ANTI (computer virus)

Common name: ANTI
Aliases: ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant
Classification: Virus
Type: Macintosh
Subtype: Application infector, copy protection
Isolation: 1989-02 (ANTI-A), 1990-09 (ANTI-B)
Point of origin: France
Author(s): Unknown
Operating system(s) affected: System 6 and older running Finder
Filesize: 1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B)

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources. [1] [2]

The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run. [3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder. [1] [4] [5]

Mode of operation

ANTI only infects applications [6] (as opposed to system files), and therefore can only spread when an infected application is run. [7] When such an application calls the OpenResFile function, [8] the virus searches the computer for applications that fulfill all of the following criteria:

  1. They have CODE (application code segment [9] ) resources with resource IDs 0 and 1
  2. CODE 1 begins with a JSR instruction (generally the Main resource in a given application) [10]
  3. The application is not already infected with ANTI
  4. The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes [8]

All matching applications are then infected by appending the virus to the CODE 1 resource [11] and adding a corresponding entry to the application's jump table. [2] [8]

Variants

There are three strains of ANTI. ANTI-A, isolated in February 1989, is 1,352 bytes long; ANTI-B, isolated in September 1990, is 1,152 bytes long; a further variant is also recorded.

Payload

All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the volume being mounted is actually a floppy disk, [8] and if so reads the first sector (512 bytes [20] ) of track 16. It then compares the bytes at offset 8 into that sector against the byte $16 followed by the ASCII characters "%%S". [8] If they match, the virus executes the code at offset 0 of the sector with a JSR. No disks carrying a matching string are known to exist, so in practice the payload has no effect.

Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme, [10] which would detect the reorganisation caused by a standard filesystem copy.

Side Effects

During infection, ANTI clears all resource attributes of CODE 1, which may cause the infected application to use more memory, [13] particularly on older Macintoshes with 64 KiB ROMs. [3] The cleared attributes include the purgeable flag, so the segment is loaded as a heap block that the Memory Manager cannot reclaim when memory runs short.

Mitigation

Unlike the preceding Macintosh viruses, which add their own resources to infected files, ANTI cannot be detected by looking for specific resource types, names and IDs; a slower string comparison over the contents of existing resources is required in order to find signatures associated with the virus. [1]

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later [21] ), Interferon, Virus Detective, or Virus Rx, [22] while McAfee recommends Virex. [8] However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; [5] only restoring from a virus-free backup is completely effective. [11] [13]
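The host-selection criteria listed under "Mode of operation" and the detection point made in this section, as one added example that is neither the virus's code nor that of any scanner cited here: a Python script that parses a classic Mac OS resource fork (layout per Inside Macintosh), applies criteria 1, 2 and 4 to a constructed application, models only the documented file-level effects of infection (bytes appended to CODE 1, its attributes cleared, no resource added) with inert NOP filler, and then contrasts a scan for newly added resource type/ID pairs, which sees nothing, with a byte-pattern search over CODE bodies. The fork builder, the sample application, the filler and the signature pattern are constructed assumptions; the page gives no actual ANTI signature bytes, so criterion 3 (not already infected) is left out for the same reason.

```python
"""Added example (not ANTI's code): parse a classic Mac OS resource fork,
apply ANTI's structural host criteria, and compare type/ID detection with
byte-signature detection.  The fork, filler and signature are constructed."""
import struct

ANTI_A_SIZE = 1352          # virus length given in the infobox
CODE_SEGMENT_LIMIT = 32768  # criterion 4: CODE 1 plus virus must fit
RES_PURGEABLE, RES_LOCKED, RES_PRELOAD = 0x20, 0x10, 0x04  # attribute bits


def build_resource_fork(resources):
    """Minimal fork writer (no names): resources = [(type4, id, attrs, data)]."""
    data_blob, by_type = b"", {}
    for rtype, rid, attrs, data in resources:
        by_type.setdefault(rtype, []).append((rid, attrs, len(data_blob)))
        data_blob += struct.pack(">I", len(data)) + data
    type_list = struct.pack(">H", len(by_type) - 1)  # counts are stored minus one
    ref_lists, type_list_len = b"", 2 + 8 * len(by_type)
    for rtype, refs in by_type.items():
        type_list += rtype + struct.pack(">HH", len(refs) - 1,
                                         type_list_len + len(ref_lists))
        for rid, attrs, doff in refs:  # 12-byte reference entries
            ref_lists += (struct.pack(">hh", rid, -1) + bytes([attrs])
                          + doff.to_bytes(3, "big") + b"\0" * 4)
    body = type_list + ref_lists
    # Map = 16-byte header copy, next-map handle, refnum, fork attrs (24 bytes),
    # then the offsets, from map start, of the type list and the empty name list.
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(body)) + body
    header = struct.pack(">IIII", 256, 256 + len(data_blob), len(data_blob), len(rmap))
    return header.ljust(256, b"\0") + data_blob + rmap


def parse_resource_fork(fork):
    """Return {(type, id): (attrs, data)} from a resource fork image."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    out = {}
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        e = tl + 2 + 8 * i
        nrefs, ref_off = struct.unpack(">HH", fork[e + 4:e + 8])
        for j in range(nrefs + 1):
            r = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[r:r + 2])[0]
            start = data_off + int.from_bytes(fork[r + 5:r + 8], "big") + 4
            length = struct.unpack(">I", fork[start - 4:start])[0]
            out[(bytes(fork[e:e + 4]), rid)] = (fork[r + 4], bytes(fork[start:start + length]))
    return out


def is_jsr(word):
    """68000 JSR <ea>: 0100 1110 10 mmm rrr with a control addressing mode."""
    return word & 0xFFC0 == 0x4E80 and (word >> 3) & 7 in (2, 5, 6, 7)


def anti_host_criteria(resources, virus_size=ANTI_A_SIZE):
    """Criteria 1, 2 and 4 from 'Mode of operation'.  Criterion 3 (not already
    infected) is left out because the page gives no signature bytes for it."""
    code1 = resources.get((b"CODE", 1))
    if (b"CODE", 0) not in resources or code1 is None:
        return {"has CODE 0 and 1": False, "CODE 1 starts with JSR": False,
                "CODE 1 + virus fits": False}
    body = code1[1]
    # Every CODE segment except CODE 0 opens with a 4-byte segment header
    # (first jump-table entry offset, entry count): the first instruction is at 4.
    first = struct.unpack(">H", body[4:6])[0] if len(body) >= 6 else 0
    return {"has CODE 0 and 1": True, "CODE 1 starts with JSR": is_jsr(first),
            "CODE 1 + virus fits": len(body) + virus_size <= CODE_SEGMENT_LIMIT}


FILLER = b"\x4e\x71" * (ANTI_A_SIZE // 2)   # constructed: NOPs, not virus code
PLACEHOLDER_SIGNATURE = b"\x4e\x71" * 16    # assumption, not ANTI's real bytes


def model_anti_effect(resources):
    """Model only the documented file-level effects: bytes appended to CODE 1
    and its attributes cleared.  No new resource appears in the map."""
    new = dict(resources)
    new[(b"CODE", 1)] = (0, resources[(b"CODE", 1)][1] + FILLER)
    return new


def scan_code_bytes(resources, pattern):
    """Signature detection: substring search over every CODE body."""
    return sorted(k for k, (_, d) in resources.items() if k[0] == b"CODE" and pattern in d)


def demo():
    code0 = b"\0\0\0\x08\0\0\0\x20\0\0\0\x01" + b"\0" * 8         # constructed
    code1 = b"\0\0\0\x01" + b"\x4e\xb9\0\0\x10\0" + b"\x4e\x75"  # hdr, JSR, RTS
    fork = build_resource_fork([(b"CODE", 0, RES_PRELOAD, code0),
                                (b"CODE", 1, RES_PURGEABLE | RES_LOCKED, code1)])
    clean = parse_resource_fork(fork)
    infected = model_anti_effect(clean)
    return {"criteria": anti_host_criteria(clean),
            "new_type_ids": sorted(set(infected) - set(clean)),  # type/ID scan
            "by_bytes": scan_code_bytes(infected, PLACEHOLDER_SIGNATURE),
            "attrs_before": clean[(b"CODE", 1)][0],
            "attrs_after": infected[(b"CODE", 1)][0],
            "growth": len(infected[(b"CODE", 1)][1]) - len(clean[(b"CODE", 1)][1])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the type/ID scan returning an empty list while the byte search flags CODE 1, CODE 1 growing by exactly the virus length, and its attribute byte dropping from purgeable-and-locked to zero, which is the attribute loss that makes a clean-up incomplete and is why the text above recommends restoring from a backup.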

References

  1. Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, "A Computer Virus Primer", 28 November 1989, p. 36. Computer Science Technical Reports, Paper 795
  2. Peter J. Denning (editor), Computers Under Attack, ACM Press, 1990, p. 350
  3. Bruce Schneier, Protect Your Macintosh, Peachpit Press, 1994, pp. 124-125
  4. David Harley, Viruses and the Macintosh
  5. Paul Baccas (editor), OS X Exploits and Defense, Syngress Publishing, 2008, p. 83
  6. Gizzing H. Khanaka & William J. Orvis, Virus Information Update CIAC-2301 (archived 2017-03-02 at the Wayback Machine), Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59
  7. David Ferbrache, "Known Apple Macintosh Viruses", Virus Bulletin, July 1989, p. 5
  8. McAfee, MacOS/ANTI
  9. Apple Computer, Inc., Inside Macintosh, Volume I, Addison-Wesley, 1985, p. 107
  10. List of known Macintosh viruses
  11. John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David & John A. Murphy, Dvorak's Inside Track to the Mac, Osborne McGraw-Hill, 1992, p. 178
  12. Virex, Anti-virus software for Macintosh computers, User's Guide, p. 87
  13. About.com Virus Encyclopedia, ANTI
  14. Virus-Test-Center, University of Hamburg, ANTI B Virus
  15. Edward Valauskas, Macintosh Workstations, Library Workstation Report, Vol. 7, Issue 9
  16. TidBITS, ANTI-B, 1 October 1990
  17. Alan Coopersmith, Virex 3.x Virus Definitions
  18. Virus-Test-Center, University of Hamburg, ANTI Variant Virus
  19. Sydney Morning Herald, Sunday, 31 March 1991, p. 45, "Fighting the virus"
  20. Apple Computer, Inc., Inside Macintosh, Volume II, Addison-Wesley, 1985, p. 211
  21. TidBITS, 2.3 and Counting, 29 October 1990
  22. Virus-Test-Center, University of Hamburg, ANTI A Virus