====== Computer Virus Catalog 2.0: AntiCAD Virus (31-January-1992) =======
Entry...............: AntiCAD Virus
Alias(es)...........: AntiCAD-4096 = Invader Virus
Virus Strain........: Jerusalem Virus Strain, ANTICAD Substrain
      detected when.: August 1990
              where.: Australia
Classification......: Program (COM, EXE) & System (Boot, Master Boot) infector
Length of Virus.....: 1) Length on media: 4,096 bytes on COM & BOOT;
                         4,096-4,111 bytes on EXE
                      2) Length in memory: 5,120 bytes
--------------------- Preconditions ---------------------------------------
Operating System(s).: MS-DOS and compatible OS
Version/Release.....: MS-DOS 3.0 and upwards
Computer model(s)...: IBM and compatible PCs
Caroname............: Jerusalem.AntiCAD.4096
--------------------- Attributes ------------------------------------------
Easy identification.: Virus contains text:
                         "NO SYSTEMDISK...PLEASE INSERT..."
Type of Infection...: Depending on type of victim:
                      COM: Prepending but COMMAND.COM not infected;
                      EXE: Appending but ACAD.EXE not infected;
                      BOOT: any diskette without write protection;
                      Master-BOOT: all HD-Drives.
Infection Technique.:
Infection Trigger...: Any Load/Execute operation
Storage Media affec.: All kinds (disks, any diskette)
Interrupts hooked...: 08h (Timer), 09h (Keyboard), 13h (Disk),
                      21h (DOS-Calls), 24h (error handler).
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Transient: the virus plays some music (variants may
                         play noise), and system is slowed down. This
                         routine activates
                      Permanent: If CTRL-ALT-DEL is pressed while music is
                         playing or ACAD is loaded, *all information on
                         all disks will be overwritten*. CMOS-entries
                         will be deleted.
Damage Trigger......: Transient damage: in original ANTICAD virus,
                         transient damage (playing music, system
                         slowdown) is activated 30 minutes after virus'
                         activation. In ANTICAD variants, activation of
                         transient damage (music/noise) may be delayed
                         between 7 and 30 days.
                      Permanent damage: one of the following activities
                         will activate permanent damage (overwriting
                         disk media, deleting CMOS entries):
                         P1) pressing CTRL-ALT-DEL when music/noise is
                             played;
                         P2) execution of ACAD;
                         P3) after about 4000 keystrokes.
                         These effects may not be activated every time
                         as activation also depends on several internal
                         triggers.
Particularities.....: ---
Similarities........: Viruses in same (Jerusalem) strain, and esp. those
                      in same (AntiCAD) substrain.
--------------------- Agents ----------------------------------------------
Countermeasures.....: According to their documentation, many antivirus
                      products claim to recognise and eradicate the virus.
Standard means......: 1) Reboot from clean bootdisk.
                      2) Delete all infected files.
                      3) Use SYS-Command to reinstall BOOT sector.
                      4) Use FDISK /MBR to reinstall Master-BOOT sector
                         (MS-DOS 5.0 only).
--------------------- Acknowledgements ------------------------------------
Location............: Virus-Test-Center, University Hamburg, Germany
Classification by...: Matthias Jaenichen
Documentation by....: Matthias Jaenichen
Date................: 31-January-1992
Information Source..: Disassembly, "PC Viruses" by A.Solomon, "VSUM" (P.Hofma
========================== End of AntiCAD Virus ===========================