Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

AntiCMOS.Boot

Threat level: Low threat
Damage: High
Distribution: Not widespread

At a glance

Common name: AntiCMOS.Boot
Technical name: Anticmos Boot
Threat level: Medium
Type: Virus
Effects: It prevents computers from starting up correctly.

Affected platforms: MS-DOS

First detected on: Nov. 22, 1994
Detection updated on: July 10, 2008
Statistics: No
Country of origin: SPAIN
Family: ANTICMOS

Brief Description

AntiCMOS.Boot is a boot virus that infects the boot sector of floppy and hard disks.

The hard disk is infected when the computer is booted from an infected floppy disk. From then on, all the floppy disks used on the system will be infected and the computer will have problems starting up.

AntiCMOS.Boot is programmed to delete the information on the CMOS and the configuration of the hard disk. However, due to internal programming errors, it never carries out these actions. For this reason, it is not considered a dangerous virus.

Visible Symptoms

The main indication that AntiCMOS.Boot has infected a computer is that it has problems starting up.

Tech details

Effects

When AntiCMOS.Boot is run, it infects the boot sector of floppy disks (Boot) and of hard disks (Master Boot Record or MBR), carrying out the following actions:
  • It overwrites the original boot sector with an infected copy.
  • It infects all the floppy disks used on the affected computer, provided that they are not write-protected.

Infection strategy

AntiCMOS.Boot follows the infection routine below:

  • It infects the computer when it is booted from a floppy disk infected by the virus.
  • From the infected floppy disk, AntiCMOS.Boot goes memory resident.
    It occupies 2 Kbytes in the TOM (Top Of Memory).
  • From the memory, AntiCMOS.Boot infects all the floppy disks used on the computer.
    In order to do this, it intercepts the interrupt INT13, which provides the BIOS services of the hard disk.
  • AntiCMOS.Boot checks if it is being run from the boot sector of a floppy disk or from the MBR of a hard disk.
    If it is being run from the boot sector, it reads the Master Boot Record of the hard disk in order to check if it is already infected. If it is not, AntiCMOS.Boot infects it.
  • AntiCMOS.Boot checks if a floppy disk is infected, whenever it is used. If it is not, it infects it.
    AntiCMOS.Boot infects all the floppy disks regardless of whether they are boot disks or not.
  • It replaces the MBR of the hard disk with an infected MBR.
  • It overwrites the hard disk, deleting the information in the boot sector of the hard disk (volume label, serial number, etc.).
  • It tries to start up the computer from the infected MBR. AntiCMOS.Boot does not change the Partition table, so the computer can be started up from a virus-free boot disk in order to access the hard disk and solve the configuration problems.
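
The routine above replaces the MBR boot code but leaves the Partition table intact. The following added example (not part of the original encyclopedia entry) shows how a defender can compare a saved 512-byte MBR sector against a known-good baseline and see which region changed. It assumes the standard MBR layout (boot code in bytes 0-445, four 16-byte partition entries in bytes 446-509, signature 55h AAh in bytes 510-511); the function names and sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446      # boot code occupies bytes 0..445
SIGNATURE_OFFSET = 510  # 0x55 0xAA marks a valid boot sector


def parse_partition_table(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # partition type 0 means the slot is unused
            entries.append({"slot": slot, "active": raw[0] == 0x80,
                            "type": raw[4], "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def compare_mbr(baseline, current):
    """Report which regions of the MBR differ from a known-good baseline."""
    parse_partition_table(baseline)  # validates the baseline length
    partitions = parse_partition_table(current)
    return {
        "boot_code_changed": baseline[:TABLE_OFFSET] != current[:TABLE_OFFSET],
        "partition_table_changed": (baseline[TABLE_OFFSET:SIGNATURE_OFFSET]
                                    != current[TABLE_OFFSET:SIGNATURE_OFFSET]),
        "signature_valid": current[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(current[:TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def build_sample_mbr(boot_fill):
    """Constructed sample sector: filler boot code plus one FAT16 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:TABLE_OFFSET] = bytes([boot_fill]) * TABLE_OFFSET
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x0f\x3f\x20", 63, 204800)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr(0x90)     # constructed baseline sector
    altered = build_sample_mbr(0xCC)  # same table, different boot code
    print(compare_mbr(good, altered))
```

A result with `boot_code_changed` true and `partition_table_changed` false matches the pattern described above: the boot code has been replaced, but the partition layout is still readable from a clean boot disk.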

Means of transmission

AntiCMOS.Boot only spreads through floppy disks following the infection routine below:

  • It infects the computer when it is booted from a floppy disk infected by the virus.
  • It infects all the floppy disks used on the affected computer. These floppy disks will then infect other computers.

Further Details

Other interesting characteristics of AntiCMOS.Boot are:

  • The name of the virus is related to the fact that it was originally programmed to write on the CMOS through ports 70h and 71h. As a result, it deleted all the information on the CMOS and the configuration of the hard disk.
  • However, due to programming errors in its code, AntiCMOS.Boot does not carry out these actions.
  • AntiCMOS.Boot comes from China and was first exported to Hong Kong in 1994. In 1995, it was also reported many times in North America for several months.
