Well, this is turning out to be a tribute issue to the Dark
Avenger. Here is another one of his better known viruses. This is
a nice one cause it not only is a file infector, but it is also a
sort of boot sector virus. It is also what I dubbed a reincarnation
virus, meaning that even if you clean your system of it, it may
still live, because it leaves a copy of itself on the last sector of
the disk. The virus can be reincarnated by the V2100 virus, also bu
The Dark Avenger.
Well, Patti Hoffman (one of my favorite people on earth, not) wrote
this virus up.
Aliases:
V Status: Rare [Not for long]
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
General Comments:
The Anthrax Virus was isolated in July 1990 in the Netherlands after
it was uploaded onto several BBSes in a trojan anti-viral program,
USCAN.ZIP. It is the second virus to be found in a copy of UScan
during July 1990, the first virus being V2100. Anthrax is a memory
resident generic infector of .COM and .EXE files, including
COMMAND.COM.
The first time a program infected with the Anthrax virus is executed
on the system's hard disk, the virus will infect the hard disk's
partition table. At this point, the virus is not memory resident. It
will also write a copy of itself on the last few sectors of the
system's hard disk. If data existed on those last few sectors of the
hard disk, it will be destroyed.
When the system is booted from the hard disk, the Anthrax virus
will install itself memory resident. It will remain memory resident
until the first program is executed. At that time, it will deinstall
itself from being resident and infect one .COM or .EXE file. This
virus does not infect files in the current directory first, but
instead starts to infect files at the lowest level of the disk's
directory tree.
Later, when an infected program is executed, Anthrax will infect one
.COM or .EXE file, searching the directory structure from the lowest
level of the directory tree. If the executed infected program
was located on the floppy drive, a .COM or .EXE file may or may not
be infected.
The Anthrax Virus's code is 1,024 bytes long, but infected programs
will increase in length by 1,040 to 1,279 bytes. On the author's test
system, the largest increase in length experienced was 1,232 bytes.
Infected files will always have an infected file length that is a
multiple of 16.
The following text strings can be found in files infected with the
Anthrax virus:
"(c)Damage, Inc."
"ANTHRAX"
A third text string occurs in the viral code, but it is in Cyrillics.
Per Vesselin Bontchev, this third string translates to: "Sofia 1990".
Since Anthrax infects the hard disk partition tables, infected systems
must have the partition table disinfected or rebuilt in order to
remove the virus. This disinfection can be done with either a low-
level format or use of the MDisk/P program for the correct DOS
version after powering off and rebooting from a write-protected boot
diskette for the system. Any .COM or .EXE files infected with
Anthrax must also be disinfected or erased. Since a copy of the virus
will exist on the last few sectors of the drive, these must also be
located and overwritten.
Anthrax interacts with another virus: V2100. If a system which was
previously infected with Anthrax should become infected with the V2100
virus, the V2100 virus will check the last few sectors of the hard
disk for the spare copy of Anthrax. If the spare copy is found, then
Anthrax will be copied to the hard disk's partition table.
It is not known if Anthrax carries any destructive capabilities or
trigger/activation dates.
Here is the actual virus. Well if this is your fist copy of
40Hex, let me explain how to compile it.
First copy what is below with your editor. Then save it to a file
called ANTHRAX.SCR. Then type at the command line -
DEBUG <ANTHRAX.SCR
This will create a file called ANTHRAX.COM, that's the actual virus.
