Threat Description

AT

Details

Aliases: AT
Category: Malware
Type: Virus
Platform: W32

Summary

AT is a resident file virus that occupies 144 bytes at 0000:0350 in the interrupt table. It attaches to the end of COM files. AT is one of the smallest resident viruses.

AT intercepts DOS function 4Bh (load program) and infects every executed program whose first byte is not 'M' (the first byte of the 'MZ' EXE header). This way only "true" COM files are infected.

AT recognises itself in memory and on disk by comparing the first word of itself (8B60h) to where it would expect to find itself (at offset 0000:0350 in interrupt table or 140 bytes from the end of file).
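As an added, defender-side illustration (not part of F-Secure's description or product), the following Python script applies the virus's own on-disk self-recognition test to a file's bytes: it reads the word 140 bytes from the end and compares it with 8B60h, and it also applies the 'M' first-byte rule from the infection routine. The sample files are constructed and contain no virus code; the in-memory check at 0000:0350 is not reproduced.

```python
import struct

AT_MARKER_WORD = 0x8B60   # first word of the virus body (from the description)
AT_DISK_LENGTH = 140      # bytes the virus appends to a host COM file


def has_at_marker(data: bytes) -> bool:
    """True if the word 140 bytes from the end of `data` equals 8B60h.

    This is the comparison AT performs to decide whether a file is already
    infected; a file shorter than 140 bytes cannot carry the body at all.
    """
    if len(data) < AT_DISK_LENGTH:
        return False
    (word,) = struct.unpack_from("<H", data, len(data) - AT_DISK_LENGTH)
    return word == AT_MARKER_WORD


def is_at_target(data: bytes) -> bool:
    """AT skips any program whose first byte is 'M' (the 'MZ' EXE header)."""
    return len(data) > 0 and data[:1] != b"M"


def classify(data: bytes) -> str:
    """Return 'marker' (marker present in a file AT would infect),
    'marker-not-com' (marker present but the file starts with 'M', which AT
    never infects, so most likely a coincidence) or 'clean' (marker absent)."""
    if not has_at_marker(data):
        return "clean"
    return "marker" if is_at_target(data) else "marker-not-com"


# Constructed samples: a tiny clean COM program, a long clean file, a padded
# file carrying 60 8B (8B60h little-endian) exactly 140 bytes from its end,
# and the same bytes behind an EXE-style 'MZ' header.
CLEAN_COM = b"\xb8\x00\x4c\xcd\x21"                      # mov ax,4C00h / int 21h
LONG_CLEAN = b"\x90" * 300
MARKED_COM = b"\xc3" * 200 + b"\x60\x8b" + b"\x90" * 138
MARKED_EXE = b"MZ" + MARKED_COM

if __name__ == "__main__":
    samples = [("CLEAN_COM", CLEAN_COM), ("LONG_CLEAN", LONG_CLEAN),
               ("MARKED_COM", MARKED_COM), ("MARKED_EXE", MARKED_EXE)]
    for name, data in samples:
        print(f"{name:11s} {len(data):4d} bytes -> {classify(data)}")
```

The word comparison is the virus's own heuristic, so any file that happens to hold 60 8B at that position also matches; treat a hit as a reason to scan the file with a real engine, not as proof of infection.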

Although the virus occupies 144 bytes while resident, it is only 140 bytes on disk because it does not need to store the last 4 bytes -- these contain the address of a FAR CALL instruction which the virus uses to pass control back to DOS. The virus uses this internally by calling DOS via INT F7h, which is where this doubleword is located in memory.

All kinds of other optimising tricks are used, such as addressing the INT 21h handler at 0035:0035 (eliminating some installation instructions). Wherever possible, instructions do double or triple duty. There is no error checking: even if one of the DOS calls fails, all the rest are still called as if no error had occurred.

All interrupt vectors from D4h to F6h are overwritten by this virus when it installs itself over the interrupt vector table. The virus actually hooks only INT 21h, though; it revectors the original INT 21h handler to INT F7h for its own use.

The virus relies on DOS setting the SI register to 100h when a COM file is executed (this is almost always the case). AT also uses the PUSHA and POPA instructions, which are not supported on the 8086.

There are several minor variants of this virus. Their sizes range from 132 to 149 bytes.


Variant: AT II

A later variant of this virus. The smallest virus in this group is only 108 bytes long; the other variants' sizes vary between 114 and 122 bytes.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.
