ANTI (computer virus)

{{Short description|Macintosh Virus}}

{{Infobox computer virus

| fullname =

| image =

| common_name = ANTI

| technical_name =

| aliases = ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant

| family =

| classification = Virus

| type = Macintosh

| subtype = Application infector, copy protection

| isolation_date = 1989-02 (ANTI-A), 1990-09 (ANTI-B)

| origin = France

| author = Unknown

| ports_used =

| OS = System 6 and older running Finder

| filesize = 1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B)

| language =

}}

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.<ref>Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, "[https://web.archive.org/web/20170307210606/https://pdfs.semanticscholar.org/b5e5/86a9663e016db03edebba54ab0ad248e4657.pdf A Computer Virus Primer]", 28 November 1989, p. 36. Computer Science Technical Reports Paper 795</ref><ref>Peter J. Denning (editor), Computers Under Attack, ACM Press, 1990, p. 350</ref>

The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.<ref>Bruce Schneier, [http://vintageapple.org/macbooks/pdf/Protect_Your_Macintosh_1994.pdf Protect Your Macintosh], Peachpit Press, 1994, pp. 124-125</ref> Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.<ref>David Harley, [http://www.faqs.org/faqs/computer-virus/macintosh-faq/ Viruses and the Macintosh]</ref><ref>Paul Baccas (editor), [https://books.google.com/books?id=2nvOJ3n5C4cC&pg=PA83 OS X Exploits and Defense], Syngress Publishing, 2008, p. 83</ref>

Mode of operation

ANTI infects only applications (as opposed to system files),<ref>Gizzing H. Khanaka & William J. Orvis, [http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA394231 Virus Information Update CIAC-2301] {{Webarchive|url=https://web.archive.org/web/20170302114805/http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA394231 |date=2017-03-02 }}, Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59</ref> and therefore can spread only when an infected application is run.<ref>David Ferbrache, "Known Apple Macintosh Viruses", [https://www.virusbulletin.com/uploads/pdf/magazine/1989/198907.pdf Virus Bulletin, July 1989, p. 5]</ref> When such an application calls the Resource Manager's OpenResFile routine,<ref>McAfee, [https://www.mcafee.com/threat-intelligence/malware/default.aspx?id=99887 MacOS/ANTI]</ref> the virus searches the computer for applications that fulfil all of the following criteria:

  1. They have CODE (application code segment<ref>Apple Computer, Inc., Inside Macintosh, Volume I, Addison Wesley, 1985, p. 107</ref>) resources with resource IDs 0 and 1
  2. CODE 1 begins with a 68000 JSR (jump to subroutine) instruction; CODE 1 is normally the application's main code segment
  3. The application is not already infected with ANTI
  4. The size of CODE 1 plus the size of the virus is at most 32,768 bytes, the 32 KiB segment limit of the classic Segment Loader

All matching applications are then infected by appending the virus to the CODE 1 resource<ref>John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy, [https://archive.org/details/mac_Dvoraks_Inside_Track_for_the_Mac_1992 Dvorak's Inside Track to the Mac], Osborne McGraw-Hill, 1992, p. 178</ref> and adding a corresponding entry to the application's jump table, which is stored in CODE 0.
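As an added illustration (not code from the page's sources, from the virus, or from any antivirus product), the following Python builds a constructed Macintosh application resource fork and applies ANTI's host criteria 1, 2 and 4 to it. The resource-fork, CODE 0 and jump-table layouts are the documented Inside Macintosh formats; the sample CODE 1 bodies, the resource attribute values, the default virus size and all function names are assumptions made for the example. Criterion 3 is left out because the page does not say how the virus recognises an existing infection, so that part remains a signature-scanning question.

```python
"""Evaluate ANTI's host-selection criteria against a Macintosh resource fork.

Added illustration only: neither the virus's code nor any scanner's.  Fork,
CODE 0 and jump-table layouts follow Inside Macintosh (Resource Manager and
Segment Loader chapters); every sample fork here is constructed for the example.
"""
import struct

# 68000 JSR: opcode word 0100 1110 10 <ea>  ->  word & 0xFFC0 == 0x4E80
JSR_MASK, JSR_OPCODE = 0xFFC0, 0x4E80
SEGMENT_LIMIT = 32768                          # criterion 4: 32 KiB segment limit
MOVE_W_IMM_SP, LOADSEG_TRAP = 0x3F3C, 0xA9F0   # words of an unloaded jump-table entry
ANTI_A_BODY = 1344                             # bytes appended to CODE 1 (assumed from the text)


def build_resource_fork(resources):
    """Serialise {(type, id): (attributes, data)} into a resource fork."""
    data, offsets = bytearray(), {}
    for key, (_, payload) in resources.items():
        offsets[key] = len(data)
        data += struct.pack(">I", len(payload)) + payload
    by_type = {}
    for rtype, rid in resources:
        by_type.setdefault(rtype, []).append(rid)
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))   # stored as count - 1
    ref_lists, ref_base = bytearray(), 2 + 8 * len(by_type)
    for rtype, ids in by_type.items():
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"),
                                 len(ids) - 1, ref_base + len(ref_lists))
        for rid in ids:
            attrs, off = resources[(rtype, rid)][0], offsets[(rtype, rid)]
            # id, name offset (0xFFFF = no name), attributes, 3-byte data offset, handle
            ref_lists += struct.pack(">hHBBHI", rid, 0xFFFF, attrs, off >> 16, off & 0xFFFF, 0)
    # map: 16 reserved, next-map handle, file refnum, attrs, type-list and name-list offsets
    res_map = bytes(16) + struct.pack(">IHHHH", 0, 0, 0, 28, 28 + len(type_list) + len(ref_lists))
    res_map += type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(res_map))
    return header + bytes(240) + bytes(data) + res_map


def parse_resource_fork(fork):
    """Return {(type, id): (attributes, data)} for every resource in a fork."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    resources = {}
    for i in range(ntypes):
        e = type_list + 2 + 8 * i
        rtype, count_m1, ref_off = struct.unpack(">4sHH", fork[e:e + 8])
        for j in range(count_m1 + 1):
            ref = type_list + ref_off + 12 * j
            rid, _, attrs, hi, lo = struct.unpack(">hHBBH", fork[ref:ref + 8])
            start = data_off + ((hi << 16) | lo)
            length = struct.unpack(">I", fork[start:start + 4])[0]
            resources[(rtype.decode("mac_roman"), rid)] = (attrs, fork[start + 4:start + 4 + length])
    return resources


def build_code0(entries):
    """CODE 0: above-A5 size, below-A5 size, jump-table length, jump-table A5 offset,
    then one 8-byte entry per routine: offset, MOVE.W #seg,-(SP), _LoadSeg."""
    jt = b"".join(struct.pack(">HHHH", off, MOVE_W_IMM_SP, seg, LOADSEG_TRAP) for seg, off in entries)
    return struct.pack(">IIII", 32 + len(jt), 0, len(jt), 32) + jt


def jump_table_entries(code0):
    """Decode CODE 0's jump table into (segment, routine offset) pairs; ANTI adds one."""
    _, _, jt_len, _ = struct.unpack(">IIII", code0[:16])
    entries = []
    for i in range(16, 16 + jt_len, 8):
        off, move_w, seg, trap = struct.unpack(">HHHH", code0[i:i + 8])
        if (move_w, trap) != (MOVE_W_IMM_SP, LOADSEG_TRAP):
            raise ValueError("not an unloaded jump-table entry at offset %d" % i)
        entries.append((seg, off))
    return entries


def anti_host_check(fork, virus_size=ANTI_A_BODY):
    """Apply ANTI's structural criteria 1, 2 and 4 to a resource fork.
    Criterion 3 (not already infected) needs the virus's own marker, which the
    text does not give, so it is left to signature scanning."""
    res = parse_resource_fork(fork)
    code0, code1 = res.get(("CODE", 0)), res.get(("CODE", 1))
    has_code = code0 is not None and code1 is not None
    first_word = struct.unpack(">H", code1[1][:2])[0] if has_code and len(code1[1]) >= 2 else 0
    starts_with_jsr = (first_word & JSR_MASK) == JSR_OPCODE
    fits = has_code and len(code1[1]) + virus_size <= SEGMENT_LIMIT
    return {"has_code_0_and_1": has_code, "code1_starts_with_jsr": starts_with_jsr,
            "fits_in_segment": fits, "viable_host": has_code and starts_with_jsr and fits,
            # side effect noted in the text: an infected CODE 1 has every attribute cleared
            "code1_attributes": code1[0] if has_code else None}


def sample_app(code1, code1_attrs=0x20):
    """Constructed host: CODE 0 with one jump-table entry into segment 1 plus the
    given CODE 1 (default attribute resPurgeable, as a normal segment would have)."""
    return build_resource_fork({("CODE", 0): (0x00, build_code0([(1, 0)])),
                                ("CODE", 1): (code1_attrs, code1)})


# Constructed CODE 1 bodies: JSR 4(PC)/RTS/RTS; BRA instead of JSR; JSR but far over 32 KiB
MAIN_JSR = bytes.fromhex("4EBA0004" "4E75" "4E75")
MAIN_BRA = bytes.fromhex("60000004" "4E75" "4E75")
MAIN_HUGE = MAIN_JSR + bytes.fromhex("4E71") * 16000     # NOP padding

if __name__ == "__main__":
    for name, code1 in (("jsr", MAIN_JSR), ("bra", MAIN_BRA), ("huge", MAIN_HUGE)):
        print(name, anti_host_check(sample_app(code1)))
```

Only the constructed fork with a JSR-led CODE 1 that leaves room under the 32 KiB limit comes back as a viable host; the BRA-led and oversized forks fail criteria 2 and 4 respectively. Parsing the jump table is what lets an analyst spot the extra 8-byte entry the text describes, once a clean copy of the application is available for comparison.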

Variants

There are three strains of ANTI, with the following differences:

  • ANTI-A: 1,344 bytes plus an 8-byte jump table entry. The first version to be isolated, in France<ref>Virex, [https://www.sfsu.edu/ftp/mac/antivirus/vrx60mug.pdf Anti-virus software for Macintosh computers User's Guide], p. 87</ref> in February 1989. Searches for ANTI-B infections and modifies them into ANTI-Variant.<ref>About.com Virus Encyclopedia, [https://web.archive.org/web/20140712222109/http://antivirus.about.com/library/virusinfo/blanti.htm ANTI]</ref>
  • ANTI-B: 1,144 bytes<ref>Virus-Test-Center, University of Hamburg, [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/antib.htm ANTI B Virus]</ref> plus an 8-byte jump table entry. Discovered in France<ref>Edward Valauskas, [http://www.emeraldinsight.com/doi/pdfplus/10.1108/eb027428 Macintosh Workstations], Library Workstation Report, Vol. 7, Issue 9</ref> in September 1990. Despite the later discovery date, it is believed to be the earliest version of the virus.<ref>TidBITS, [http://tidbits.com/article/3756 ANTI-B], 1 October 1990</ref> Also known as ANTI-0.
  • ANTI-Variant: Discovered in September 1990.<ref>Alan Coopersmith, [http://umich.edu/~archive/mac/util/virus/virex3.xvirusdefs.txt Virex 3.x Virus Definitions]</ref> The result of ANTI-A finding and modifying an ANTI-B infection. Causes the computer to hang when the infected application is run.<ref>Virus-Test-Center, University of Hamburg, [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/antivari.htm ANTI Variant Virus]</ref><ref>Sydney Morning Herald, [https://www.newspapers.com/newspage/120208136/ Sunday, 31 March 1991, p. 45], Fighting the virus</ref> Also known as ANTI-ANGE.

Payload

All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the volume being mounted is actually a floppy disk, and if so, reads the first sector (512 bytes<ref>Apple Computer, Inc., Inside Macintosh, Volume II, Addison Wesley, 1985, p. 211</ref>) of track 16. It then compares the four bytes at offset 8 into that sector against the byte $16 followed by the characters "%%S". If they match, the virus calls the code at offset 0 of the sector with a JSR, executing whatever the sector contains. No disks containing a matching string are known to exist, so in practice this payload has no effect.

Based on this search for an expected string at a fixed physical location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme:<ref>[http://ftp.cerias.purdue.edu/pub/tools/mac/mac-virus-list.txt List of known Macintosh viruses]</ref> a standard filesystem copy does not preserve where data lands on the disk, so such a check would detect the reorganisation it causes.

Side Effects

During infection, ANTI clears all resource attributes of CODE 1, such as the purgeable flag that normally lets the Segment Loader discard the segment when memory is short. The infected application may therefore use more memory, particularly on older Macintoshes with 64 KiB ROMs.

Mitigation

Unlike earlier Macintosh viruses, ANTI cannot be detected by looking for specific resource names and IDs, because it adds no resources of its own; a slower byte-string search of the resource data for signatures associated with the virus is required.

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later<ref>TidBITS, [http://tidbits.com/article/3734 2.3 and Counting], 29 October 1990</ref>), Interferon, Virus Detective, or Virus Rx,<ref>Virus-Test-Center, University of Hamburg, [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/antia.htm ANTI A Virus]</ref> while McAfee recommends Virex. However, because the original resource attributes of CODE 1 are lost during infection and cannot be recovered from the infected file, removing the virus does not restore the application to its pristine state; only restoring from a virus-free backup is completely effective.

See also

References

{{reflist}}