MacOS/ANTI

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Macintosh
  • Protection Added: 2002-12-16

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


  • Minimum Engine: 5400.1158
  • File Length: 1,356 (.a) 1,152 (.b)
  • Description Added: 2002-12-16
  • Description Modified: 2002-12-16

Malware Proliferation

This Apple Macintosh virus can spread and cause damage under System 6. Under System 7 and MultiFinder it can infect one file but cannot spread.

These viruses intercept 'OpenResFile' and 'MountVol' system traps.

If MountVol is called for a disk drive, this virus searches the first sector of track 16 for the string $16+"%%S" at offset 8 from the beginning of the sector (this works only with 400k and 800k floppies). If this string is found, the virus executes the code in that sector via a JSR call. (No such code has been discovered yet.)

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected emails (usually in BinHex format) are currently either deleted or quarantined, depending on the configuration of the mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

Infection occurs when an infected application is run to access memory, or through use of OpenResFile. The virus then appends its body to the CODE 1 resource and modifies the jump table to point to it. These viruses infect all applications that have CODE 0 and CODE 1 resources, provided the size of the old CODE 1 plus the virus is less than or equal to 32768 bytes.

If a system already infected with the ANTI-B variant (which appeared in Sep 1990) becomes infected with the ANTI-ANGE strain, they combine to form the ANTI-Variant infection.

The strings "ANTI" and "#000001" can be found in the CODE 1 resource.

ANTI-ANGE/Variant: CODE 1 is increased by 1348 bytes.
ANTI-B: CODE 1 is increased by 1144 bytes.
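
The marker strings above can be checked for directly in a file's resource fork. The following Python sketch is an added example, not code from this description or from Virex: it walks the classic resource map, extracts CODE 1, and reports which of the two strings are present. It assumes the raw resource fork bytes have already been extracted (for example from a BinHex-decoded attachment); `read_resource`, `anti_markers` and `build_sample_fork` are hypothetical names, and the sample fork is constructed.

```python
import struct

MARKERS = (b"ANTI", b"#000001")  # strings the page reports in an infected CODE 1

def read_resource(fork, rtype, rid):
    """Return the data of resource (rtype, rid) from a resource fork, or None."""
    try:
        data_off, map_off = struct.unpack_from(">II", fork, 0)
        # The type list offset sits 24 bytes into the resource map.
        tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        ntypes = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as n-1
        for i in range(ntypes):
            t, n, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
            if t != rtype:
                continue
            for j in range(n + 1):  # reference entries are 12 bytes each
                res_id, _name, attr_off = struct.unpack_from(
                    ">hHI", fork, tl + ref_off + 12 * j)
                if res_id == rid:
                    pos = data_off + (attr_off & 0xFFFFFF)  # low 24 bits: data offset
                    (size,) = struct.unpack_from(">I", fork, pos)
                    return fork[pos + 4:pos + 4 + size]
    except struct.error:  # truncated or malformed fork
        return None
    return None

def anti_markers(fork):
    """Return the marker strings found in CODE 1 (empty if clean or no CODE 1)."""
    code1 = read_resource(fork, b"CODE", 1)
    return [m for m in MARKERS if code1 and m in code1]

def build_sample_fork(code0, code1):
    """Constructed sample: a minimal fork holding only CODE 0 and CODE 1."""
    data, refs = b"", b""
    for rid, body in ((0, code0), (1, code1)):
        refs += struct.pack(">hHI", rid, 0xFFFF, len(data)) + b"\0" * 4
        data += struct.pack(">I", len(body)) + body
    # One type entry ("CODE", 2 resources stored as 1); refs start 10 bytes in.
    type_list = struct.pack(">H4sHH", 0, b"CODE", 1, 10) + refs
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    return struct.pack(">IIII", 16, 16 + len(data), len(data), len(rmap)) + data + rmap

if __name__ == "__main__":
    sample = build_sample_fork(b"\0" * 16, b"\x4e\x75" + b"ANTI" + b"#000001")
    print(anti_markers(sample))
```

A hit on both strings is an indicator to confirm with the scanner, not a verdict by itself, since a short string such as "ANTI" can occur in unrelated code.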