Icelandic Virus
Virus Name: Icelandic
Aliases: 656, One In Ten, Disk Crunching Virus, Saratoga 2, Iceland
V Status: Extinct
Discovered: June, 1989
Symptoms: .EXE growth; resident-TOM; bad sectors; FAT corruption
Origin: Iceland
Eff Length: 656 bytes
Type Code: PRfE - Resident Parasitic .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The Icelandic, or Disk Crunching virus, was originally isolated in
Iceland in June 1989. Icelandic is a memory resident infector of
.EXE files, and will only infect every tenth .EXE program executed.
The first time a program infected with Icelandic is executed, the
virus will become memory resident at the top of system memory but
below the 640K DOS boundary. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 2,048 bytes. Interrupt 21 will be hooked by the virus.
This virus only infects .EXE files, with infected files growing in
length between 656 and 671 bytes. File lengths after infection will
always be a multiple of 16. The virus attaches itself to the end of
the programs it infects, and infected files will always end with
hex '4418,5F19'.
The Icelandic virus attempts to avoid detection by some memory
resident anti-viral utilities by checking to see if some other
program has "hooked" interrupt 13. If interrupt 13 was hooked before
the first Icelandic program is executed, the virus will not proceed
to infect programs. If Interrupt 13 has not been "hooked",
it will attempt to infect every 10th program executed.
On systems with only floppy drives, or 10 MB hard disks, the virus
will not cause any damage. However, on systems with hard disks
larger than 10 MB, the virus will select one unused FAT entry and
mark the entry as a bad sector each time it infects a program.
Known variant(s) of Icelandic are:
Icelandic.655: Icelandic.655 is a modified version of the
Icelandic virus described above. Its size in memory
is 2,048 bytes, and it directly hooks interrupts, so
that no interrupts will be mapped to the viral code in
memory. Once resident, it will infect every tenth
program executed, provided that the program is an .EXE
program. Infected programs increase in size by 655 to
669 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk
directory listing will have been updated to the current
system date and time when infection occurred. System
hangs may occur when the virus infects programs.
Origin: Unknown April, 1994.
Icelandic-IB: Functionally equivalent to Icelandic, this
variant differs by one by from the original virus.
Icelandic-IC: Functionally equivalent to Icelandic, this
variant differs by one by from the original virus
and Icelandic-IB.
Icelandic-ID: Received in November, 1993, this variant is a
very minor variant of Icelandic. It has been altered
to avoid being detected by a specific anti-viral
utility.
Origin: Unknown November, 1993.
Icelandic-IE: Received in November, 1993, this variant is a
very minor variant of Icelandic. It has been altered
to avoid being detected by a specific anti-viral
utility.
Origin: Unknown November, 1993.
Icelandic-II: Icelandic-II is a modified version of the
Icelandic virus described above. Its size is 632
bytes. Each time the Icelandic-II virus infects a
program, it will modify the file's date and time in
the DOS disk directory. It also removes the
read-only attribute from read-only files. On hard
disks larger than 10MB, there are no bad sectors
marked in the FAT as there is with the Icelandic
virus.
Isolated: Iceland July, 1989.
Icelandic-III: Icelandic-III is a modified version of the
Icelandic virus. Before Icelandic-III will infect a
program, it checks to see if the program has been
previously infected with Icelandic or Icelandic-II,
if it has, it does not infect the program. Files
infected with the Icelandic-III virus will have
their length increased by 848 to 863 bytes. If an
infected program is run on December 24th of any year,
programs subsequently run will be stopped, later
displaying the message "Gledileg jol" ("Merry
Christmas" in Icelandic) instead. The virus's id
string in the last two words of the program is
hex '1844,195F', the bytes in each word being
reversed from the id string ending the Icelandic and
Icelandic-II viruses.
Isolated: Iceland December, 1989.
Saratoga: Based on the Icelandic virus, the Saratoga virus'
main difference is that when it copies itself to
memory, it modifies the memory block so that it appears
to belong to the operating system, thus avoiding
another program reusing the block. It is 642 bytes
in length.
Isolated: Saratoga, California, USA July, 1989.
See: Mix1