Icelandic Virus


 Virus Name:  Icelandic 
 Aliases:     656, One In Ten, Disk Crunching Virus, Saratoga 2, Iceland 
 V Status:    Extinct 
 Discovered:  June, 1989 
 Symptoms:    .EXE growth; resident-TOM; bad sectors; FAT corruption 
 Origin:      Iceland 
 Eff Length:  656 bytes 
 Type Code:   PRfE - Resident Parasitic .EXE Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  F-Prot, NAV, or delete infected files 
 
 General Comments: 
       The Icelandic, or Disk Crunching virus, was originally isolated in 
       Iceland in June 1989.  Icelandic is a memory resident infector of 
       .EXE files, and will only infect every tenth .EXE program executed. 
      
       The first time a program infected with Icelandic is executed, the 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 2,048 bytes.  Interrupt 21 will be hooked by the virus. 
 
       This virus only infects .EXE files, with infected files growing in 
       length between 656 and 671 bytes.  File lengths after infection will 
       always be a multiple of 16.  The virus attaches itself to the end of 
       the programs it infects, and infected files will always end with 
       hex '4418,5F19'. 
 
       The Icelandic virus attempts to avoid detection by some memory 
       resident anti-viral utilities by checking to see if some other 
       program has "hooked" interrupt 13.  If interrupt 13 was hooked before 
       the first Icelandic program is executed, the virus will not proceed 
       to infect programs.  If Interrupt 13 has not been "hooked", 
       it will attempt to infect every 10th program executed. 
 
       On systems with only floppy drives, or 10 MB hard disks, the virus 
       will not cause any damage.  However, on systems with hard disks 
       larger than 10 MB, the virus will select one unused FAT entry and 
       mark the entry as a bad sector each time it infects a program. 
 
       Known variant(s) of Icelandic are: 
       Icelandic.655: Icelandic.655 is a modified version of the 
                     Icelandic virus described above.  Its size in memory 
                     is 2,048 bytes, and it directly hooks interrupts, so 
                     that no interrupts will be mapped to the viral code in 
                     memory.  Once resident, it will infect every tenth 
                     program executed, provided that the program is an .EXE 
                     program.  Infected programs increase in size by 655 to 
                     669 bytes with the virus being located at the end of 
                     the file.  The program's date and time in the DOS disk 
                     directory listing will have been updated to the current 
                     system date and time when infection occurred.  System 
                     hangs may occur when the virus infects programs. 
                     Origin: Unknown   April, 1994. 
       Icelandic-IB: Functionally equivalent to Icelandic, this 
                     variant differs by one by from the original virus. 
       Icelandic-IC: Functionally equivalent to Icelandic, this 
                     variant differs by one by from the original virus 
                     and Icelandic-IB. 
       Icelandic-ID: Received in November, 1993, this variant is a 
                     very minor variant of Icelandic.  It has been altered 
                     to avoid being detected by a specific anti-viral 
                     utility. 
                     Origin:  Unknown  November, 1993. 
       Icelandic-IE: Received in November, 1993, this variant is a 
                     very minor variant of Icelandic.  It has been altered 
                     to avoid being detected by a specific anti-viral 
                     utility. 
                     Origin:  Unknown  November, 1993. 
       Icelandic-II: Icelandic-II is a modified version of the 
                     Icelandic virus described above.  Its size is 632 
                     bytes.  Each time the Icelandic-II virus infects a 
                     program, it will modify the file's date and time in 
                     the DOS disk directory.  It also removes the 
                     read-only attribute from read-only files.  On hard 
                     disks larger than 10MB, there are no bad sectors 
                     marked in the FAT as there is with the Icelandic 
                     virus. 
                     Isolated: Iceland   July, 1989. 
       Icelandic-III: Icelandic-III is a modified version of the 
                     Icelandic virus.  Before Icelandic-III will infect a 
                     program, it checks to see if the program has been 
                     previously infected with Icelandic or Icelandic-II, 
                     if it has, it does not infect the program.  Files 
                     infected with the Icelandic-III virus will have 
                     their length increased by 848 to 863 bytes.  If an 
                     infected program is run on December 24th of any year, 
                     programs subsequently run will be stopped, later 
                     displaying the message "Gledileg jol" ("Merry 
                     Christmas" in Icelandic) instead.  The virus's id 
                     string in the last two words of the program is 
                     hex '1844,195F', the bytes in each word being 
                     reversed from the id string ending the Icelandic and 
                     Icelandic-II viruses. 
                     Isolated: Iceland  December, 1989. 
       Saratoga: Based on the Icelandic virus, the Saratoga virus' 
                     main difference is that when it copies itself to 
                     memory, it modifies the memory block so that it appears 
                     to belong to the operating system, thus avoiding 
                     another program reusing the block.  It is 642 bytes 
                     in length. 
                     Isolated: Saratoga, California, USA  July, 1989. 
 
       See:   Mix1 

Show viruses from discovered during that infect .

Main Page