| Field | Value |
| --- | --- |
| Common Name | ANTI |
| Aliases | ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant |
| Classification | Virus |
| Type | Macintosh |
| Subtype | Application infector, copy protection |
| Isolation Date | 1989-02 (ANTI-A), 1990-09 (ANTI-B) |
| Origin | France |
| Author | Unknown |
| OS | System 6 and older running Finder |
| Filesize | 1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B) |
ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.[1] [2]
The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.[3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.[4] [5]
ANTI only infects applications[6] (as opposed to system files), and therefore can only spread when an infected application is run.[7] When such an application calls the OpenResFile function,[8] the virus searches the computer for applications that fulfill all of the following criteria:
All matching applications are then infected by appending the virus to the CODE 1 resource[10] and adding a corresponding entry to the application's jump table.
There are three strains of ANTI, with the following differences:
All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk and, if so, reads the first sector (512 bytes[19]) of track 16. The virus then compares the text at offset 8 of that sector against the string $16+"%%S". If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.
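As an added example (not code from the article or from any of the antivirus tools it names), the following defensive triage check looks through a raw floppy image for the marker ANTI's payload tests for. Because the byte position of track 16 depends on the drive's zoned geometry, which the article does not give, every 512-byte sector is checked, which can only over-report; the sample image and its NOP entry bytes are constructed.

```python
# Added example: scan a raw Macintosh floppy image for the 4-byte marker that
# ANTI compares against at offset 8 of the first sector of track 16.
# Every 512-byte sector is checked because the image offset of track 16
# is not known from the article; this over-reports but cannot miss.

SECTOR_SIZE = 512
MARKER_OFFSET = 8
# The article's $16+"%%S": the byte $16 followed by the ASCII characters %%S.
TRIGGER_MARKER = b"\x16%%S"


def sector_has_trigger(sector: bytes) -> bool:
    """True if a 512-byte sector carries ANTI's marker at offset 8."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    end = MARKER_OFFSET + len(TRIGGER_MARKER)
    return sector[MARKER_OFFSET:end] == TRIGGER_MARKER


def scan_image(image: bytes) -> list[dict]:
    """Return one finding per sector whose marker matches.

    Each finding records the sector index, its byte offset in the image and
    the first 8 bytes at offset 0, which is where ANTI would JSR.
    A trailing partial sector (if the image is not a multiple of 512) is ignored.
    """
    findings = []
    for index in range(len(image) // SECTOR_SIZE):
        start = index * SECTOR_SIZE
        sector = image[start:start + SECTOR_SIZE]
        if sector_has_trigger(sector):
            findings.append({
                "sector": index,
                "offset": start,
                "entry_bytes": sector[:8].hex(),
            })
    return findings


def build_sample_image() -> bytes:
    """Constructed 4-sector image: only sector 2 carries the marker."""
    clean = bytes(SECTOR_SIZE)
    marked = bytearray(SECTOR_SIZE)
    marked[:8] = b"\x4e\x71" * 4  # constructed entry bytes: four 68000 NOPs
    marked[MARKER_OFFSET:MARKER_OFFSET + len(TRIGGER_MARKER)] = TRIGGER_MARKER
    return clean + clean + bytes(marked) + clean


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```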
Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,[20] which would detect the reorganisation caused by a standard filesystem copy.
During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory, particularly on older Macintoshes with 64 KiB ROMs.
Unlike earlier Macintosh viruses, ANTI cannot be detected by looking for specific resource names and IDs; a slower string-comparison search for signatures associated with the virus is required.
The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later[21]), Interferon, Virus Detective, or Virus Rx,[22] while McAfee recommends Virex. However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; only restoring from a virus-free backup is completely effective.