AntiEXE Virus
Virus Name: AntiEXE
Aliases: CMOS4, NewBug
V Status: Common
Discovery: January, 1995
Symptoms: BSC; Master boot sector (partition table sector) altered;
decrease in total system & available free memory;
system will boot from hard disk if attempt made to boot from
non-system diskette; hard disk corruption;
.EXE file corruption
Origin: Russia
Eff Length: N/A
Type Code: BRhX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep,
NAV, NAVDX, VAlert, PCScan, ChAV
Removal Instructions: F-Prot
General Comments:
The AntiEXE virus was received in January, 1995, though it has been
reported from sites in North America for several months. It has
been reported as having originated in Russia. AntiEXE is a memory
resident stealth infector of diskette boot sectors as well as the
system hard disk master boot sector.

When the system is first booted from an AntiEXE infected diskette,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 1,024 bytes. Also at this time, the virus will
overwrite the system hard disk master boot sector with its viral code.

Once the AntiEXE virus is memory resident, it will infect diskettes
that are not write-protected by infecting the diskette boot sector.
The original boot sector will have been saved in the last sector of
the root directory.

AntiEXE is a full stealth virus. When memory resident, any attempt
to view or access the system hard disk master boot sector or a
diskette boot sector will result in the virus presenting the
uninfected sector. As such, anti-viral programs are unable to
detect the presence of the virus on diskette when the virus is
memory resident. The virus also prevents its removal from the
system when memory resident by blocking attempts to write to the
system hard disk master boot sector and diskette boot sectors.
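The check below is an added example, not part of the original entry: it looks for a boot sector relocated to the last root-directory sector of a FAT diskette image, using an image captured after booting from known-clean media, since the resident virus presents the uninfected sector. It assumes sector 0 of the image still carries a readable BIOS Parameter Block; the function names and the sample image are constructed for illustration.

```python
import struct

BOOT_SIG = b"\x55\xaa"  # signature at offset 510 of every PC boot sector


def last_root_dir_sector(boot: bytes) -> tuple[int, int]:
    """Return (LBA of the last root-directory sector, bytes per sector)."""
    # BPB fields at offset 11: bytes/sector, sectors/cluster, reserved
    # sectors, number of FATs, root entries; sectors per FAT is at 22.
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 11)
    (spf,) = struct.unpack_from("<H", boot, 22)
    if bps not in (512, 1024, 2048, 4096) or 0 in (nfats, root_entries, spf):
        raise ValueError("sector 0 does not carry a usable FAT12/16 BPB")
    root_start = reserved + nfats * spf
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return root_start + root_sectors - 1, bps


def looks_like_boot_sector(sector: bytes) -> bool:
    """Boot code opens with a JMP (0xEB or 0xE9) and ends with 55 AA.
    A directory sector ends with the high bytes of a file-size field,
    which cannot plausibly be 55 AA on a diskette."""
    return (len(sector) >= 512 and sector[0] in (0xEB, 0xE9)
            and sector[510:512] == BOOT_SIG)


def relocated_boot_sector(image: bytes) -> bool:
    """True if the last root-directory sector holds a boot sector."""
    lba, bps = last_root_dir_sector(image[:512])
    return looks_like_boot_sector(image[lba * bps:(lba + 1) * bps])


def make_floppy(relocate: bool) -> bytes:
    """Constructed 1.44 MB FAT12 image. Contains no virus code: the
    'relocated' variant only copies sector 0 into the root directory."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    boot[510:512] = BOOT_SIG
    img = bytearray(2880 * 512)
    img[0:512] = boot
    if relocate:
        lba, bps = last_root_dir_sector(bytes(boot))
        img[lba * bps:(lba + 1) * bps] = boot
    return bytes(img)


if __name__ == "__main__":
    for label, relocate in (("clean", False), ("relocated", True)):
        print(label, relocated_boot_sector(make_floppy(relocate)))
```

A hit is an indicator to investigate, not proof of AntiEXE specifically: any sector with boot-sector structure in that location is reported.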
This virus can be destructive under one circumstance. If the user
presses the key combination