AntiEXE

From Wikipedia, the free encyclopedia

AntiEXE, also known under the aliases NewBug, D3, and CMOS4,[1]:D7 was a boot sector virus isolated in France in September 1993 that later became common worldwide in the 1990s and early 2000s.[2] The virus infects the master boot record of hard drives and the boot sectors of floppy disks, while its payload targets a specific, unidentified .exe file, hence the name.

Malware details
Aliases:
  • NewBug
  • D3
  • CMOS4
Type: Virus
Subtype: Boot sector virus
Isolation date: September 1993
Origin: Unknown (suspected Russia)
Author: Unknown
Technical details
Platforms:

Infection

AntiEXE infects the master boot record (MBR) of hard disks and the boot sectors of floppy disks. Infection begins during booting, when the BIOS loads the compromised boot sector into memory at address 0000:7C00h. Upon execution, the virus intercepts the interrupt vector table by redirecting INT D3h, a seldom-used handler reserved for the IBM PC's ROM BASIC, to INT 13h. It then allocates a private stack and reduces the total reported system memory by 1 KB in order to hide its code. This stealth technique is common among early boot viruses, most notably the Stoned virus, which subtracted 2 KB.[3]:11

Once resident, AntiEXE loads a replacement INT 13h handler to monitor disk activity and copies itself to the upper memory area. If the system is booting from an infected hard drive, the virus reads the original MBR and passes control to it to allow the boot process to appear normal.[3]:11 If the hard drive is not yet infected, AntiEXE replaces the disk's MBR with its own code while preserving the original partition table at cylinder 0, sector 13, head 0.[3]:11[4] Although this process imparts a slight delay in the boot sequence, it is generally imperceptible to the end user. The replacement INT 13h handler includes specific directives to ignore calls to INT F9h, a behavior hypothesized to attempt to subvert detection by a specific antivirus software.[3]:11

The virus primarily monitors INT 13h for service 02h (Read Sectors from Drive). On every read request, AntiEXE calculates a 3-in-256 chance of payload activation based on the system timer at address 0000:046Ch. As a stealth technique, when a read is directed at cylinder 0, sector 1, head 0, the virus returns the original boot sector to the requesting program instead of the viral code, effectively spoofing many antivirus and disk utilities.[3]:11 When infecting newly inserted floppy disks in drives A: and B:, the virus uses the BIOS parameter block to determine where to store the original boot sector.[3]:11–12 Because it fails to verify if that area of the disk is already in use, however, this often results in major data corruption to floppy disks.[3]:12
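The relocation described above (original MBR kept at cylinder 0, head 0, sector 13, partition table preserved, boot code replaced) gives a forensic analyst something concrete to look for in a disk image. The following is an added example, not code from the article or from any antivirus product; it assumes a flat raw image in which logical sector n starts at byte n * 512, and it builds its own clean and infected sample images inline.

```python
"""Forensic check for an AntiEXE-style stashed MBR in a raw disk image.

Added example; not code from the Wikipedia article. Assumptions: the image
is flat (logical sector n starts at byte n * 512), and the original MBR was
stashed at cylinder 0, head 0, sector 13 as the article describes. CHS
sectors are 1-based, so on head 0 of cylinder 0 that is logical sector 12
regardless of the drive geometry.
"""
import struct

SECTOR = 512
PTABLE_OFFSET = 0x1BE          # 4 x 16-byte partition entries
SIG_OFFSET = 0x1FE             # 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xAA"
STASH_CHS = (0, 0, 13)         # where the article says the original MBR is kept


def chs_to_lba(cyl, head, sector, heads=2, sectors_per_track=18):
    """Classic CHS -> LBA; the geometry only matters beyond cylinder 0, head 0."""
    return (cyl * heads + head) * sectors_per_track + (sector - 1)


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_mbr(sector):
    return len(sector) == SECTOR and sector[SIG_OFFSET:] == BOOT_SIGNATURE


def check_image(image):
    """Compare sector 0 with the stash sector and report what an analyst would look at."""
    mbr = read_sector(image, 0)
    stash = read_sector(image, chs_to_lba(*STASH_CHS))
    findings = {
        "mbr_valid": looks_like_mbr(mbr),
        "stash_is_mbr": looks_like_mbr(stash),
        # the virus preserves the partition table, so both copies should agree on it ...
        "same_partition_table": mbr[PTABLE_OFFSET:SIG_OFFSET] == stash[PTABLE_OFFSET:SIG_OFFSET],
        # ... while the boot code in sector 0 has been replaced
        "code_differs": mbr[:PTABLE_OFFSET] != stash[:PTABLE_OFFSET],
    }
    findings["suspicious"] = all(findings.values())
    return findings


def build_mbr(code, ptable):
    """Assemble a 512-byte MBR from boot code, a 64-byte partition table and the signature."""
    code = code.ljust(PTABLE_OFFSET, b"\x00")[:PTABLE_OFFSET]
    return code + ptable + BOOT_SIGNATURE


def constructed_images(total_sectors=32):
    """Return (clean, infected) images built inline for the demonstration."""
    # one bootable FAT16 entry (type 0x06) starting at LBA 63; the values are made up
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0C", 63, 100_000)
    ptable = entry + b"\x00" * 48
    original = build_mbr(b"\xEB\x3C\x90" + b"LEGIT BOOT CODE", ptable)
    replaced = build_mbr(b"\xEB\x3C\x90" + b"SOMETHING ELSE", ptable)

    clean = [original] + [b"\x00" * SECTOR] * (total_sectors - 1)
    infected = list(clean)
    infected[chs_to_lba(*STASH_CHS)] = original   # original MBR moved aside
    infected[0] = replaced                        # sector 0 now holds other code
    return b"".join(clean), b"".join(infected)


if __name__ == "__main__":
    clean, infected = constructed_images()
    print("clean:   ", check_image(clean))
    print("infected:", check_image(infected))
```

Two caveats follow from the article itself. Because the resident virus answers BIOS reads of cylinder 0, sector 1, head 0 with the original boot sector, an image taken while booted from the infected disk would show a clean sector 0; the disk has to be imaged from a known-clean boot environment. And a sector-12 copy of the MBR is only suspicious in combination with a changed sector 0, which is why the check requires all four findings rather than any one of them.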

AntiEXE's payload is specifically designed to target a particular, unidentified .exe file. When the payload is active, the virus examines the header of every sector read via INT 13h; if it matches the signature of an .exe file exactly 200,768 bytes in length with 3,895 relocations, the virus corrupts the file's header. This prevents the file from loading or being copied correctly. While research has suggested the intended target may have been a Russian antivirus software package, which would explain the peculiar handling of INT F9h, this remains unconfirmed.[3]:12
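The payload's trigger condition is a property of the DOS .exe (MZ) header: the declared file length is derived from the page count and last-page byte count, and the relocation count is a separate header word. The following added example, not code from the article, parses those fields from a 512-byte sector and scans an image for sectors matching the profile the article gives (exactly 200,768 bytes, 3,895 relocations). Since the article does not say how the header is altered, the scan only locates candidate files so they can be compared against a known-good copy; the sample sectors are constructed inline.

```python
"""Locate sectors whose MZ header matches the file profile AntiEXE's payload targets.

Added example; not code from the Wikipedia article. It takes the article's
description literally: a DOS .exe header declaring a file of exactly
200,768 bytes with 3,895 relocation entries. Sample sectors are constructed
inline. How the virus corrupts the header is not described, so this only
finds candidate files to compare against a known-good copy.
"""
import struct

PAGE = 512
MZ_MAGIC = b"MZ"
TARGET_SIZE = 200_768
TARGET_RELOCS = 3_895
# MZ header fields after e_magic, in order (13 little-endian words)
FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
          "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_mz_header(sector):
    """Return the header fields as a dict, or None if the sector is not an MZ header."""
    if len(sector) < 28 or sector[:2] != MZ_MAGIC:
        return None
    return dict(zip(FIELDS, struct.unpack_from("<13H", sector, 2)))


def declared_size(header):
    """File length from e_cp (512-byte pages) and e_cblp (bytes used in the last page)."""
    if header["e_cblp"] == 0:
        return header["e_cp"] * PAGE
    return (header["e_cp"] - 1) * PAGE + header["e_cblp"]


def matches_target_profile(sector):
    header = parse_mz_header(sector)
    return (header is not None
            and declared_size(header) == TARGET_SIZE
            and header["e_crlc"] == TARGET_RELOCS)


def scan_image(image):
    """Return the logical sector numbers of every sector matching the profile."""
    return [n for n in range(len(image) // PAGE)
            if matches_target_profile(image[n * PAGE:(n + 1) * PAGE])]


def build_mz_sector(size, relocs):
    """Constructed MZ header with the given declared size and relocation count."""
    pages, rem = divmod(size, PAGE)
    e_cp = pages + (1 if rem else 0)
    # remaining words (header paragraphs, allocation, stack, checksum, entry, reloc offset, overlay) are filler
    words = (rem, e_cp, relocs, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    return (MZ_MAGIC + struct.pack("<13H", *words)).ljust(PAGE, b"\x00")


def constructed_image():
    """Eight sectors: a target-profile header at sector 3, look-alikes elsewhere."""
    sectors = [b"\x00" * PAGE] * 8
    sectors[1] = build_mz_sector(TARGET_SIZE, TARGET_RELOCS - 1)  # right size, wrong relocs
    sectors[3] = build_mz_sector(TARGET_SIZE, TARGET_RELOCS)      # the profile the payload looks for
    sectors[5] = build_mz_sector(TARGET_SIZE + PAGE, TARGET_RELOCS)
    sectors[6] = build_mz_sector(PAGE * 4, 0)                     # size a multiple of 512, e_cblp == 0
    return b"".join(sectors)


if __name__ == "__main__":
    print(scan_image(constructed_image()))   # → [3]
```

For the target size, 200,768 = 392 * 512 + 64, so a matching header carries e_cp = 393 and e_cblp = 64; the e_cblp == 0 branch matters for files whose length is an exact multiple of 512, where e_cp alone gives the size.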

Spread

AntiEXE was first isolated in France in September 1993. Although most computer virus researchers speculate that AntiEXE originated from Russia, François Paget of McAfee posits that it was programmed by a Parisian hacker. It was among the top three most common computer viruses detected in France from 1994 to 1995.[5]:11 By mid-1994, according to the Virus Bulletin, it was epidemic worldwide.[6]:15 Per Symantec in 1996 and Dr Solomon in 1998, it was the third most common computer virus.[7]

PC World in early 1999 noted that AntiEXE and Form were still flourishing, although they were "golden oldies" compared to the then-burgeoning viruses distributed through the Web.[8]:125

Incidents

Across the United States, the virus caused numerous local outages and led to minor municipal controversies. Throughout 1994, AntiEXE had infected most of the desktop computers at both the Carilion Clinic and the City Council in Roanoke, Virginia, causing panics over data loss.[1]:D7 In March 1995 at a recordkeeping company in Cincinnati, Ohio, the virus was detected at a workstation that was handling floppy disks for hundreds of customers in Greater Cincinnati.[9] In May 1995 in Republic, Washington, AntiEXE caused a fracas during a protracted land-use planning debate in Ferry County, after a floppy disk prepared by local environmentalists—containing data intended to support their position against resource industries being the primary source of revenue for the county—was infected with AntiEXE and spread to a county computer containing the comprehensive plan in favor of the land use by those industries. Representatives from the county called it a deliberate act of sabotage, while the environmentalists said the disk was infected inadvertently.[10] In May 1999, AntiEXE crippled the entire computer network for San Juan County, Washington, for nearly a week, leading to service disruptions.[11]

AntiEXE also affected the IT industry in a number of notable incidents. In January 1995, the software vendor SunGard inadvertently distributed dozens of copies of their CBR disaster recovery software on floppy disks infected with AntiEXE to customers in Greater Philadelphia. Officials at SunGard determined that the virus had infected a master disk used in mass duplication.[12][13] In June 1995, Merriam-Webster issued a recall of 2,500 packages containing the Windows-only versions of their Collegiate Dictionary and Collegiate Thesaurus reference software after it was discovered that the master disk used in mass duplication was infected with AntiEXE and had infected all copies.[14][15] In September 1997, Toshiba America Information Systems issued a bulletin announcing that less than one percent of their notebook computers manufactured in August had been infected with AntiEXE during final end-user testing at their facility in Orange, California.[16][17] The virus only affected users who opted to install Windows for Workgroups 3.11 on their notebooks, as its successor Windows 95 eradicates the virus during the installation process.[18]
