Icelandic virus
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
ICELANDIC SERIES
================
There are four versions of the Icelandic virus.
All infect EXE files only and they are easily distinguished by their
file lengths:
  632   One in two programs loaded are infected and one
        cluster is marked as bad on Hard Disks larger than
        20 MB
  642   Minor variant
  656   One in ten programs loaded are infected
  848   Displays message: "Gledileg jol" (Merry Christmas)
        if an infected program is run on 24th December.
==== Computer Virus Catalog 1.2: Icelandic#2 Virus (Sept. 20, 1989)=
Entry...............: "Icelandic virus" (Version #2)
Alias(es)...........:
Virus Strain........: Icelandic Virus
Virus detected when.: July 20 1989
              where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 632-647 bytes added to file
                      2. 2048 bytes in RAM
-------------------- Preconditions --------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
------------------- Attributes ------------------------------------
Easy Identification.: .EXE Files: Infected files end in 18 44 19 5F
                      (hex). System: Byte at 0:37F contains FF (hex)
Type of infection...: Extends .EXE files. Adds 632-647 bytes to the
                      end of the file. Stays resident in RAM, hooks
                      INT 21 and infects other programs when they are
                      executed via function 4B. It will remove the
                      Read-Only attribute if necessary, but it is not
                      restored. .COM files are not infected.
Infection Trigger...: Every tenth program run is checked. If it is an
                      uninfected .EXE file it will be infected.
Storage media affected: ---
Interrupts hooked...: INT 21
Damage..............: none
Damage Trigger......:
Particularities.....: The virus modifies the MCBs in order to hide
                      from detection. The INT 13 checking in the
                      Icelandic-1 has been removed. The virus uses
                      the name of the file to determine if it is an
                      .EXE file, but not the true type, as determined
                      by the first 2 bytes. The virus assumes the
                      program reserves all available memory (FFFF
                      paragraphs needed). Programs that do not will
                      cause a system crash when infected and run.
                      This virus is a version of the Icelandic-1
                      virus, modified so that it does not use INT 21
                      calls to DOS services. This is done to bypass
                      monitoring programs.
Similarities........:
------------------- Agents ----------------------------------------
Countermeasures.....: All programs which check for .EXE file length
                      changes will detect infections.
Countermeasures successful:
                      Detection of infection:
                        F-FCHK (from F.Skulason's F-PROT package)
                        VIRUSCAN
                      Prevention of infection: F-FCHK
                      Removal: F-FCHK
Standard means......: Use DEBUG to check the byte at 0:37F.
-------------------- Acknowledgement -------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: Sept 20, 1989
Information Source..:
==================== End of Icelandic#2-Virus ======================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
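
Added example (not part of the catalog entry or of any tool it names): a
Python check for the two file indicators the entry gives, the 18 44 19 5F
trailer and growth of 632-647 bytes against a previously recorded length.
The function names, indicator codes and sample images are constructed for
illustration.

```python
import os

TRAILER = bytes.fromhex("1844195F")  # "Infected files end in 18 44 19 5F (hex)"
GROWTH = range(632, 648)             # "Adds 632-647 bytes to the end of the file"

def check_exe(name, data, baseline_len=None):
    """Return the set of indicator codes found in one file image."""
    found = set()
    # The entry says the virus selects targets by file name, so do the same.
    if not name.lower().endswith(".exe"):
        return found
    if data[:2] not in (b"MZ", b"ZM"):   # DOS accepts either signature
        found.add("NOT_MZ")              # named .EXE, but not a true EXE image
    if data.endswith(TRAILER):
        found.add("TRAILER")
    if baseline_len is not None and len(data) != baseline_len:
        delta = len(data) - baseline_len
        found.add("GROWTH_MATCH" if delta in GROWTH else "LENGTH_CHANGED")
    return found

def verdict(found):
    """Four trailing bytes can occur by chance, so TRAILER alone is 'suspect'."""
    if {"TRAILER", "GROWTH_MATCH"} <= found:
        return "matches-entry"
    if found & {"TRAILER", "GROWTH_MATCH", "LENGTH_CHANGED"}:
        return "suspect"
    return "no-indicator"

def scan_tree(root, baseline):
    """Walk root; baseline maps relative path -> length recorded earlier."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                data = fh.read()
            found = check_exe(fn, data, baseline.get(rel))
            if found:
                report[rel] = (verdict(found), sorted(found))
    return report

# Constructed sample images (not real infected files).
CLEAN = b"MZ" + bytes(1022)
GROWN = CLEAN + bytes(636) + TRAILER   # 640 bytes longer, ends in the trailer
```

Without a recorded baseline length only the trailer can be tested, so such
hits are reported as "suspect" rather than "matches-entry".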