Alias: | |
Strain: | |
detected when: | July 1990 |
where: | Netherlands |
Classification: | Program virus: COM, EXE and partition record (MBR) infector, |
Length: | 1040-1096 Bytes |
Preconditions | |
Operating System(s): | MS-DOS |
Version/Release: | |
Computer model(s): | IBM-PC, XT, AT and upwards, and compatibles |
Caroname: | Anthrax |
Attributes | |
Easy identification: | The following strings can be found in virus body: "(c) Damage Inc", "1990", "ANTHRAX" |
Type of Infection: | The virus infects COM and EXE files and the partition record (MBR). When an infected program is executed, the virus immediately infects the MBR but does NOT stay resident. A second copy of the virus is stored in the last 3 sectors of the hard disk, overwriting any data stored there. After having been started from the MBR, the virus becomes memory-resident until it has infected one file. It infects a file in the lowest branch of the current directory. Anthrax does NOT infect the boot record of a floppy or hard disk. |
Infection Technique: | |
Infection Trigger: | Execution of infected program. |
Storage Media affected: | |
Interrupts hooked: | INT 13h, INT 1Ah, INT 20h, INT 21h, INT 24h |
Stealth: | |
Tunneling/Selfprot: | |
Oligo/Polymorphism: | |
Encoding Method: | |
Damage: | Transient damage: --- Permanent damage: the virus overwrites the last 3 sectors of the hard disk (with its 2nd copy). |
Damage Trigger: | --- |
Particularities: | Virus V2100 installs ANTHRAX in the MBR, if it finds the second copy of ANTHRAX in last 3 sectors of the hard disk. |
Similarities: | --- |
Agents | |
Countermeasures: | F-PROT, SCAN, FindViru |
Standard means: | It is very important to clean the last 3 sectors of the hard disk. |
Acknowledgements | |
Location: | Virus Test Center, University Hamburg, Germany |
Classification by: | Matthias Jaenichen |
Documentation by: | Andrzej Kadlof, Virus Information Bank (Poland) |
Date: | 14-July-1992 |
Information Source: | Reverse engineering of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg