Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk%RHI.HI.IS@ibm1.cc.lehigh.edu (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Icelandic virus
Message-ID: <0002.y8907122227.AA01842@ge.sei.cmu.edu>
Date: 10 Jul 89 14:52:48 GMT
Sender: Virus Discussion List
Lines: 87
Approved: krvw@sei.cmu.edu

Some time ago I reported a new virus, the Icelandic "disk-crunching" virus.
I have now finished disassembling it, and a report follows ("Brunnstein"-format).

frisk@rhi.hi.is or ...mcvax!hafro!rhi!frisk

- ------ Computer Virus Catalog 1.1: "Icelandic" July 8, 1989 --------
Entry...............: "Icelandic disk-crunching virus"
Alias(es)...........: One-in-ten, Disk-eating virus
Virus Strain........:
Virus detected when.: Mid-June '89
              where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 656-671 bytes added to file
                      2. 2048 bytes in RAM
- --------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
- --------------------- Attributes -------------------------------------
Identification......: .EXE Files: Infected files end in 4418 5F19 (hex).
                      System: Byte at 0:37F contains FF (hex)
Type of infection...: Extends .EXE files. Adds 656-671 bytes to the end of
                      the file. Length MOD 16 will always be 0.
                      Stays resident in RAM, hooks INT 21 and infects other
                      programs when they are executed via function 4B. It
                      will remove the Read-Only attribute if necessary.
                      .COM files are not infected.
Infection Trigger...: Every tenth program run is checked. If it is an
                      uninfected .EXE file it will be infected.
Storage media affected: None
Interrupts hooked...: INT 21
Damage..............: If the current drive is a hard disk larger than 10M
                      bytes, the virus will select one cluster and mark it
                      as bad in the first copy of the FAT. Diskettes and
                      10M byte disks are not affected.
Damage Trigger......: The damage is done whenever a file is infected.
Particularities.....: The virus modifies the MCBs in order to hide from
                      detection. It will not be activated if INT 13 contains
                      something other than 0070:xxxx or F000:xxxx when an
                      infected program is run.
Similarities........: None.
- --------------------- Agents ------------------------------------------
Countermeasures.....: All programs which check for .EXE file length changes
                      will detect infections. Any virus prevention program
                      that changes INT 13 will prevent the activation of
                      the virus. F-SYSCHK (by the author of this article)
                      will detect the system infection. F-FCHK will
                      identify infected files.
Countermeasures successful: See above.
Standard means......: Use DEBUG to check the byte at 0:37F. Running any
                      program which stays resident and modifies INT 13
                      (like PRINT) will prevent the virus from being
                      activated.
- --------------------- Acknowledgement ---------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: July 8, 1989
Information Source..:
- --------------------------End of "Icelandic"-Virus---------------------
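The catalog entry gives two file-level indicators (a trailing 4418 5F19 signature and a length that is a multiple of 16) and names the generic countermeasure: any checker that notices .EXE length changes will catch this virus, because it always extends the file. The script below is an added example written for this page; it is not code from the original post and is not Fridrik Skulason's F-FCHK or F-SYSCHK. It assumes the signature is the byte sequence 44 18 5F 19 in the order written, and the "infected" sample it builds is constructed inert padding shaped as the entry describes, not real virus code. The memory indicator (byte at 0:37F) is a DOS interrupt-vector-table check and is not covered here.

```python
"""Detection helpers for the indicators in the "Icelandic" catalog entry.

Added example, not code from the original post or from the F-FCHK /
F-SYSCHK tools it mentions.  Assumptions not stated on the page:
  * "end in 4418 5F19 (hex)" is read as the bytes 44 18 5F 19 in that order;
  * the sample files built here are constructed stand-ins, not real binaries.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Trailing signature from the entry, assumed to be in written byte order.
ICELANDIC_TAIL = bytes.fromhex("44185F19")
# Bytes the entry says the virus appends to an .EXE file.
ADDED_MIN, ADDED_MAX = 656, 671


def looks_like_exe(data: bytes) -> bool:
    """MS-DOS .EXE images start with the 'MZ' (or 'ZM') header magic."""
    return data[:2] in (b"MZ", b"ZM")


def has_icelandic_signature(data: bytes) -> bool:
    """File indicator from the entry: .EXE, length MOD 16 == 0, signature last.

    The entry says only .EXE files are infected, so a non-.EXE never matches
    even if its last four bytes happen to equal the signature.
    """
    return (looks_like_exe(data)
            and len(data) % 16 == 0
            and data.endswith(ICELANDIC_TAIL))


def _fingerprint(path: str) -> Tuple[int, str]:
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """Record (length, sha256) of every .EXE under root.

    This is the generic countermeasure the entry names: an extending virus
    cannot infect a file without changing its length.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                baseline[path] = _fingerprint(path)
    return baseline


def check_against_baseline(baseline: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Return {path: finding} for every baselined file that changed.

    Growth of 656-671 bytes plus the signature is reported as consistent
    with this virus; any other change is still reported, unattributed.
    """
    findings = {}
    for path, (old_len, old_hash) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        new_len, new_hash = _fingerprint(path)
        if (new_len, new_hash) == (old_len, old_hash):
            continue
        growth = new_len - old_len
        with open(path, "rb") as f:
            data = f.read()
        if ADDED_MIN <= growth <= ADDED_MAX and has_icelandic_signature(data):
            findings[path] = f"grew by {growth} bytes, Icelandic signature present"
        elif growth != 0:
            findings[path] = f"length changed by {growth} bytes"
        else:
            findings[path] = "content changed, same length"
    return findings


def make_sample_infected(clean: bytes) -> bytes:
    """Constructed sample shaped like the entry describes: 656-671 bytes
    appended, final length a multiple of 16, signature as the last bytes.
    The appended bytes are inert filler (NOPs), not virus code."""
    pad = ADDED_MIN
    while (len(clean) + pad) % 16 != 0:
        pad += 1
    assert pad <= ADDED_MAX  # rounding up to 16 never needs more than 15 extra
    return clean + b"\x90" * (pad - len(ICELANDIC_TAIL)) + ICELANDIC_TAIL


def demo() -> Dict[str, str]:
    """Baseline a constructed .EXE, replace it with the sample, re-check."""
    clean = b"MZ" + b"\x00" * 98  # constructed 100-byte stand-in for a .EXE
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "PROGRAM.EXE")
        with open(path, "wb") as f:
            f.write(clean)
        baseline = build_baseline(tmp)
        with open(path, "wb") as f:
            f.write(make_sample_infected(clean))
        findings = check_against_baseline(baseline)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

The padding rule in make_sample_infected reproduces the entry's 656-671 range on its own: a clean file whose length is already a multiple of 16 gains exactly 656 bytes, and any other residue needs at most 15 more to keep the infected length MOD 16 at 0. The baseline comparison is what actually catches the infection on a real disk; the signature check only attributes the change once a length difference has been found.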