ANTI is a computer virus affecting

Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple trees are cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, where its wild ancestor, ' ...

Macintosh The Mac (known as Macintosh until 1999) is a family of personal computers designed and marketed by Apple Inc. Macs are known for their ease of use and minimalist designs, and are popular among students, creative professionals, and software en ...

computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional

resources Resource refers to all the materials available in our environment which are technologically accessible, economically feasible and culturally sustainable and help us to satisfy our needs and wants. Resources can broadly be classified upon their av ...

within infected files; instead, it patches existing CODE resources.Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache,
A Computer Virus Primer
, 28 November 1989, p. 36. ''Computer Science Technical Reports'' Paper 795Peter J Denning (editor), ''Computers Under Attack'', ACM Press, 1990, p. 350 The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.Bruce Schneier,
Protect Your Macintosh
', Peachpit Press, 1994, pp. 124-125 Due to a bug in the virus, it cannot spread if

MultiFinder MultiFinder is an extension for the Apple Macintosh's classic Mac OS, introduced on August 11, 1987 and included with System Software 5. It adds cooperative multitasking of several applications at once – a great improvement over the previou ...

is running, which prevents it from infecting

System 7 System 7, codenamed "Big Bang", and also known as Mac OS 7, is a graphical user interface-based operating system for Macintosh computers and is part of the classic Mac OS series of operating systems. It was introduced on May 13, 1991, by Apple C ...

and later versions of Mac OS as well as System 5 and 6 running MultiFinder.David Harley
Viruses and the Macintosh
/ref>Paul Baccas (editor),
OS X Exploits and Defense
', Syngress Publishing, 2008, p. 83

Mode of operation

ANTI only infects applicationsGizzing H. Khanaka & William J. Orvis
Virus Information Update CIAC-2301
, Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59 (as opposed to system files), and therefore can only spread when an infected application is run.David Ferbrache, "Known Apple Macintosh Viruses"
''Virus Bulletin'', July 1989, p. 5
/ref> When such an application calls the OpenResFile function,McAfee
MacOS/ANTI
/ref> the virus searches the computer for applications that fulfill all of the following criteria: # They have CODE (application code segmentApple Computer, Inc., ''Inside Macintosh'', Volume I, Addison Wesley, 1985, p. 107) resources with resource IDs 0 and 1 # CODE 1 begins with a JSR instruction (generally the Main resource in a given application) # The application is not already infected with ANTI # The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes All matching applications are then infected by appending the virus to the CODE 1 resourceJohn C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy,
Dvorak's Inside Track to the Mac
', Osborne McGraw-Hill, 1992, p. 178 and adding a corresponding entry to the application's jump table.

Variants

There are three strains of ANTI, with the following differences: * ANTI-A: 1,344 bytes plus 8 byte jump table entry. The first version to be isolated, in FranceVirex
Anti-virus software for Macintosh computers User's Guide
p. 87 in February 1989. Searches for ANTI-B strains and converts them into ANTI-Variant.About.com Virus Encyclopedia

/ref> * ANTI-B: 1,144 bytesVirus-Test-Center, University of Hamburg

/ref> plus 8 byte jump table entry. Discovered in FranceEdward Valauskas
''Macintosh Workstations''
Library Workstation Report, Vol. 7, Issue 9 in September 1990. Despite the later discovery date, it is believed to be the earliest version of the virus.TidBITS
ANTI-B
1 October 1990 Also known as ANTI-0. * ANTI-Variant: Discovered in September 1990.Alan Coopersmith
Virex 3.x Virus Definitions
/ref> The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.Virus-Test-Center, University of Hamburg

/ref>Sydney Morning Herald
Sunday, 31 March 1991, p. 45
''Fighting the virus'' Also known as ANTI-ANGE.

Payload

All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk, and if so, reads the first

sector Sector may refer to: Places * Sector, West Virginia, U.S. Geometry * Circular sector, the portion of a disc enclosed by two radii and a circular arc * Hyperbolic sector, a region enclosed by two radii and a hyperbolic arc * Spherical sector, a p ...

(512 bytesApple Computer, Inc., ''Inside Macintosh'', Volume II, Addison Wesley, 1985, p. 211) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S". If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect. Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a

copy protection Copy protection, also known as content protection, copy prevention and copy restriction, describes measures to enforce copyright by preventing the reproduction of software, films, music, and other media. Copy protection is most commonly found o ...

scheme,List of known Macintosh viruses
/ref> which would detect the reorganisation caused by a standard filesystem copy.

Side Effects

During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory, particularly on older Macintoshes with 64 KiB ROMs.

Mitigation

Unlike preceding Macintosh viruses, ANTI can not be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus. The

University of Hamburg The University of Hamburg (german: link=no, Universität Hamburg, also referred to as UHH) is a public research university in Hamburg, Germany. It was founded on 28 March 1919 by combining the previous General Lecture System ('' Allgemeines Vo ...

's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and laterTidBITS
2.3 and Counting
29 October 1990), Interferon, Virus Detective, or Virus Rx,Virus-Test-Center, University of Hamburg

/ref> while

McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American global computer security software company head ...

recommends

Virex McAfee VirusScan is an antivirus software created and maintained by McAfee (formerly known as Intel Security, and Network Associates prior to that). Originally marketed as a standalone product, it has been bundled with McAfee LiveSafe, McAfee An ...

. However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; only restoring from a virus-free backup is completely effective.

References

{{reflist

External links

* The Virus Encyclopedia
Anti

New Macintosh Virus
— Thierry DeLettre's announcement on CompuServe (includes some speculations later found to be incorrect) Classic Mac OS viruses