Ice 9 Virus
Virus Name: Ice 9
Aliases: ARCV93
V Status: Rare
Discovered: October, 1992
Symptoms: .COM file growth; TSR; hidden files are no longer hidden
Origin: England
Eff Length: 639 Bytes
Type Code: PRsC - Resident Parasitic .COM Infector
Detection Method: Sweep, AVTK, F-Prot, ViruScan, PCScan, IBMAV, NAV, NAVDX,
VAlert, ChAV, Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The Ice 9 virus was isolated in England in October, 1992. Ice 9
is a memory resident infector of .COM programs, but not
COMMAND.COM.

The first time a program infected with the Ice 9 virus is executed,
the Ice 9 virus will install itself memory resident as a low system
memory TSR of 1,136 bytes. Interrupt 21 will be hooked by the
virus.

Once resident, Ice 9 will infect .COM programs other than
COMMAND.COM when they are executed or opened for any reason.
Infected programs will have a file length increase of 639 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be altered.
The following text string can be found at the very end of programs
infected with Ice 9:

"r51xP"

A symptom of an Ice 9 infection is that hidden programs and files
will no longer be hidden, and will be visible in the DOS disk
directory listing.

Known variant(s) of Ice 9:
Ice 9-159: Probably an earlier variant of the Ice 9 virus,
Ice 9-159 is a non-resident direct action infector of .COM
programs, including COMMAND.COM. It infects one .COM
program in the current directory each time an infected
program is executed. Infected programs increase in size by
159 bytes with the virus being located at the end of the
file. The seconds field in the file date and time in the
DOS disk directory listing will have been set to "00", and
in some cases, the file time will disappear from the disk
directory listing as a result. The following text string
is visible within the viral code in infected files:
"*.COM [159] ICE-9"
Ice 9-159 doesn't appear to do anything besides replicate.
Origin: England, March, 1993.

Ice 9-199: A later version of the Ice 9-159 variant, this
variant is also a non-resident direct action infector of
.COM programs, including COMMAND.COM. It infects one .COM
program in the current directory each time an infected
program is executed. Infected programs increase in size by
199 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not appear to be altered, but the seconds field
will have been set to "62". The following text strings are
visible within the viral code in infected files:
"[199] ICE-9"
"*.COM"
Ice 9-199 doesn't appear to do anything besides replicate.
Origin: England, March, 1993.

Ice 9-224: A later version of the Ice 9-199 variant, this
variant is also a non-resident direct action infector of
.COM programs, including COMMAND.COM. It infects one .COM
program in the current directory each time an infected
program is executed. Infected programs increase in size by
224 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is
visible within the viral code in infected files:
"[224] ICE-9 *.com"
System hangs may occur when infected programs are executed.
Origin: England, March, 1993.

Ice 9-250: A later version of the Ice 9-224 variant, this
variant is also a non-resident direct action infector of
.COM programs, including COMMAND.COM. It infects one .COM
program in the current directory each time an infected
program is executed. Infected programs increase in size by
250 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
visible within the viral code in infected files:
"[250] ICE-9*.COM"
"arCv"
The second text string, "arCv", can be found at the end of all
infected files.
Origin: England, March, 1993.

Ice 9.639.Starfish: Based on the Ice 9 virus described above,
Ice 9.639.Starfish's size in memory is 1,152 bytes, hooking
interrupt 21. It infects .COM programs other than COMMAND.COM
when they are executed, opened, or copied. Infected programs
increase in size by 639 bytes with the virus being located at
the end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The following
text strings are visible within the viral code:
"Mad Satan[ This is StarFish ]"
"1993 Written by Mad Satan in TAIWAN."
"[ STARFISH ]"
"Satan"
Origin: Taiwan, October, 1994.

Ice 9B: Functionally similar to the original virus; one byte
differs.
Origin: England, October, 1992.
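
The markers listed in this entry can be turned into a simple triage check. The following is an added example, not part of the original entry or of any scanner named above: it looks for each variant's quoted string only inside the last N bytes of a .COM image (N being that variant's stated growth, on the assumption that the appended code is the final N bytes) and flags a DOS time word whose seconds field reads above 58, as Ice 9-199 leaves it. The names Marker, classify, dos_seconds and sample are hypothetical, and the sample images are constructed filler containing no viral code.

```python
from typing import List, NamedTuple, Optional

class Marker(NamedTuple):
    name: str
    growth: int             # bytes appended to the host, per this entry
    body: Optional[bytes]   # string inside the appended viral code
    tail: Optional[bytes]   # string at the very end of the file

# Strings and sizes are the ones quoted in the entry above.
MARKERS = [
    Marker("Ice 9", 639, None, b"r51xP"),
    Marker("Ice 9-159", 159, b"*.COM [159] ICE-9", None),
    Marker("Ice 9-199", 199, b"[199] ICE-9", None),
    Marker("Ice 9-224", 224, b"[224] ICE-9 *.com", None),
    Marker("Ice 9-250", 250, b"[250] ICE-9*.COM", b"arCv"),
    Marker("Ice 9.639.Starfish", 639, b"[ STARFISH ]", None),
]

def dos_seconds(time_word: int) -> int:
    """Seconds in a 16-bit DOS directory time word (low 5 bits store seconds/2)."""
    return (time_word & 0x1F) * 2

def classify(data: bytes, time_word: Optional[int] = None) -> List[str]:
    """Return the variants whose markers sit where the entry says they sit."""
    hits = []
    for m in MARKERS:
        if len(data) <= m.growth:
            continue                      # too small to be host + this variant
        appended = data[-m.growth:]       # assumed: virus is the final N bytes
        if m.body is not None and m.body not in appended:
            continue
        if m.tail is not None and not data.endswith(m.tail):
            continue
        hits.append(m.name)
    # Valid DOS seconds are 0..58; Ice 9-199 leaves the field reading "62".
    if time_word is not None and dos_seconds(time_word) > 58:
        hits.append("seconds=%d" % dos_seconds(time_word))
    return hits

def sample(growth: int, body: bytes = b"", tail: bytes = b"") -> bytes:
    """Constructed image: filler host plus a dummy appended region (no viral code)."""
    pad = growth - len(body) - len(tail)
    return b"\x90" * 300 + body + b"\x00" * pad + tail

if __name__ == "__main__":
    print(classify(sample(639, tail=b"r51xP")))
    print(classify(sample(199, body=b"[199] ICE-9"), (12 << 11) | (30 << 5) | 31))
    print(classify(b"[199] ICE-9" + b"\x90" * 1000))  # string outside the tail: no hit
```

Restricting the search to the appended region keeps files that merely contain one of these strings elsewhere (a scanner's own signature data, for instance) from being reported.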