%%File: VIRS0134.TXT
%%Name/Aliases: AntiEXE, Anti EXE, AntiEXE.A, D3, NewBug, CMOS4
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Memory resident; TSR., Stealth; actively hides from detection., Identified by a one-kilobyte memory loss during booting.
%%Damage: Corrupts hard disk partition table, Corrupts floppy disk boot sector, Possibly contains a destructive payload, Corrupts the image of certain EXE files
%%Size: Overlays boot sector, no increase
%%See Also: Genb
%%Notes: AntiEXE is detected by F-PROT 2.10c. Virhunt 4.0c and Scanv 106 call it a Generic Boot virus.

The virus hides in the boot sector of a floppy disk and moves the original boot sector to cyl 0, side 1, sector 15. On a hard disk the virus infects the partition table (the master boot record, sector 1 of track 0, head 0); the original partition table is moved to cyl 0, side 0, sector 13. These sectors are normally unused, so existing disk data is not overwritten when the virus installs itself. The virus is stealthy: it intercepts disk reads of the partition table and returns the original partition table instead of the virus code. You must boot the system without the virus in memory to see the actual virus code.

We do not yet know whether a destructive payload is attached to the virus, but the name AntiEXE is somewhat ominous. Frisk thinks that "it checks if a disk buffer being written to a disk starts with "MZ" (the EXE file marker), and then does something, but I have never disassembled the virus properly, so I'm not 100% sure..." No destructive behaviour has been observed.

An update to the above, extracted from VB: the payload specifically targets EXE files. It looks for an EXE file that is 200,768 bytes long and has 3895 relocation items. If both criteria are met, the image of the EXE header being read is corrupted. The corrupted file cannot be loaded, and any attempt to copy it produces a corrupted copy of the EXE file.
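The trigger criteria above (200,768 bytes, 3895 relocation items) are both visible in the DOS MZ header: e_cblp/e_cp encode the file size in 512-byte pages, and e_crlc holds the relocation count. The following is an added example, not code from the original entry and not the virus's own logic; it assumes the size test can be evaluated from the header fields alone (an assumption, since the entry does not say how the virus measures length) and shows how to check whether a given EXE, or a directory tree of them, matches the published target profile.

```python
import os
import struct

# Published trigger criteria for the AntiEXE payload (from the VB note on the page).
TARGET_SIZE = 200_768   # bytes
TARGET_RELOCS = 3895    # relocation items (e_crlc)

def mz_header_info(data: bytes):
    """Parse the fixed part of a DOS MZ header.

    Returns (size_from_header, reloc_count), or None if `data` is not an MZ image.
    The first 0x1C bytes of the header are enough for these fields.
    """
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    # e_cblp: bytes used in the last 512-byte page (0 means the page is full)
    # e_cp:   number of 512-byte pages, including the partial last one
    # e_crlc: number of relocation entries
    e_cblp, e_cp, e_crlc = struct.unpack_from("<HHH", data, 2)
    size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return size, e_crlc

def matches_antiexe_target(data: bytes) -> bool:
    """True if the header describes exactly the profile the payload looks for."""
    info = mz_header_info(data)
    if info is None:
        return False
    size, relocs = info
    return size == TARGET_SIZE and relocs == TARGET_RELOCS

def scan_tree(root: str):
    """Walk a directory tree and return the paths of EXE files matching the target profile."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(0x1C)
            except OSError:
                continue
            if matches_antiexe_target(head):
                hits.append(path)
    return hits

def build_mz_header(size: int, relocs: int) -> bytes:
    """Construct a minimal 64-byte MZ header whose size fields encode `size` bytes.

    This is a constructed fixture for testing the parser; it is not a real program.
    """
    pages, last = divmod(size, 512)
    if last:
        pages += 1
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<HHH", hdr, 2, last, pages, relocs)
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("matches AntiEXE target profile:", hit)
```

For the published target, 200,768 = 392 full pages plus 64 bytes, so the header must carry e_cp = 393 and e_cblp = 64; a file with the same length but a different relocation count, or vice versa, is not a match. The scanner reads only the first 0x1C bytes of each file, which is all the check needs.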
This method of operation and search suggests that the virus is designed to attack a specific application. It has been suggested that the target is a Russian anti-virus program, but that has not been confirmed yet. If we assume that AntiEXE is designed to attack a Russian anti-virus program, then the unusual way in which it handles Int 13h and F9h is explained. Every read call has a 3 in 256 chance of triggering the payload; the probability is derived from the least significant word of the BIOS timer tick count kept in the BIOS data area at 0000:046Ch.

Removal of the virus must be done under clean system conditions (re-boot from a clean, write-protected system floppy), since the stealth hook would otherwise hide the infected sector from any tool that reads it. On DOS 5.0 or later the command FDISK /MBR can be used; note that it rewrites only the boot code of the MBR and leaves the partition table bytes in sector 1 as they are. Otherwise, use a sector editor to retrieve the original MBR from track 0, sector 13, head 0 and put it back in its correct location at track 0, sector 1, head 0. The SYS command will remove the virus from a floppy disk. Since the original boot sector is still somewhere on the floppy, it is better to re-format the disk.

Warning: When AntiEXE is active, it infects diskettes in both the A and B drives. The virus performs a calculation to choose the location for the original boot sector and overwrites whatever is stored there with it, which can lead to loss of data, file corruption, etc.
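The sector-editor recovery described above (copy track 0, head 0, sector 13 back over track 0, head 0, sector 1) is mechanical enough to script against a raw disk image taken with dd from a clean boot. The following is an added example, not part of the original entry: it converts the CHS locations the entry gives into offsets in a raw image, sanity-checks that the stashed sector really looks like a partition table before touching anything, and restores it. The disk geometry, the constructed test image, and the filler bytes standing in for the virus sector are assumptions for the demonstration; the block never contains or reproduces virus code.

```python
import struct
import sys

SECTOR = 512

# Stash locations from the entry, as (cylinder, head, sector); sectors are 1-based.
HD_STASH = (0, 0, 13)      # hard disk: original partition table (MBR) moved here
FLOPPY_STASH = (0, 1, 15)  # floppy: original boot sector moved here

def chs_to_lba(cyl: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Convert a CHS address into a 0-based sector index into a raw image."""
    return (cyl * heads + head) * spt + (sector - 1)

def read_sector(img: bytes, lba: int) -> bytes:
    return bytes(img[lba * SECTOR:(lba + 1) * SECTOR])

def has_boot_signature(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa"

def partition_table_plausible(sec: bytes) -> bool:
    """Check the four 16-byte entries at offset 446: legal boot flags and at least one used entry."""
    entries = [sec[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    return any(e[4] != 0 for e in entries)  # byte 4 is the partition type; 0 means unused

def find_stashed_mbr(img: bytes, heads: int, spt: int, stash=HD_STASH):
    """Return (lba, sector) of a plausible original MBR at the stash location, else None."""
    lba = chs_to_lba(*stash, heads, spt)
    sec = read_sector(img, lba)
    if has_boot_signature(sec) and partition_table_plausible(sec):
        return lba, sec
    return None

def restore_mbr(img: bytearray, heads: int, spt: int, stash=HD_STASH) -> bool:
    """Copy the stashed original MBR back over sector 0 in place. True if sector 0 changed."""
    found = find_stashed_mbr(img, heads, spt, stash)
    if found is None:
        raise ValueError("no plausible original MBR at the expected stash location; do not write")
    _, original = found
    if read_sector(img, 0) == original:
        return False  # already clean (or FDISK /MBR style repair not needed)
    img[0:SECTOR] = original
    return True

# --- constructed fixtures (assumed geometry, not a real disk) ----------------------------
def make_clean_mbr() -> bytes:
    """A minimal MBR: placeholder boot code, one active FAT16 partition, 55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xfa\x33\xc0"  # placeholder bytes, not real boot code
    struct.pack_into("<B3sB3sII", mbr, 446,
                     0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x07", 63, 0x1F000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def make_infected_image(heads: int = 16, spt: int = 63) -> bytearray:
    """One cylinder of a disk: filler in sector 0 where the virus would sit, real MBR stashed at sector 13."""
    img = bytearray(SECTOR * heads * spt)
    filler = bytearray(b"\x90" * 510) + b"\x55\xaa"  # stands in for the infected sector
    img[0:SECTOR] = filler
    start = chs_to_lba(*HD_STASH, heads, spt) * SECTOR
    img[start:start + SECTOR] = make_clean_mbr()
    return img

if __name__ == "__main__":
    # Usage: restore_antiexe.py image.bin [heads] [sectors_per_track]
    path = sys.argv[1]
    heads = int(sys.argv[2]) if len(sys.argv) > 2 else 16
    spt = int(sys.argv[3]) if len(sys.argv) > 3 else 63
    with open(path, "rb") as f:
        data = bytearray(f.read())
    if restore_mbr(data, heads, spt):
        with open(path, "wb") as f:
            f.write(data)
        print("sector 0 restored from stashed MBR")
    else:
        print("sector 0 already matches the stashed MBR; nothing written")
```

With the entry's hard disk location, sector 13 of track 0, head 0 is LBA 12 regardless of geometry; the floppy location (cyl 0, side 1, sector 15) lands at LBA 32 on a 2-head, 18-sectors-per-track 1.44 MB diskette. The plausibility check matters because the entry says the floppy location is chosen by calculation: if the stash sector does not carry a 55AA signature and a sane partition table, the script refuses to write rather than stamp garbage over sector 0.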