ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ Icelandic 1 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Saratoga 1, Icelandic, One in Ten, Disk Crunching Virus. Date of Origin: June, 1989. Place of Origin: Iceland. Host Machine: PC compatibles. Host Files: Remains resident. Infects EXE files. Increase in Size of Infected Files: 642 bytes. A variant adds 656 bytes. Another grows by 671 bytes. File lengths after infection are divisible by 16. Nature of Damage: Affects system run-time operation. Corrupts program files. Detected by: Scanv56+, F-Prot, Pro-Scan. Removed by: CleanUp, Scan/D, or F-Prot. Scan Code: Infected files always end with 44 18 5F 19. You can also search at offset 0C6H for 2E C6 06 87 02 0A 90 50 53 51. The Icelandic virus was first detected in June, 1989, disassembled a week later, and the disassembly was made available around the beginning of July. The basic Icelandic virus is a resident EXE-file infector that infects every second EXE file executed, and sometimes will mark a free cluster on a hard disk as bad (the "damage" routine). The Icelandic virus will copy itself to the top of free memory the first time an infected program is executed. Once in high memory, it hides from memory mapping programs. If a program later tries to write to this area of memory, the computer will crash. If the virus finds that some other program has "hooked" Interrupt 13, it will not proceed to infect programs. If Interrupt 13 has not been "hooked", it will attempt to infect every 10th program executed. The virus attaches itself to the end of the programs it infects, and infected files will always end with "4418,5F19"H. On systems with 12-bit FATs (floppy drives or 10 MB hard disks), the virus will not cause any damage. However, on systems with 16-bit FATs (hard disks larger than 10 MB), the virus will select one unused FAT entry and mark the entry as a bad sector each time it infects a program. It is likely that as of this writing, the virus has not been detected outside of Iceland. Several variants are known, including Saratoga 2, Icelandic Virus Version 2, and MIX1. See also the table.<$&3 Icelandic> ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253