ANTHRAX Virus

Alias:
Strain:
Detected when:July 1990
Where:Netherlands
Classification:Program virus: COM, EXE and partition record (MBR) infector
Length:1040-1096 Bytes

Preconditions

Operating System(s):MS-DOS
Version/Release:
Computer model(s):IBM-PC, XT, AT and upwards, and compatibles
Caroname:Anthrax

Attributes

Easy identification:The following strings can be found in virus body: "(c) Damage Inc", "1990", "ANTHRAX"

Type of Infection:

The virus infects COM and EXE files and the partition record (MBR). When the virus code is executed, it immediately infects the MBR but does NOT stay resident. A second copy of the virus is stored in the last 3 sectors of the hard disk, overwriting any data stored there. After being started from the MBR, the virus becomes memory-resident until it has infected one file. It infects a file in the lowest branch of the current directory. Anthrax does NOT infect the boot record of a floppy or hard disk.

Infection Technique:
Infection Trigger:Execution of infected program.
Storage Media affected:
Interrupts hooked:INT13h, INT 1Ah, INT 20h, INT 21h, INT 24h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient damage: --- Permanent damage: virus overwrites last 3 sectors of hard disk (with its 2nd copy).
Damage Trigger:---
Particularities:Virus V2100 installs ANTHRAX in the MBR if it finds the second copy of ANTHRAX in the last 3 sectors of the hard disk.
Similarities:---

Agents

Countermeasures:F-PROT, SCAN, FindViru
Standard means:It is very important to clean the last 3 sectors of the hard disk.
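
Added example (not part of the original catalog entry): a check of a raw disk image for the identification strings in the two regions named above, the MBR and the last 3 sectors. A hit in the last 3 sectors with a clean MBR is the leftover state in which V2100 would reinstall ANTHRAX. Assumptions: 512-byte sectors, a dd-style raw image, and the strings stored unencoded; scan_image and build_sample are hypothetical helper names.

```python
import io

SECTOR = 512  # assumption: 512-byte sectors in a raw (dd-style) image
# Strings listed under "Easy identification". "1990" is left out on purpose:
# on its own it is too common to be a useful indicator.
MARKERS = (b"(c) Damage Inc", b"ANTHRAX")


def _hits(data):
    """Return the markers that occur in data, in MARKERS order."""
    return [m.decode() for m in MARKERS if m in data]


def scan_image(img):
    """Check the MBR and the last 3 sectors of a seekable binary stream.

    Returns {region_name: [markers found]} for regions with at least one hit.
    """
    img.seek(0, io.SEEK_END)
    size = img.tell()
    if size < 4 * SECTOR:
        raise ValueError("image too small to hold an MBR plus 3 trailing sectors")
    regions = {"mbr": (0, SECTOR),
               "last_3_sectors": (size - 3 * SECTOR, 3 * SECTOR)}
    found = {}
    for name, (offset, length) in regions.items():
        img.seek(offset)
        hits = _hits(img.read(length))
        if hits:
            found[name] = hits
    return found


def build_sample(sectors=64, mbr=b"", tail=b""):
    """Constructed test image: zero-filled, with optional bytes in MBR / tail."""
    buf = bytearray(sectors * SECTOR)
    buf[64:64 + len(mbr)] = mbr
    start = len(buf) - 3 * SECTOR + 100
    buf[start:start + len(tail)] = tail
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    clean = build_sample()
    leftover = build_sample(tail=b"ANTHRAX (c) Damage Inc")  # MBR cleaned, tail not
    print("clean   :", scan_image(clean))
    print("leftover:", scan_image(leftover))
```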

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Matthias Jaenichen
Documentation by:Andrzej Kadlof, Virus Information Bank (Poland)
Date:14-July-1992
Information Source:Reverse engineering of virus code

(c) 1996 Virus-Test-Center, University of Hamburg