-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  AntiEXE

Aliases:     D3, Newbug, New Bug, CMOS4

Infects:     MBR on first hard drive. DOS boot sector on floppy disks.

Disk Size:   1 sector.

Location:    MBR or boot sector. Original MBR is stored at cylinder 0, 
             sector 13, head 0. On floppy disks the virus accurately 
             calculates the last sector of the root directory, and 
             places the original boot sector there. 

Memory Size: The virus reserves 1k of memory by decrementing the available
             memory word at 40:13. On a 640k system the value will be 
             changed from 280h to 27Fh. Chkdsk will report 654336 bytes 
             (639k) of memory free.

Location:    In 1k reserved at top of conventional memory.

Special:     The virus is full stealth.

Effects:     Contains code to corrupt the MZ signature in an EXE file.

Trigger:     Detection of a specific EXE.

Messages:    None, but MZ is visible in the boot sector.

Bugs:        [unknown]

Origin:      Possibly Germany.    

Notes:       As sectors are read, a check is made for a specific EXE 
             file header. The "MZ" portion of the 8 test bytes is visible 
             in the boot sector at offset 30, unless the virus is resident,
             in which case the infected sector is stealthed.

             This "signature" is: 4D 5A 40 00 88 01 37 0F. No one in the 
             AV industry seems to know what EXE file this is. If found by 
             the virus, the MZ portion of that file will be corrupted.

             The virus copies the original interrupt 13h vector to the 
             vector for interrupt D3h, which it then uses. Hence the 
             alias "D3".
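
Added example (not part of the original WildList note): a check of a raw 512-byte sector image for the 8 test bytes quoted above, plus a decode of those bytes as the first four words of a DOS EXE header to show what the targeted file looks like. The function names, the constructed sample sector, and reading "offset 30" as decimal are assumptions made for illustration.

```python
import struct

SECTOR_SIZE = 512
# The 8 test bytes quoted in the Notes field.
TEST_BYTES = bytes.fromhex("4D 5A 40 00 88 01 37 0F")

def find_test_bytes(sector: bytes) -> int:
    """Offset of the 8 test bytes in one raw sector, or -1 if absent."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return sector.find(TEST_BYTES)

def decode_mz_prefix(prefix: bytes) -> dict:
    """Decode the first four little-endian words of a DOS EXE (MZ) header."""
    if len(prefix) < 8:
        raise ValueError("need at least 8 header bytes")
    magic, last_page_bytes, pages, relocs = struct.unpack_from("<2sHHH", prefix)
    if magic != b"MZ":
        raise ValueError("not an MZ header")
    # A last-page count of 0 means the final 512-byte page is full.
    size = pages * 512 if last_page_bytes == 0 else (pages - 1) * 512 + last_page_bytes
    return {"pages": pages, "last_page_bytes": last_page_bytes,
            "relocations": relocs, "image_size": size}

def reserved_kb(mem_word: int, installed_kb: int = 640) -> int:
    """KB missing from the memory-size word at 40:13 (1 for 27Fh on 640k)."""
    return installed_kb - mem_word

def make_sample_sector(offset: int = 30) -> bytes:
    """Constructed test input: zero-filled sector carrying only the test bytes."""
    sector = bytearray(SECTOR_SIZE)
    sector[offset:offset + len(TEST_BYTES)] = TEST_BYTES
    sector[510:512] = b"\x55\xAA"  # standard boot-sector signature
    return bytes(sector)

if __name__ == "__main__":
    sample = make_sample_sector()
    print("test bytes at offset:", find_test_bytes(sample))
    print("target EXE header fields:", decode_mz_prefix(TEST_BYTES))
    print("KB reserved at 27Fh:", reserved_kb(0x27F))
```

Take the sector image after booting from clean media: as noted above, the infected sector is stealthed while the virus is resident, so a read on a running infected system returns the original sector.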


