ANTI is a computer virus affecting AppleMacintosh computers running classic Mac OS versions up to System 6. It is particularly notable for being the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources. The most commonly encountered strains of ANTI have only subtle effects, and thus can exist and spread indefinitely without being noticed until an antivirus application is run. Due to a bug in the virus, it cannot spread if MultiFinder is running, which prevents it from infecting System 7 and later versions of Mac OS as well as System 5 and 6 running MultiFinder.
Mode of operation
ANTI only infects applications, and therefore can only spread when an infected application is run. When such an application calls the OpenResFile function, the virus searches the computer for applications that fulfill all of the following criteria:
They have CODE resources with resource IDs 0 and 1
All matching applications are then infected by appending the virus to the CODE 1 resource and adding a corresponding entry to the application's jump table.
Variants
There are three strains of ANTI, with the following differences:
ANTI-A: 1,344 bytes plus 8 byte jump table entry. The first version to be isolated, in France in February 1989. Searches for ANTI-B strains and converts them into ANTI-Variant.
ANTI-B: 1,144 bytes plus 8 byte jump table entry. Discovered in France in September 1990. Despite the later discovery date, it is believed to be the earliest version of the virus. Also known as ANTI-0.
ANTI-Variant: Discovered in September 1990. The result of ANTI-A finding and modifying an ANTI-B strain. Causes the computer to hang when the infected application is run. Also known as ANTI-ANGE.
Payload
All strains carry a payload related to floppy disk access. When an infected application calls the MountVol function, the virus checks that the disk is actually a floppy disk, and if so, reads the first sector of track 16. Then the virus compares the text at an offset 8 bytes into that sector against the string $16+"%%S". If the text matches, the virus executes the code at offset 0 of the sector via a JSR. No disks containing a matching string are known to exist, so in practice this payload has no effect. Based on this search for an expected string at a specific location on the disk, Danny Schwendener of ETH Zurich hypothesised that ANTI had been intended to form part of a copy protection scheme, which would detect the reorganisation caused by a standard filesystem copy.
Side Effects
During infection, ANTI clears all resource attributes associated with CODE 1, which may cause the infected application to use more memory, particularly on older Macintoshes with 64 KiB ROMs.
Mitigation
Unlike preceding Macintosh viruses, ANTI can not be detected by specific resource names and IDs; a slower string comparison search is required in order to find signatures associated with the virus. The University of Hamburg's Virus Test Center recommends detection with an antivirus application such as Disinfectant, Interferon, Virus Detective, or Virus Rx, while McAfee recommends Virex. However, the loss of resource attributes means that removal of the virus does not restore the original application to its pristine state; only restoring from a virus-free backup is completely effective.