| Alias: | |
| Strain: | Icelandic Virus |
| detected when: | July '89 |
| where: | Saratoga (California) |
| Classification: | .EXE file infecting virus/Extending/Resident |
| Length: | 1. 642-657 bytes added to file 2. 2048 bytes in RAM |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.0 or higher |
| Computer model(s): | IBM PC,XT,AT and compatibles |
| Caroname: | Icelandic.642.A |
Attributes | |
| Easy identification: | .EXE Files: Infected files end in "PooT". System: Byte at 0:37F contains FF (hex) |
| Type of Infection: | Extends .EXE files. Adds 642-657 bytes to the end of the file. Stays resident in RAM, hooks INT 21 and infects other programs when they are executed via function 4B. It will remove the Read-Only attribute if necessary, but it is not restored. .COM files are not infected. |
| Infection Technique: | |
| Infection Trigger: | One out of every two programs run is checked. If it is an uninfected .EXE file it will be infected. |
| Storage Media affected: | --- |
| Interrupts hooked: | INT 21 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | If the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected. |
| Damage Trigger: | The damage is done whenever a file is infected. |
| Particularities: | The virus modifies the MCBs in order to hide from detection. The INT 13 checking in the original version has been removed. The virus uses the name of the file to determine if it is an .EXE file, but not the true type, as determined by the first two bytes. The virus assumes the program reserves all available memory (FFFF paragraphs needed). Programs that do not will cause a system crash when infected and run. |
| Similarities: | This virus is just a minor variant of Icelandic-1. |
Agents | |
| Countermeasures: | Detection of infection: F-FCHK (from F. Skulason's F-PROT package), VIRUSCAN. Removal: F-FCHK |
| Standard means: | |
Acknowledgements | |
| Location: | University of Iceland/Computing Services |
| Classification by: | Fridrik Skulason (frisk@rhi.hi.is) |
| Documentation by: | Fridrik Skulason |
| Date: | Sept 20, 1989 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg