ANTI (computer virus)

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.^[1][2]

ANTI
Alias	ANTI-0, ANTI-A, ANTI-ANGE, ANTI-B, Anti-Variant
Type	Macintosh
Subtype	Application infector, copy protection
Classification	Virus
Isolation date	1989-02 (ANTI-A), 1990-09 (ANTI-B)
Origin	France
Authors	Unknown
Technical details
Platform	System 6 and older running Finder
Size	1,352 bytes (ANTI-A), 1,152 bytes (ANTI-B)

The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run.^[3] Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.^[1][4][5]

Mode of operation

ANTI only infects applications^[6] (as opposed to system files), and therefore can only spread when an infected application is run.^[7] When such an application calls the OpenResFile function,^[8] the virus searches the computer for applications that fulfill all of the following criteria:

1. They have CODE (application code segment^[9]) resources with resource IDs 0 and 1
2. CODE 1 begins with a JSR instruction (generally the Main resource in a given application)^[10]
3. The application is not already infected with ANTI
4. The sum of the size of CODE 1 plus the size of the virus is less than or equal to 32,768 bytes^[8]

All matching applications are then infected by appending the virus to the CODE 1 resource^[11] and adding a corresponding entry to the application's jump table.^[2][8]

Variants

There are three strains of ANTI, with the following differences:

• ANTI-A: 1,344 bytes^[1] plus 8 byte jump table entry. The first version to be isolated, in France^[12] in February 1989.^[3][8] Searches for ANTI-B strains and converts them into ANTI-Variant.^[13]
• ANTI-B: 1,144 bytes^[14] plus 8 byte jump table entry. Discovered in France^[15] in September 1990.^[3] Despite the later discovery date, it is believed to be the earliest version of the virus.^[16] Also known as ANTI-0.
• ANTI-Variant: Discovered in September 1990.^[17] The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run.^[18][19] Also known as ANTI-ANGE.

Payload

All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk,^[8] and if so, reads the first sector (512 bytes^[20]) of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S".^[8] If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect.

Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme,^[10] which would detect the reorganisation caused by a standard filesystem copy.

Side Effects

During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory,^[13] particularly on older Macintoshes with 64 KiB ROMs.^[3]

Mitigation

Unlike preceding Macintosh viruses, ANTI can not be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus.^[1]

The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant (version 2.3 and later^[21]), Interferon, Virus Detective, or Virus Rx,^[22] while McAfee recommends Virex.^[8] However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state;^[5] only restoring from a virus-free backup is completely effective.^[11][13]

See also

• Extended Copy Protection, a later controversial copy-protection malware