Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published:
Description created: 31 Dec 1998 03:00:00
Description updated: 26 Nov 2002 04:06:00
Malware type: VIRUS
Alias:
Spreading mechanism: UNKNOWN
Summary: None

AntiEXE

Spreading

The only way to become infected with this virus is to boot the machine with an infected diskette in the diskette drive. The virus is memory resident, meaning it places itself in memory and infects all diskettes used in the computer after infection. When the virus infects a diskette that is not write-protected, it moves the original boot sector to the last sector of the root directory or to a cluster marked "Bad". AntiExe overwrites the Master Boot Record (MBR) on the hard disk and saves the original on sector 13. The virus uses a "stealth" technique to make the infected boot sector look "clean" when it is checked while the virus is memory resident. The virus contains all the standard information for a normal MBR. If a user tries to boot the machine with an infected diskette, the hard disk will become infected, regardless of whether the boot was successful or not.
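An offline check for the MBR relocation described above, added here as an example and not part of the original description: it flags a raw disk image whose sector 13 holds an MBR-like sector with the same partition table as sector 0 but different boot code. It assumes 512-byte sectors, that "sector 13" means cylinder 0, head 0, sector 13 (LBA 12), and that the image was taken after booting from clean media, since the stealth routine hides the infection while the virus is resident. All function names and sample data are constructed for illustration.

```python
SECTOR = 512
BACKUP_LBA = 12             # assumption: "sector 13" = CHS 0/0/13 = LBA 12
PT_OFF, PT_LEN = 446, 64    # partition table position in a standard MBR

def looks_like_mbr(sec: bytes) -> bool:
    """55 AA boot signature plus a structurally plausible partition table."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)] for i in range(4)]
    # Status byte is 0x00 or 0x80; at least one entry has a partition type.
    return (all(e[0] in (0x00, 0x80) for e in entries)
            and any(e[4] != 0 for e in entries))

def check_image(image: bytes) -> str:
    """Classify sector 13 of a raw disk image relative to sector 0."""
    if len(image) < (BACKUP_LBA + 1) * SECTOR:
        return "too-short"
    live = image[:SECTOR]
    spare = image[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR]
    if not looks_like_mbr(spare):
        return "no-mbr-copy"
    if spare == live:
        return "identical-copy"
    if spare[PT_OFF:PT_OFF + PT_LEN] == live[PT_OFF:PT_OFF + PT_LEN]:
        return "relocated-mbr-suspected"  # same partitions, other boot code
    return "mbr-like-sector"

def make_mbr(code_fill: int) -> bytes:
    """Constructed sample MBR: filler 'boot code' and one active partition."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 15, 63, 99, 63, 0, 0, 0, 0, 0x20, 0, 0])
    return bytes([code_fill]) * PT_OFF + entry + bytes(48) + b"\x55\xaa"

def make_image(live: bytes, spare: bytes) -> bytes:
    """Constructed image: sector 0, eleven empty sectors, sector 13, padding."""
    return live + bytes(11 * SECTOR) + spare + bytes(4 * SECTOR)

if __name__ == "__main__":
    clean = make_image(make_mbr(0x90), bytes(SECTOR))
    moved = make_image(make_mbr(0xEB), make_mbr(0x90))
    print("clean image:", check_image(clean))
    print("image with displaced MBR:", check_image(moved))
```

A match is a lead for manual inspection rather than a verdict, since the check compares sector structure only and carries no virus signature.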

Payload Details

Only in two cases does the virus do any harm besides spreading. If the user presses Ctrl+Break while the virus is accessing a disk, it will overwrite eight sectors in all heads and tracks. In addition, AntiExe looks for and destroys a special file of 200.256 bytes (it is not known what file this is). On certain occasions AntiExe may redirect BIOS disk interrupt 13h to interrupt D3h, avoid some "Behavior Blocker" programs, and infect diskettes.

Analysis

n/a

Removal

Several variants of AntiEXE have been added after that.


Last Updated: 12 Nov 2015 11:06:11