%%File: VIRS0133.TXT
%%Name/Aliases: AntiCMOS, AntiCMOS.B, Lenart, Anti CMOS, xibin
%%Platform: PC/MS-DOS
%%Type: Boot sector., 
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Memory resident; TSR above TOM., Uses 2048 bytes above TOM, 
Norman reports 3K above TOM
%%Damage: Corrupts CMOS Configuration
%%Size: Overlays boot sector, no increase
%%See Also: 
%%Notes: CPAV calls it Lenart, F-Prot calls it AntiCMOS.B, Norman calls 
it xibin

AntiCMOS is a primitive floppy disk boot sector and hard disk partition 
sector infector.  It is buggy and causes unintentional hangs as well as 
its intended payload.  If the virus triggers, it destroys the setup 
configuration in the CMOS memory.  This may convince users that their 
hard disk has been wiped, but it is undamaged.  The sytem just doesn't 
know it is there anymore.  Restoring the setup information will bring it 
back.

You shouldn't need an anti-virus to clean this if you have DOS 5 or 6. 
Just clean-boot the computer and use FDISK /MBR to replace the partition 
sector code on the hard disk.

You also need to scan and clean all the floppy disks that have been in 
the machine(s).  

To clean floppies, copy the files off and reformat (with /u parameter to 
prevent unformatting), or use the SYS command (this won't work unless 
there is room for the DOS system files).

F-Prot 2.19 can detect and remove it.  Floppies that have had it removed 
are no  longer bootable (if they were before infection) . The virus does 
not save the old floppy boot sector. It can remove the virus from the 
hard disk partition table without any problems.

chkdsk shows  653,312 bytes of real memory without the virus there is  
655,360 bytes. The virus hides at TOM and moves the TOM down by    2,048 
bytes.

Norman reports that AntiCMOS.B or xibin uses 3K above TOM.  Hangs 
machine repeatedly and makes a zipping sound with a rising tone. The 
virus occupies a single sector on the floppy or hard disk and does not 
move the original sector.