40Hex Issue 3                                                      0003

Anthrax

Well, this is turning out to be a tribute issue to the Dark Avenger. Here is another one of his better known viruses. This is a nice one cause it not only is a file infector, but it is also a sort of boot sector virus. It is also what I dubbed a reincarnation virus, meaning that even if you clean your system of it, it may still live, because it leaves a copy of itself on the last sector of the disk. The virus can be reincarnated by the V2100 virus, also by The Dark Avenger.

Well, Patti Hoffman (one of my favorite people on earth, not) wrote this virus up.

Aliases:
V Status: Rare [Not for long]
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+

General Comments:

The Anthrax Virus was isolated in July 1990 in the Netherlands after it was uploaded onto several BBSes in a trojan anti-viral program, USCAN.ZIP. It is the second virus to be found in a copy of UScan during July 1990, the first virus being V2100. Anthrax is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM.

The first time a program infected with the Anthrax virus is executed on the system's hard disk, the virus will infect the hard disk's partition table. At this point, the virus is not memory resident. It will also write a copy of itself on the last few sectors of the system's hard disk. If data existed on those last few sectors of the hard disk, it will be destroyed.

When the system is booted from the hard disk, the Anthrax virus will install itself memory resident. It will remain memory resident until the first program is executed. At that time, it will deinstall itself from being resident and infect one .COM or .EXE file.
This virus does not infect files in the current directory first, but instead starts to infect files at the lowest level of the disk's directory tree.

Later, when an infected program is executed, Anthrax will infect one .COM or .EXE file, searching the directory structure from the lowest level of the directory tree. If the executed infected program was located on the floppy drive, a .COM or .EXE file may or may not be infected.

The Anthrax Virus's code is 1,024 bytes long, but infected programs will increase in length by 1,040 to 1,279 bytes. On the author's test system, the largest increase in length experienced was 1,232 bytes. Infected files will always have an infected file length that is a multiple of 16.

The following text strings can be found in files infected with the Anthrax virus:

    "(c)Damage, Inc."
    "ANTHRAX"

A third text string occurs in the viral code, but it is in Cyrillics. Per Vesselin Bontchev, this third string translates to: "Sofia 1990".

Since Anthrax infects the hard disk partition tables, infected systems must have the partition table disinfected or rebuilt in order to remove the virus. This disinfection can be done with either a low-level format or use of the MDisk/P program for the correct DOS version after powering off and rebooting from a write-protected boot diskette for the system. Any .COM or .EXE files infected with Anthrax must also be disinfected or erased. Since a copy of the virus will exist on the last few sectors of the drive, these must also be located and overwritten.

Anthrax interacts with another virus: V2100. If a system which was previously infected with Anthrax should become infected with the V2100 virus, the V2100 virus will check the last few sectors of the hard disk for the spare copy of Anthrax. If the spare copy is found, then Anthrax will be copied to the hard disk's partition table.

It is not known if Anthrax carries any destructive capabilities or trigger/activation dates.

Here is the actual virus.
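The file-level indicators given in the write-up above (growth of 1,040 to 1,279 bytes, an infected length that is a multiple of 16, and the two text strings) can be combined into a quick triage check. This is an added example, not part of the original article or of any scanner it names; the function names, the baseline-size lookup and the sample buffers are assumptions made for illustration.

```python
"""Triage check built from the indicators in the write-up (added example)."""
from pathlib import Path

# Indicators quoted in the write-up above.
STRINGS = (b"(c)Damage, Inc.", b"ANTHRAX")
MIN_GROWTH, MAX_GROWTH = 1040, 1279      # bytes added to an infected file
TARGET_EXTS = {".com", ".exe"}           # the only file types it infects


def assess(name, data, baseline_size=None):
    """Return the list of write-up indicators that `data` matches.

    baseline_size (assumption) is the known-good size of the file, e.g. from
    a backup or an integrity database; pass None when no baseline exists.
    """
    hits = []
    if Path(name).suffix.lower() not in TARGET_EXTS:
        return hits
    found = [s.decode() for s in STRINGS if s in data]
    if found:
        hits.append("strings: " + ", ".join(found))
    if baseline_size is not None:
        growth = len(data) - baseline_size
        # Both conditions come from the write-up: growth range and 16-byte alignment.
        if MIN_GROWTH <= growth <= MAX_GROWTH and len(data) % 16 == 0:
            hits.append(f"grew {growth} bytes to a multiple of 16")
    return hits


def scan_tree(root, baselines=None):
    """Walk `root`; map each flagged file path to its indicator list."""
    baselines = baselines or {}          # {path string: known-good size}
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = assess(path.name, path.read_bytes(), baselines.get(str(path)))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Constructed buffers standing in for files; not real samples.
    clean = b"\x90" * 3000
    tail = (b"ANTHRAX" + b"(c)Damage, Inc.").ljust(1048, b"\x00")
    print(assess("TEST.COM", clean, 3000))         # no indicators
    print(assess("TEST.COM", clean + tail, 3000))  # strings + growth
```

This covers files only; the partition table and the spare copy on the last sectors of the disk, which the write-up says must be handled separately, are outside what it checks.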
Well if this is your first copy of 40Hex, let me explain how to compile it. First copy what is below with your editor. Then save it to a file called ANTHRAX.SCR. Then type at the command line - DEBUG