| Alias: | AntiCAD-4096, Invader Virus |
| Strain: | Jerusalem Virus Strain, ANTICAD Substrain |
| detected when: | August 1990 |
| where: | Australia |
| Classification: | Program (COM, EXE) & System (Boot, Master Boot) infector; me |
| Length: | 1) Length on media: 4,096 bytes on COM & BOOT; 4,096-4,111 bytes on EXE 2) Length in memory: 5,120 bytes |
| Preconditions | |
| Operating System(s): | MS-DOS and compatible OS |
| Version/Release: | MS-DOS 3.0 and upwards |
| Computer model(s): | IBM and compatible PCs |
| Caroname: | Jerusalem.AntiCAD.4096 |
| Attributes | |
| Easy identification: | Virus contains text: "NO SYSTEMDISK...PLEASE INSERT..." |
| Type of Infection: | Depending on type of victim: COM: prepending, but COMMAND.COM is not infected; EXE: appending, but ACAD.EXE is not infected; BOOT: any diskette without write protection; Master-BOOT: all hard-disk drives. |
| Infection Technique: | |
| Infection Trigger: | Any Load/Execute operation |
| Storage Media affected: | All kinds (disks, any diskette) |
| Interrupts hooked: | 08h (Timer), 09h (Keyboard), 13h (Disk), 21h (DOS calls), 24h (Critical error handler). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: the virus plays some music (variants may play noise) and the system is slowed down. Permanent: if CTRL-ALT-DEL is pressed while the music is playing, or while ACAD is loaded, *all information on all disks will be overwritten*; CMOS entries will be deleted. |
| Damage Trigger: | Transient damage: in the original ANTICAD virus, transient damage (playing music, system slowdown) is activated 30 minutes after the virus' activation. In ANTICAD variants, activation of transient damage (music/noise) may be delayed between 7 and 30 days. Permanent damage: one of the following activities will activate permanent damage (overwriting disk media, deleting CMOS entries): P1) pressing CTRL-ALT-DEL while music/noise is played; P2) execution of ACAD; P3) after about 4000 keystrokes. These effects may not be activated every time, as activation also depends on several internal triggers. |
| Particularities: | --- |
| Similarities: | Viruses in same (Jerusalem) strain, and esp. those in same (AntiCAD) substrain. |
| Agents | |
| Countermeasures: | According to their documentation, many antivirus products claim to recognise and eradicate the virus. |
| Standard means: | 1) Reboot from a clean, write-protected boot diskette. 2) Delete all infected files. 3) Use the SYS command to reinstall the BOOT sector. 4) Use FDISK /MBR to reinstall the Master-BOOT sector (MS-DOS 5.0 only). |
| Acknowledgements | |
| Location: | Virus-Test-Center, University Hamburg, Germany |
| Classification by: | Matthias Jaenichen |
| Documentation by: | Matthias Jaenichen |
| Date: | 31-January-1992 |
| Information Source: | Disassembly, "PC Viruses" by A.Solomon, "VSUM" (P.Hofmann) |
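The "Easy identification" field above gives a text string that a file scanner can look for. The following script is an added example, not part of the VTC catalogue entry or of any antivirus product: it searches file images for the two fragments of that string the page shows ("NO SYSTEMDISK" and "PLEASE INSERT"; the elided middle is unknown and is matched loosely) and, using the catalogue's length figures, reports whether the hit lies where a prepending COM infection or an appending EXE infection would place it. The sample file images are constructed padding with the marker embedded, not real virus code; the assumption that the marker is plain ASCII is mine.

```python
"""Scan file images for the identification string listed in the catalogue.

Added example, not the catalogue's own tooling.  Assumptions: the marker is
plain ASCII and the fragments "NO SYSTEMDISK" and "PLEASE INSERT" occur in
that order; the text between them is elided on the page, so it is matched
with a non-greedy wildcard.
"""
import re

# Fragments from the catalogue's "Easy identification" field.
MARKER = re.compile(rb"NO SYSTEMDISK.*?PLEASE INSERT", re.DOTALL)

# Length on media from the catalogue: 4,096 bytes on COM and boot sectors,
# 4,096-4,111 bytes on EXE (appending).
VIRUS_LEN_COM = 4096
VIRUS_LEN_EXE_MAX = 4111


def scan_bytes(data: bytes) -> dict:
    """Return a finding for one file image.

    region is "head" when the hit sits inside the first 4,096 bytes (where a
    prepending COM infection places the virus body), "tail" when it sits
    inside the last 4,111 bytes (appending EXE infection), else "middle".
    On hosts smaller than the virus body both windows overlap and "head"
    wins; such files need manual inspection.
    """
    m = MARKER.search(data)
    if not m:
        return {"infected": False}
    off = m.start()
    if off < VIRUS_LEN_COM:
        region = "head"
    elif off >= len(data) - VIRUS_LEN_EXE_MAX:
        region = "tail"
    else:
        region = "middle"
    return {"infected": True, "offset": off, "region": region}


def scan_paths(paths):
    """Scan files on disk; returns {path: finding}."""
    results = {}
    for p in paths:
        with open(p, "rb") as fh:
            results[p] = scan_bytes(fh.read())
    return results


# Constructed sample images (NOT real virus code): a 4,096-byte block of
# NOP padding with the marker embedded, and a dummy host program.
FAKE_BODY = b"\x90" * 2000 + b"NO SYSTEMDISK...PLEASE INSERT..." + b"\x90" * 2064
HOST = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 10000     # exits via INT 21h/4Ch
PREPENDED_COM = FAKE_BODY + HOST   # mimics the COM (prepending) case
APPENDED_EXE = HOST + FAKE_BODY    # mimics the EXE (appending) case
CLEAN = HOST

if __name__ == "__main__":
    for name, img in (("prepended.com", PREPENDED_COM),
                      ("appended.exe", APPENDED_EXE),
                      ("clean.com", CLEAN)):
        print(name, scan_bytes(img))
```

A string match of this kind is the "easy identification" the catalogue describes and nothing more: variants that alter the text will not be caught, and a hit only tells you where to look, so the "Standard means" row (clean boot, delete infected files, restore boot and Master-BOOT sectors) still applies once a file is flagged.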
(c) 1996 Virus-Test-Center, University of Hamburg