| Alias: | Anticmos |
| Strain: | AntiCMOS strain |
| detected when: | |
| where: | |
| Classification: | Master-boot record (HD) infector, DBR (Floppy) infector, re |
| Length: | 2 kilobyte(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PCs |
| Caroname: | AntiCMOS.A |
Attributes | |
| Easy identification: | |
Type of Infection: | |
| Infection Technique: | |
| Infection Trigger: | Floppies: (INT 13/AH=02, INT 13/AH=03) and (last read/write more than 28 secs ago). Hard disk: boot from infected floppy |
| Storage Media affected: | Hard disks, diskettes |
| Interrupts hooked: | 13/AH=02 13/AH=03 {only floppy disks} |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: Permanent: Corrupts the CMOS-RAM entry for floppy disks and deletes the entry for installed hard disks (see section COMMENTS!) |
| Damage Trigger: | Transient: Permanent: ([0:046Dh] - [CS:0003] >= 2) and (([0:046Dh] * 256 + [0:046Dh]) < 2); see section COMMENTS! |
| Particularities: | The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. At bootup with floppy disks the system hangs because the virus tries to load the original boot sector, which was not saved at infection time. The trigger for permanent damage is never TRUE, so the payload routine will never be executed. AntiCMOS is a poorly written virus whose programming was never finished. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | BSI (GISA) / V2, Hubert Schmitz |
| Documentation by: | BSI (GISA) / V2, Hubert Schmitz |
| Date: | 1995-03-07 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg