Classification

Category: Malware

Type: Virus

Summary

AT is a resident file virus that occupies 144 bytes at 0000:0350 in the interrupt table. It attaches to the end of COM files. AT is one of the smallest resident viruses.

AT intercepts DOS function 4Bh (load program) and infects all executed programs that do not begin with 'M'. This way only "true" COM files are infected.

AT recognises itself in memory and on disk by comparing the first word of its own code (8B60h) with the word at the location where a copy would be: offset 0000:0350 in the interrupt table, or 140 bytes from the end of the file.

Although the virus occupies 144 bytes while resident, it is only 140 bytes on disk because it does not need to store the last 4 bytes. These contain the address of a FAR CALL instruction which the virus uses to pass control back to DOS. The virus uses this internally by calling DOS via INT F7h, which is where this doubleword is located in memory.

All kinds of other optimising tricks are used, such as addressing the INT 21h handler at 0035:0035 (eliminating some installation instructions). Wherever possible, instructions do double or triple duty. There is no error checking: even if one of the DOS calls fails, all the rest are still called as if no error had occurred.

All interrupt vectors from D4h to F6h are overwritten by this virus when it installs itself over the interrupt vector table. The virus actually hooks only INT 21h, though. It revectors the original INT 21h to INT F7h for its own use.

The virus relies on DOS setting up the SI register to be 100h when COM files are executed (this is almost always the case). The AT virus also uses the PUSHA and POPA instructions, which are not supported on the 8086.
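
The two self-recognition checks described above, written from a scanner's side as an added example; it is not part of the original description or of any F-Secure product code. It assumes the word 8B60h is read little-endian, as on x86, and that memory is supplied as a dump of segment 0000; the function names and sample buffers are constructed for illustration.

```python
import struct

MARKER = 0x8B60        # first word of the virus body, per the description
DISK_LEN = 140         # bytes appended to an infected COM file
RESIDENT_OFF = 0x350   # offset of the resident copy within segment 0000
RESIDENT_LEN = 144     # resident size; the last 4 bytes are the INT F7h slot


def word_at(buf, off):
    """Little-endian 16-bit word at off, or None when off is out of range."""
    if off < 0 or off + 2 > len(buf):
        return None
    return struct.unpack_from("<H", buf, off)[0]


def com_has_marker(image):
    """The on-disk test: marker word 140 bytes from the end of the file."""
    if image[:1] == b"M":          # files beginning with 'M' are never infected
        return False
    return word_at(image, len(image) - DISK_LEN) == MARKER


def ivt_has_marker(low_mem):
    """The in-memory test: marker word at 0000:0350."""
    return word_at(low_mem, RESIDENT_OFF) == MARKER


def overlapped_vectors():
    """Interrupt numbers whose 4-byte vector slots lie under the resident copy."""
    first = RESIDENT_OFF // 4
    return list(range(first, first + RESIDENT_LEN // 4))


def constructed_tail(host):
    """Constructed stand-in: host bytes plus a 140-byte tail that carries only
    the marker word followed by zero filler (no virus code)."""
    return host + struct.pack("<H", MARKER) + bytes(DISK_LEN - 2)


if __name__ == "__main__":
    host = b"\x90\xC3"                          # constructed 2-byte COM host
    print(com_has_marker(host), com_has_marker(constructed_tail(host)))
    print([f"{v:02X}h" for v in overlapped_vectors()])
```

A two-byte marker is a weak signature, so a hit from either check is a reason to run a full scanner, not a verdict.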

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

There are several minor variants of this virus. Their sizes range from 132 to 149 bytes.

Variant: AT II

A later variant of this virus. The smallest virus in this group is only 108 bytes long. The other variants' sizes vary between 114 and 122 bytes.