AntiEXE.A
- Type: Virus
- SubType: Boot
- Discovery Date: 07/01/1993
- Length: 0
- Minimum DAT: 4002 (12/02/1998)
- Updated DAT: 4002 (12/02/1998)
- Minimum Engine: 5.1.00
- Description Added: 08/10/1999
- Description Modified: 12/10/2002 3:13 PM (PT)
Characteristics
The AntiEXE.A virus was first listed as "In The Wild" on The WildList in December 1993. Since that time, like all boot viruses, this virus has become increasingly rare.
Upon booting from an infected diskette, AntiEXE.A installs itself to memory and to the hard drive master boot record.
As its payload, AntiEXE.A targets and attempts to cause corruptions in a specific EXE file. Note the .EXE file AntiEXE.A attempts to corrupt has never been located.
While in memory, AntiEXE.A has read-stealth characteristics. If the user attempts to view the master boot record, what is shown is not the real master boot record. Instead, the virus reads the location where it stored a copy of the original, uninfected master boot record and displays that copy. AntiEXE.A saves the copy of the uninfected master boot record to physical location cylinder 0, sector 0, side 13. The virus is able to stealth itself both under DOS and under Windows 95, regardless of DOS compatibility mode (see the notes on DOS compatibility mode below).
AntiEXE.A infects boot sectors on diskettes and master boot records on hard drives. Upon loading into memory, the virus reduces the top of DOS memory by 1K. For example, on a DOS 6.20-based computer that originally has 640K of conventional memory available, the reduction results in 654,336 bytes being reported as available rather than 655,360. Note that different computers may report different amounts of conventional memory available, depending on configuration.
Upon booting an infected computer where DOS is the operating system, the virus loads and stays resident in memory. Like most memory-resident boot viruses running under DOS, AntiEXE.A intercepts calls to Int13h and redirects them to its own code. While the virus is in memory, and thus able to intercept calls to Int13h, virtually any diskette access will result in infection of that diskette.
Upon booting an infected computer where Windows 95 is the operating system, the virus loads itself into memory. However, because Windows 95 uses a specialized 32-bit disk driver, the virus is unable to replicate to other diskettes, even from a Windows DOS box. Once Windows 95 completes startup (more accurately, once VMM32.SYS loads), calls to Int13h are no longer made in the same fashion as under DOS; thus, while the virus still resides in the hard drive's master boot record, it is unable to replicate.
The following points should be noted:
1) Post-infection of a Windows 95 system, upon restarting Windows 95, the user may see the following Performance Warning:
The message indicates a change to the Int13h address, or at least to the Int13h address that Windows 95 last recorded. The message appears whenever the Int13h address changes, regardless of whether the master boot record itself was physically changed.
The message can be indicative of a virus; however, there are other valid reasons why it might appear (disk compression software, disk encryption software, etc.). The performance warning message box appears only once and will not appear on the next system restart. If you see the message and did not expect it, investigate the reason behind it immediately.
2) While this specific variant does not have a [working] dangerous payload, other boot viruses might (for example, Michelangelo). As noted above, while Windows 95 effectively stops the virus from replicating, the virus is still able to load at boot. Viruses with payloads that are programmed to activate at boot time will in fact activate (for example, Michelangelo) regardless of the operating system installed on the hard drive. Before the operating system ever loads, the virus has the potential to cause damage. If you suspect a boot virus, do not rely on the Windows 32-bit filesystem drivers to stop the payload from activating.
3) The Windows 95 32-bit disk driver can be disabled. In doing so, the system is placed in "DOS compatibility mode". Once in DOS compatibility mode, calls to Int13h are made again. This means, in theory, that the virus may once again be able to replicate. In the case of AntiEXE.A, the virus will in fact replicate in DOS compatibility mode (but only while Windows 95 is in compatibility mode).
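As an added example (not code from the original description or from McAfee's tools), the following Python script shows one offline check a responder can make for the stealth behaviour described above: reading a raw disk image directly (not through a possibly hooked Int13h) and looking for a second sector that carries the live MBR's partition table but different boot code, the footprint left when a boot virus parks the original MBR elsewhere. The sample image, the placement of the parked copy at LBA 13 and the boot-code strings are constructed placeholders; the page gives the real location only in CHS form.

```python
import struct

SECTOR = 512
PT_OFF, SIG_OFF = 446, 510  # offsets of the partition table and the 0xAA55 signature

def parse_mbr(sector):
    """Split a 512-byte sector into (boot_code, partition_table, signature)."""
    if len(sector) != SECTOR:
        raise ValueError("a sector must be exactly 512 bytes")
    return sector[:PT_OFF], sector[PT_OFF:SIG_OFF], struct.unpack_from("<H", sector, SIG_OFF)[0]

def looks_like_mbr(sector):
    """Valid signature, a non-empty partition table and only 0x00/0x80 status bytes."""
    _, table, sig = parse_mbr(sector)
    statuses = table[0::16]  # first byte of each of the four 16-byte entries
    return sig == 0xAA55 and any(table) and all(s in (0x00, 0x80) for s in statuses)

def find_relocated_mbr(image, max_sectors=64):
    """Scan LBA 1..max_sectors-1 of a raw image for a sector that carries the live
    MBR's partition table but different boot code: the pattern a stealth boot virus
    leaves when it parks the original MBR elsewhere. Returns [(lba, bytes_differing)]."""
    live_code, live_table, _ = parse_mbr(image[:SECTOR])
    hits = []
    for lba in range(1, min(max_sectors, len(image) // SECTOR)):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not looks_like_mbr(sec):
            continue
        code, table, _ = parse_mbr(sec)
        if table == live_table and code != live_code:
            hits.append((lba, sum(a != b for a, b in zip(code, live_code))))
    return hits

# --- constructed sample image (placeholder strings, not real malware code) ----
def build_sample_image():
    """64-sector image: fake 'infected' MBR at LBA 0, the original parked at LBA 13."""
    table = bytes([0x80, 1, 1, 0, 0x06, 254, 63, 15]) + struct.pack("<II", 63, 2_097_152)
    table = table.ljust(64, b"\x00")  # one active FAT16 entry, three empty entries
    original = b"ORIGINAL-BOOT-CODE".ljust(PT_OFF, b"\x90") + table + b"\x55\xAA"
    infected = b"STEALTH-LOADER-STUB".ljust(PT_OFF, b"\xCC") + table + b"\x55\xAA"
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = infected
    image[13 * SECTOR:14 * SECTOR] = original
    return bytes(image)

if __name__ == "__main__":
    print(find_relocated_mbr(build_sample_image()))  # constructed image: [(13, 446)]
```

On a real drive the image must come from an offline read (clean boot media or an imaging tool), since a resident stealth virus would otherwise hand back the parked copy for LBA 0.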
Symptoms
Total system memory decreases by 1,024 bytes. AntiEXE also targets and corrupts .EXE files of 200,256 bytes in length. This is the length of a Russian Anti-Virus program, so the virus may have been targeted against it.
Method of Infection
The most common way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.
Removal
Windows 95/98:
Note for Windows 9x systems: during the boot process, a Windows 95-created boot disk will access the hard drive for information. Because of this, an image of the virus may be in memory but not active.
To remove the virus, follow these steps:
- If you use the McAfee emergency disk, press F8 at the "Starting Windows 95" message and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the A:\ prompt, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM
Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus-free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean
Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.
This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.
Variants
- Antiexe.c
- Antiexe.d
All Information
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- NewBug, D3