[comp.virus] Icelandic virus

frisk%RHI.HI.IS@ibm1.cc.lehigh.edu (Fridrik Skulason) (07/10/89)

Some time ago I reported a new virus, the Icelandic "disk-crunching" virus. I
have now finished disassembling it, and a report follows ("Brunnstein" format).


                frisk@rhi.hi.is
or
                ...mcvax!hafro!rhi!frisk

------ Computer Virus Catalog 1.1: "Icelandic"   July 8, 1989 --------

Entry...............: "Icelandic disk-crunching virus"
Alias(es)...........: One-in-ten, Disk-eating virus
Virus Strain........:
Virus detected when.: Mid-June '89
              where.: Iceland
Classification......: .EXE file infecting virus/Extending/Resident
Length of Virus.....: 1. 656-671 bytes added to file
                      2. 2048 bytes in RAM

--------------------- Preconditions -----------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher

Computer model(s)...: IBM PC,XT,AT and compatibles

--------------------- Attributes -------------------------------------

Identification......: .EXE Files: Infected files end in 4418 5F19 (hex).
                      System: Byte at 0:37F contains FF (hex)

Type of infection...: Extends .EXE files. Adds 656-671 bytes to the end of
                      the file. Length MOD 16 will always be 0.
                      Stays resident in RAM, hooks INT 21 and infects other
                      programs when they are executed via function 4B. It will
                      remove the Read-Only attribute if necessary. .COM files
                      are not infected.

Infection Trigger...: Every tenth program run is checked. If it is an
                      uninfected .EXE file it will be infected.

Storage media affected: None

Interrupts hooked...: INT 21

Damage..............: If the current drive is a hard disk larger than 10M
                      bytes, the virus will select one cluster and mark it
                      as bad in the first copy of the FAT. Diskettes and 10M
                      byte disks are not affected.

Damage Trigger......: The damage is done whenever a file is infected.

Particularities.....: The virus modifies the MCBs in order to hide
                      from detection. It will not be activated if INT 13
                      contains something other than 0070:xxxx or F000:xxxx
                      when an infected program is run.

Similarities........: None.

--------------------- Agents ------------------------------------------

Countermeasures.....: All programs which check for .EXE file length changes
                      will detect infections.

                      Any virus prevention program that changes INT 13 will
                      prevent the activation of the virus.

                      F-SYSCHK (by the author of this article) will detect
                      the system infection.

                      F-FCHK will identify infected files.

Countermeasures successful: See above.

Standard means......: Use DEBUG to check the byte at 0:37F.
                      Running any program which stays resident and modifies
                      INT 13 (like PRINT) will prevent the virus from being
                      activated.
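The file-level indicators given under "Identification" and "Type of infection" (trailing bytes 4418 5F19, length a multiple of 16, growth of 656-671 bytes) can be checked offline without DEBUG. The following is an added example written for this reprint, not code from the original post or from F-FCHK; it assumes the catalog's "4418 5F19" means the byte sequence 44 18 5F 19 in that order, and the sample images it builds are constructed, not real virus data.

```python
"""Check .EXE images for the Icelandic virus indicators listed in the catalog entry."""
from pathlib import Path

# Assumption: the entry's "4418 5F19" is the byte sequence 44 18 5F 19 at end of file.
ICELANDIC_TAIL = bytes.fromhex("44185F19")
MIN_GROWTH, MAX_GROWTH = 656, 671      # bytes added per infection, per the entry


def check_exe(data: bytes) -> dict:
    """Report each indicator separately so a reader can see which one fired."""
    return {
        "tail_signature": data.endswith(ICELANDIC_TAIL),
        "length_mod16": len(data) % 16 == 0,
    }


def is_suspect(data: bytes) -> bool:
    """Both indicators must hold; a multiple-of-16 length alone is common in clean files."""
    r = check_exe(data)
    return r["tail_signature"] and r["length_mod16"]


def growth_is_plausible(clean_len: int, infected_len: int) -> bool:
    """With a known baseline length (e.g. from an integrity database), test the delta."""
    delta = infected_len - clean_len
    return MIN_GROWTH <= delta <= MAX_GROWTH and infected_len % 16 == 0


def scan_directory(root: Path):
    """Walk a tree and return the .EXE files that show both indicators."""
    return [p for p in root.rglob("*")
            if p.suffix.lower() == ".exe" and p.is_file() and is_suspect(p.read_bytes())]


def build_samples():
    """Constructed test images: a 512-byte 'clean' EXE and one grown by 656 bytes."""
    clean = b"MZ" + bytes(510)                       # 512 bytes, no signature
    grown = clean + bytes(MIN_GROWTH - 4) + ICELANDIC_TAIL   # 1168 bytes, ends in signature
    return clean, grown


CLEAN_SAMPLE, INFECTED_SAMPLE = build_samples()

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SAMPLE), ("grown", INFECTED_SAMPLE)):
        print(name, len(img), check_exe(img), "SUSPECT" if is_suspect(img) else "ok")
```

The system-level check from the entry (byte at 0:37F equal to FF) still needs DEBUG or a resident checker on the machine itself; this script only covers the file indicators.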

--------------------- Acknowledgement ---------------------------------

Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason  (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: July 8, 1989
Information Source..:
--------------------------End of "Icelandic"-Virus---------------------