Anti-Tel Virus
Virus Name: Anti-Tel
Aliases: Telecom Boot
V Status: Rare
Discovery: June, 1991
Symptoms: BSC; decrease in total system and available memory; hard disk
overwritten; system slowdown
Origin: Spain
Eff Length: N/A
Type Code: BRtX - Resident Boot Sector & Master Boot Sector Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV,
IBMAV, NAVDX, VAlert, PCScan, ChAV
Removal Instructions: F-Prot, or M-Disk/P on hard disk and
DOS SYS on bootable diskettes
General Comments:
The Anti-Tel virus was submitted in June, 1991. It is from Spain.
Anti-Tel is a memory resident infector of the hard disk master boot
sector (partition table) and diskette boot sectors. It is extremely
destructive when it activates.
When a system is booted from a diskette infected with Anti-Tel,
the virus will install itself memory resident at the top of system
memory, but below the 640K DOS boundary. The DOS CHKDSK program
will indicate that total system and available free memory are 1,024
bytes less than expected. Interrupt 12's return will also
have been moved.
Once Anti-Tel is memory resident, it will infect the boot sector
of diskettes, as well as the hard disk master boot sector, when a
file is accessed on the disk.
On high density 1.2MB 5.25" diskettes, the original boot sector
will have been relocated to sector 28. The Anti-Tel viral code
will be located at sector 0, and continued in sector 27. Since
sectors 27 and 28 are the last two sectors of the root directory,
files may be lost when this portion of the root directory is
overwritten.
On double density 360K 5.25" diskettes, the original boot sector
will have been relocated to sector 11. The Anti-Tel viral code
will be located at sector 0, and continued in sector 10. Since
sectors 10 and 11 are the last two sectors of the root directory,
files may be lost when this portion of the root directory is
overwritten.
On hard disks, Anti-Tel infects the hard disk master boot sector
located at Side 0, Cylinder 0, Sector 1. The virus is continued
in the sector at Side 0, Cylinder 0, Sector 6. The original
master boot sector will be located at Side 0, Cylinder 0, Sector 7.
Data on the hard disk will be lost immediately upon infection only
if the disk had been initialized or formatted with a program that
placed data in these sectors, which are normally not used by DOS.
Anti-Tel is a stealth virus: it actively attempts to prevent
anti-viral programs from being able to detect it if the virus is
memory resident. However, there is a bug in this code, and it is
unsuccessful on diskettes. Anti-Tel does properly hide the master
boot sector infection, so if the virus is memory resident,
anti-viral utilities will not be able to detect Anti-Tel on the
master boot sector.
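The sector locations given above can be checked offline. The following is an added example, not part of the original entry: it looks for a boot-sector-like copy at the relocation sector in a raw image taken after booting from a clean, write-protected disk, so the stealth code is not active. The function names and sample images are hypothetical and constructed, and a hit indicates only that a boot sector copy sits where one should not, not that the virus is Anti-Tel.

```python
SECTOR = 512
# Image size -> zero-based logical sector that the description gives for the
# relocated original boot sector (the viral continuation is the sector before).
FLOPPY_RELOCATION = {360 * 1024: 11, 1200 * 1024: 28}
HARD_DISK_RELOCATION = 6  # Side 0, Cylinder 0, Sector 7 is LBA 6 (CHS sectors start at 1)


def looks_like_boot_sector(sector: bytes) -> bool:
    """Heuristic: 0x55 0xAA at offset 510 and a non-empty code area."""
    return (len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"
            and any(sector[:446]))


def relocated_boot_sector(image: bytes, hard_disk: bool = False):
    """Return the sector number holding a boot-sector-like copy, else None."""
    if hard_disk:
        target = HARD_DISK_RELOCATION
    else:
        target = FLOPPY_RELOCATION.get(len(image))
        if target is None:
            raise ValueError("not a 360K or 1.2MB diskette image")
    sector = image[target * SECTOR:(target + 1) * SECTOR]
    return target if looks_like_boot_sector(sector) else None


def build_sample(size: int, copy_at=None) -> bytes:
    """Constructed sample: blank media with a dummy boot sector at sector 0."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"      # short jump + NOP, as DOS boot sectors begin
    boot[510:512] = b"\x55\xaa"      # boot signature
    image = bytearray(size)
    image[0:SECTOR] = boot
    if copy_at is not None:          # simulate a relocated original boot sector
        image[copy_at * SECTOR:(copy_at + 1) * SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    for label, img, hd in [
        ("clean 360K", build_sample(360 * 1024), False),
        ("360K with copy at 11", build_sample(360 * 1024, 11), False),
        ("1.2MB with copy at 28", build_sample(1200 * 1024, 28), False),
        ("hard disk with copy at LBA 6", build_sample(64 * SECTOR, 6), True),
    ]:
        print(label, "->", relocated_boot_sector(img, hd))
```
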
This virus is very destructive when it activates after 400 system
boots. On the 400th system boot, it will display the following
message and overwrite the first two system hard disks with random
data:
"VIRUS ANTITELEFONICA (BARCELONA)"
Known variant(s) of Anti-Tel are:
Telecom Boot: Telecom Boot is the master boot sector virus which
occurs with infections of the Telecom virus. Telecom
Boot is very similar to Anti-Tel, with the major
difference being that it does not infect diskette boot
sectors like Anti-Tel. Since this variant of
Anti-Tel always occurs with Telecom file infections, it is
suggested that the system be powered off and rebooted
with a clean write-protected system disk and checked
for the Telecom virus.
See: Telecom