press, 1994, pp. 124-125
  4. David Harley, Viruses and the Macintosh
  5. Paul Baccas (editor), OS X Exploits and Defense, Syngress Publishing, 2008, p. 83
  6. Gizzing H. Khanaka & William J. Orvis, Virus Information Update CIAC-2301 (archived 2017-03-02 at the Wayback Machine), Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59
  7. David Ferbrache, "Known Apple Macintosh Viruses", Virus Bulletin, July 1989, p. 5
  8. McAfee, MacOS/ANTI
  9. Apple Computer, Inc., Inside Macintosh, Volume I, Addison Wesley, 1985, p. 107
  10. List of known Macintosh viruses
  11. John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy, Dvorak's Inside Track to the Mac, Osborne McGraw-Hill, 1992, p. 178
  12. Virex, Anti-virus software for Macintosh computers User's Guide, p. 87
  13. About.com Virus Encyclopedia, ANTI
  14. Virus-Test-Center, University of Hamburg, ANTI B Virus
  15. Edward Valauskas, Macintosh Workstations, Library Workstation Report, Vol. 7, Issue 9
  16. TidBITS, ANTI-B, 1 October 1990
  17. Alan Coopersmith, Virex 3.x Virus Definitions
  18. Virus-Test-Center, University of Hamburg, ANTI Variant Virus
  19. Sydney Morning Herald, Sunday, 31 March 1991, p. 45, Fighting the virus
  20. Apple Computer, Inc., Inside Macintosh, Volume II, Addison Wesley, 1985, p. 211
  21. TidBITS, 2.3 and Counting, 29 October 1990
  22. Virus-Test-Center, University of Hamburg, ANTI A Virus

External links

  • The Virus Encyclopedia, Anti
  • New Macintosh Virus — Thierry DeLettre's announcement on CompuServe (includes some speculations later found to be incorrect)