Threat description




AT is a resident file virus that occupies 144 bytes at 0000:0350 in the interrupt table. It attaches to the end of COM files. AT is one of the smallest resident viruses.

AT intercepts DOS function 4Bh (load program) and infects all executed programs that do not begin with 'M'. This way only "true" COM files are infected.

AT recognises itself in memory and on disk by comparing the first word of itself (8B60h) to where it would expect to find itself (at offset 0000:0350 in interrupt table or 140 bytes from the end of file).

Although virus occupies 144 bytes while resident, it is only 140 bytes on disk because it doesn't need to store the last 4 bytes -- these contain the address of a FAR CALL instruction which virus uses to pass the control back to DOS. The virus uses this internally by calling DOS via INT F7h which is where this doubleword is located in memory.

All kinds of other optimising tricks are used, such as addressing the INT 21h handler at 0035:0035 (eliminating some installation instructions). Wherever possible instructions are doing double or triple duty. There is no error checking, even if one of the DOS calls fails all the rest of them are still called as if no error had occurred.

All interrupts vectors from D4h to F6h are overwritten by this virus when it installs itself over the interrupt vector table. The virus actually hooks only INT 21h, though. Virus revectors original INT 21h to INT F7h for it's own use.

Virus relies on DOS setting up the SI register to be 100h when COM files are execute (this is almost always the case). AT virus also uses the PUSHA and POPA instructions which are not supported on the 8086.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

There are several minor variants of this virus. Their sizes range from 132 to 149 bytes.

Variant:AT II

A later variant of this virus. Smallest virus in this group is only 108 bytes long. Other variants' size varies between 114 and 122 bytes.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info