|
NCSA Virus Report #71
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Icelandic 1 ?
???????????????????????????????
Synonyms: Saratoga 1, Icelandic, One in Ten, Disk Crunching Virus.
Date of Origin: June, 1989.
Place of Origin: Iceland.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects EXE files.
Increase in Size of Infected Files: 642 bytes. A variant adds 656 bytes.
Another grows by 671 bytes. File lengths after infection are divisible
by 16.
Nature of Damage: Affects system run-time operation. Corrupts program
files.
Detected by: Scanv56+, F-Prot, Pro-Scan.
Removed by: CleanUp, Scan/D, or F-Prot.
Scan Code: Infected files always end with 44 18 5F 19. You can also
search at offset 0C6H for 2E C6 06 87 02 0A 90 50 53 51.
The Icelandic virus was first detected in June, 1989, disassembled a
week later, and the disassembly was made available around the beginning
of July. The basic Icelandic virus is a resident EXE-file infector that
infects every second EXE file executed, and sometimes will mark a free
cluster on a hard disk as bad (the "damage" routine).
The Icelandic virus will copy itself to the top of free memory the
first time an infected program is executed. Once in high memory, it hides
from memory mapping programs. If a program later tries to write to this
area of memory, the computer will crash. If the virus finds that some
other program has "hooked" Interrupt 13, it will not proceed to infect
programs. If Interrupt 13 has not been "hooked", it will attempt to
infect every 10th program executed.
The virus attaches itself to the end of the programs it infects, and
infected files will always end with "4418,5F19"H.
On systems with 12-bit FATs (floppy drives or 10 MB hard disks), the
virus will not cause any damage. However, on systems with 16-bit FATs
(hard disks larger than 10 MB), the virus will select one unused FAT
entry and mark the entry as a bad sector each time it infects a program.
It is likely that as of this writing, the virus has not been detected
outside of Iceland. Several variants are known, including Saratoga 2,
Icelandic Virus Version 2, and MIX1. See also the table.<Note: Prepared
by Y. Radai, Hebrew University of Jerusalem.><$&3 Icelandic>
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
