Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!gem.mps.ohio-state.edu!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: David.M..Chess.CHESS@YKTVMV
Newsgroups: comp.virus
Subject: Iceland/Saratoga viruses (PC)
Message-ID: <0002.8909131611.AA17602@ge.sei.cmu.edu>
Date: 12 Sep 89 00:00:00 GMT
Sender: Virus Discussion List
Lines: 21
Approved: krvw@sei.cmu.edu

There seem to be three different viruses in this general family:

- One is a resident EXE-file infector that infects every tenth EXE
  file executed, and sometimes will mark a free cluster on a hard
  disk as bad (the "damage" routine). I've seen this one called
  the "Saratoga 1".
- The second (not that the order I'm listing them in necessarily
  means anything) is just like the first, except that it checks
  the segment of the INT13 vector, and if it's not 0070 or F000,
  it doesn't do anything. I've seen this called the "Saratoga 2",
  and also the "Icelandic Disk-Crunching virus" (that name is from
  Fridrik Skulason).
- The third differs from the first in that it bypasses INT21 (by
  means that I suppose I shouldn't mention in public), and doesn't
  have the "mark a cluster bad" code. It doesn't have the INT13
  check that the second version does. Fridrik Skulason calls this,
  quite reasonably, the "Icelandic Virus, version 2".

Does this check correctly with everyone? The Saratoga/Icelandic
nomenclature is a bit confusing, and I want to make sure that there's
general agreement about the facts, if not the names...

DC