Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!gatech!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: RADAI1@HBUNOS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: re: Iceland/Saratoga viruses (PC)
Message-ID: <0002.8909191146.AA07427@ge.sei.cmu.edu>
Date: 18 Sep 89 15:44:14 GMT
Sender: Virus Discussion List
Lines: 65
Approved: krvw@sei.cmu.edu

David Chess writes:

>There seem to be three different viruses in this general family:
>
> - One is a resident EXE-file infector that infects every tenth
> EXE file executed, and sometimes will mark a free cluster on a
> hard disk as bad (the "damage" routine). I've seen this one
> called the "Saratoga 1".
> - The second ... is just like the first, except that it checks
> the segment of the INT13 vector, and if it's not 0070 or F000,
> it doesn't do anything. I've seen this called the "Saratoga 2",
> and also the "Icelandic Disk-Crunching virus" ....
> - The third differs from the first in that it bypasses INT21 ... and
> doesn't have the "mark a cluster bad" code. It doesn't have the
> INT13 check that the second version does. Fridrik Skulason calls
> this, quite reasonably, the "Icelandic Virus, version 2".
>
>Does this check correctly with everyone? ....

The facts reported by David are correct, except that the first version infects every *second* EXE file executed instead of every tenth one.

Btw, though it was originally reported that the Saratoga was discovered "some months earlier" than the first Icelandic virus, it later turned out that the Saratoga is actually a hack of Icelandic-1.

Since I recently tried to clarify for myself the same question which David raises, I can present the following table summarizing the main differences between the versions:

    Version:                        Saratoga     Icelandic-1     Icelandic-2
                                    --------     -----------     -----------
    File length increase(*):        642          656             632
    Infects 1 file out of every:    2            10              10
    DOS services via interrupts?    Yes          Yes             No
    Marks a cluster as bad?         Yes          Yes             No
    Checks Int 13h segment?         No           Yes             No
    Signature(**):                  PooT         18 44 19 5F     18 44 19 5F
    First appearance:               July 89      June (Feb?) 89  July 89

(*) The total length is rounded up to the next higher multiple of 16, if necessary. (This happens with *any* EXE-infecting virus.)

(**) This is the last 4 bytes of the virus (used to determine if a file is already infected).

I consider the bypassing of interrupts which Icelandic-2 performs to be very significant. I think ARC513.EXE (a hacked version of SEA's ARC) also did this, but it was a Trojan, not a virus. Among viruses, I heard of a strain of the Jerusalem virus which infects by direct BIOS access instead of by Int 21, though I'm not sure if that strain ever spread publicly. At least one version of the Vienna virus (not the one in Ralf Burger's book) is worthy of mention here since it overwrites 1 out of 8 files with code containing a far jump to the BIOS initialization routine. Have I forgotten any cases?

The important thing about all this is that although the spreading of such viruses has been predicted for a long time, the authors of most monitoring programs, such as FluShot+, have either failed to find a solution or have ignored these predictions entirely. As far as I know, there is only one program so far which can stop such viruses and Trojans, and that is Fridrik Skulason's F-LOCK. If anyone knows of any other such program, I'd like to hear of it.

Y. Radai
Hebrew Univ. of Jerusalem