ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.[Eugene H. Spafford, Kathleen A. Heaphy and David J. Ferbrache, ''A Computer Virus Primer'', 28 November 1989, p. 36. ''Computer Science Technical Reports'' Paper 795][Peter J Denning (editor), ''Computers Under Attack'', ACM Press, 1990, p. 350]
The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.[Bruce Schneier, ''Protect Your Macintosh'', Peachpit Press, 1994, pp. 124-125] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.[David Harley, ''Viruses and the Macintosh''][Paul Baccas (editor), ''OS X Exploits and Defense'', Syngress Publishing, 2008, p. 83]
Mode of operation
ANTI only infects applications[Gizzing H. Khanaka & William J. Orvis, ''Virus Information Update CIAC-2301'', Department of Energy Computer Incident Advisory Capability, Lawrence Livermore National Laboratory, 21 May 1998, p. 59] (as opposed to system files), and therefore can only spread when an infected application is run.[David Ferbrache, "Known Apple Macintosh Viruses", ''Virus Bulletin'', July 1989, p. 5] When such an application calls the OpenResFile function,[McAfee, ''MacOS/ANTI''] the virus searches the computer for applications that fulfill all of the following criteria:
# They have CODE (application code segment[Apple Computer, Inc., ''Inside Macintosh'', Volume I, Addison Wesley, 1985, p. 107]) resources with resource IDs 0 and 1
# CODE 1 begins with a JSR instruction (generally the Main resource in a given application)
# The application is not already infected with ANTI
# The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes
All matching applications are then infected by appending the virus to the CODE 1 resource[John C. Dvorak, Mimi Smith-Dvorak, Bernard J. David, & John A. Murphy, ''Dvorak's Inside Track to the Mac'', Osborne McGraw-Hill, 1992, p. 178] and adding a corresponding entry to the application's jump table.
Variants
There are three strains of ANTI, with the following differences:
* ANTI-A: 1,344 bytes plus an 8-byte jump table entry. The first version to be isolated, in France[Virex, ''Anti-virus software for Macintosh computers User's Guide'', p. 87] in February 1989. Searches for ANTI-B strains and converts them into ANTI-Variant.[About.com Virus Encyclopedia]
* ANTI-B: 1,144 bytes[Virus-Test-Center, University of Hamburg] plus an 8-byte jump table entry. Discovered in France[Edward Valauskas, ''Macintosh Workstations'', Library Workstation Report, Vol. 7, Issue 9] in September 1990. Despite the later discovery date, it is believed to be the earliest version of the virus.[TidBITS, ''ANTI-B'', 1 October 1990] Also known as ANTI-0.
* ANTI-Variant: Discovered in September 1990.[Alan Coopersmith, ''Virex 3.x Virus Definitions''] The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.[Virus-Test-Center, University of Hamburg][Sydney Morning Herald, ''Fighting the virus'', Sunday, 31 March 1991, p. 45] Also known as ANTI-ANGE.
Payload
All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk, and if so, reads the first sector (512 bytes[Apple Computer, Inc., ''Inside Macintosh'', Volume II, Addison Wesley, 1985, p. 211]) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S". If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.
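The four infection criteria from the Mode of operation section and the payload trigger above, written out as a defender-side exposure check (an added example, not code from the article or any of its sources). The resource-map layout, the `already_infected` callback and the sample resources are assumptions; the JSR test uses the standard 68000 opcode encoding.

```python
import struct

# Strain body sizes from the Variants section; the 8-byte jump-table entry is separate.
STRAIN_SIZES = {"ANTI-A": 1344, "ANTI-B": 1144}
CODE1_LIMIT = 32768                 # criterion 4: CODE 1 plus virus must fit in 32,768 bytes
PAYLOAD_TRIGGER = b"\x16%%S"        # $16 + "%%S", compared at offset 8 of the sector

def starts_with_jsr(code: bytes) -> bool:
    """68000 JSR encodes as 0x4E80 plus a 6-bit effective-address field (0x4E80..0x4EBF)."""
    if len(code) < 2:
        return False
    (opcode,) = struct.unpack(">H", code[:2])
    return opcode & 0xFFC0 == 0x4E80

def infection_exposure(resources, strain="ANTI-A", already_infected=lambda r: False):
    """List the criteria an application fails; an empty list means the strain could infect it.
    `resources` maps (type, id) -> {"data": bytes, "attrs": int} (hypothetical layout).
    `already_infected` is a caller-supplied signature check; the article gives no signature."""
    code0, code1 = resources.get(("CODE", 0)), resources.get(("CODE", 1))
    if code0 is None or code1 is None:
        return ["no CODE 0 and CODE 1 resources"]
    failed = []
    if not starts_with_jsr(code1["data"]):
        failed.append("CODE 1 does not begin with JSR")
    if already_infected(resources):
        failed.append("already infected")
    if len(code1["data"]) + STRAIN_SIZES[strain] > CODE1_LIMIT:
        failed.append("CODE 1 plus virus exceeds 32,768 bytes")
    return failed

def code1_attrs_cleared(resources) -> bool:
    """Weak post-infection indicator: ANTI clears every resource attribute on CODE 1."""
    code1 = resources.get(("CODE", 1))
    return code1 is not None and code1["attrs"] == 0

def sector_triggers_payload(sector: bytes) -> bool:
    """True if this first sector of track 16 would make ANTI's MountVol hook JSR to offset 0."""
    return len(sector) == 512 and sector[8:12] == PAYLOAD_TRIGGER

# Constructed samples: CODE 1 opens with JSR $00001000 (absolute long, opcode 0x4EB9).
JSR_ABS = b"\x4e\xb9\x00\x00\x10\x00"
SMALL_APP = {("CODE", 0): {"data": b"\x00" * 24, "attrs": 0x20},
             ("CODE", 1): {"data": JSR_ABS + b"\x00" * 30000, "attrs": 0x20}}
LARGE_APP = {("CODE", 0): {"data": b"\x00" * 24, "attrs": 0x20},
             ("CODE", 1): {"data": JSR_ABS + b"\x00" * 31494, "attrs": 0}}
SAMPLE_SECTOR = b"\x4e\x75" + b"\x00" * 6 + PAYLOAD_TRIGGER + b"\x00" * 500  # RTS, then trigger
```

The 31,500-byte CODE 1 in `LARGE_APP` is out of reach for ANTI-A but within the limit for the 200-byte-smaller ANTI-B, which is the size criterion in action.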
Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,[List of known Macintosh viruses] which would detect the reorganisation caused by a standard filesystem copy.
Side Effects
During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory, particularly on older Macintoshes with 64 KiB ROMs.
Mitigation
Unlike preceding Macintosh viruses, ANTI cannot be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus.
The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later[TidBITS, ''2.3 and Counting'', 29 October 1990]), Interferon, Virus Detective, or Virus Rx,[Virus-Test-Center, University of Hamburg] while McAfee recommends Virex. However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; only restoring from a virus-free backup is completely effective.
See also
* Extended Copy Protection, a later controversial copy-protection malware
External links
* The Virus Encyclopedia: Anti
* New Macintosh Virus — Thierry DeLettre's announcement on CompuServe (includes some speculations later found to be incorrect)