AntiCMOS.A
- Type: Virus
- SubType: Macro
- Discovery Date: 01/01/1999
- Length:
- Minimum DAT: 4002 (12/02/1998)
- Updated DAT: 4002 (12/02/1998)
- Minimum Engine: 5.1.00
- Description Added: 08/10/1999
- Description Modified: 08/10/1999 12:00 AM (PT)
Characteristics
The AntiCMOS.A virus was first listed as "In The Wild" on The WildList in June 1994. Reported by Richard Head - then Jade Corporation - as widespread in Japan, this virus has since grown common throughout the world.
As its payload, AntiCMOS.A attempts to modify CMOS information - such as the date, time, and hard drive type. Due to bugs in the virus, the payload does not activate in most modern computer systems.
AntiCMOS.A infects boot sectors on diskettes and master boot records on hard drives. Upon loading into memory, this virus reduces the top of DOS memory by 2K. As an example, on a DOS 6.20-based computer (where 640K of conventional memory is originally available), the memory reduction will result in 653,312 bytes being shown as available rather than 655,360. Please note that different computers may display different amounts of available conventional memory, depending on configuration.
An infected hard drive has its original master boot record overwritten with virus code. A copy of the original master boot record is moved to an alternate location. The alternate location is based on drive geometry.
Upon booting from an infected diskette, AntiCMOS.A installs itself to the hard drive master boot record. Upon booting an infected computer where DOS is the operating system, the virus loads and stays resident in memory. Like most memory-resident boot viruses running under DOS, AntiCMOS.A intercepts calls to Int13h, redirecting the call to its own code. When the virus is in memory - when it is able to intercept calls to Int13h - virtually any diskette access will result in its infection.
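The two observable effects described above, the 2K drop at the top of conventional memory and the master boot record being overwritten while a copy of the original is stashed elsewhere, lend themselves to simple integrity checks. The following is an added example, not code from the original AVERT description, showing how a responder could compare a reported conventional-memory figure against a baseline and compare a 512-byte MBR image against a trusted boot-code hash. All sector contents are constructed for the example and are not AntiCMOS code; the baseline of 655,360 bytes is the page's own figure.

```python
"""
Added example (not part of the original AVERT description): integrity checks
for the behaviour described above.

1. Conventional-memory check: a resident boot virus that lowers the top of DOS
   memory shows up as a base-memory figure below the machine's baseline
   (655,360 bytes on the page's example; 653,312 after a 2K reduction).

2. Master boot record check: parse a 512-byte sector image, validate the
   0x55AA boot signature, decode the four partition entries, and compare the
   446-byte boot code against a hash taken from a known-clean sector.
   A boot virus typically replaces the code but leaves the partition table
   intact so the system still boots, which is exactly what the hash catches.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def memory_shortfall(reported_bytes, baseline_bytes=655_360):
    """Bytes missing from the top of conventional memory (0 if none)."""
    return max(0, baseline_bytes - reported_bytes)


def parse_partition_entry(entry):
    """Decode one 16-byte MBR partition entry into a dict."""
    status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Validate the sector and return the boot-code hash plus partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:
                                            PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": entries}


def check_mbr(sector, trusted_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("boot code differs from trusted baseline "
                        "(possible boot-sector infection)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_sector(boot_code, partitions):
    """Assemble a constructed 512-byte MBR from boot code and partition tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype,
                                 b"\x00" * 3, lba_start, sectors)
                     for status, ptype, lba_start, sectors in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed sample data (stand-ins, not real boot code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40
PARTITIONS = [(0x80, 0x06, 63, 1_048_513)]   # one active FAT16 partition
CLEAN_MBR = build_sector(CLEAN_BOOT_CODE, PARTITIONS)
TRUSTED_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Tampered copy: boot code replaced, partition table left intact.
TAMPERED_MBR = build_sector(b"\xeb\x1c\x90" + b"\x00" * 50, PARTITIONS)

if __name__ == "__main__":
    print("memory shortfall (bytes):", memory_shortfall(653_312))
    print("clean MBR findings:", check_mbr(CLEAN_MBR, TRUSTED_HASH))
    print("tampered MBR findings:", check_mbr(TAMPERED_MBR, TRUSTED_HASH))
```

On a real machine the 512-byte image would come from a sector read of the first track taken while booted from known-clean media, since a resident boot virus that hooks Int13h can return the original sector to any reader that asks while it is in memory.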
Upon booting an infected computer where Windows 95 is the operating system, the virus will load itself into memory. However, because Windows 95 uses a specialized 32-bit disk driver, the virus is unable to replicate to other diskettes, even under a Windows DOS box. Once Windows 95 completes startup (more accurately, once VMM32.SYS loads), calls to Int13h are not made in the same fashion as under DOS; thus, while the virus still resides in the hard drive's master boot record, it is unable to replicate.
The following points should be noted:
1) Post-infection of a Windows 95 system, upon restarting Windows 95, the user may see the following Performance Warning:
The message indicates a change to the Int13h address - at least the Int13h address that was last being pointed to, as recorded by Windows 95. The message would appear when there is a change to the Int13h address, regardless of whether there was truly a physical change to the master boot record or not.
The Performance Warning message can be indicative of a virus; however, there are other valid reasons why it might appear (disk compression software, disk encryption software, etc.). The Performance Warning message box will appear only once; upon the next system restart, the message will not appear. If you see the message and did not expect to, it is best to investigate the reason behind it immediately.
2) While this specific variant does not have a [working] dangerous payload, other boot viruses might (for example, Michelangelo). As noted above, while Windows 95 effectively stops the virus from replicating, upon boot, the virus is still able to load. Viruses with payloads that are programmed to activate at the time of boot will in fact activate (for example, Michelangelo) regardless of the operating system installed to the hard drive. Before the operating system ever loads, the virus has the potential to cause damage. If you suspect a boot virus, do not rely on Windows 32-bit filesystem drivers to stop the payload from activating.
3) The Windows 95 32-bit disk driver can be disabled. In doing so, the system is placed in "DOS compatibility mode". Once in DOS compatibility mode, there are calls to Int13h. While the author of this document was unable to get the virus to replicate under Windows 95 - in theory - once Windows 95 is in DOS compatibility mode, the virus may once again have the ability to replicate.
Symptoms
Method of Infection
Removal
All Users :
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.
PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates :
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.
It is very common for macro viruses to disable options within Office applications; for example, in Word, the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.