textfiles/virus/NCSA/ncsa095.txt

                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
                    <20>        VIRUS REPORT         <20>
                    <20>            MIX1             <20>
                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

Synonyms: MIX/1

Date of Origin: First reported on August 22, 1989.

Place of Origin: First detected in Israel. May have been written
elsewhere.

Host Machine: PC compatibles.

Host Files: Remains resident. Infects EXE files larger than 8K only in
one version, 16K in another version.

OnScreen Symptoms: You will see a bouncing ball after a crash, which will
occur after the sixth infection. (A variant will not crash the system.)

Increase in Size of Infected Files: 1618 bytes.

Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.

Detected by: Scanv37+, F-Prot, IBM Scan, Pro-Scan.

Removed by: CleanUp, Scan/D, Virus Buster, or F-Prot.

Derived from: Icelandic-1.

Scan Code: "MIX1" will be the last four bytes of any infected EXE.

     MIX1 is a variant of the Icelandic-1 virus, like the Saratoga. The
Icelandic virus was first detected in June, 1989, disassembled a week
later, and the disassembly was made available around the beginning of
July. The MIX1 virus appeared on several BBSs in Israel on August 22, and
may have been written in any country, and then sent via modem to Israeli
boards.

     The virus is put at the end of the .EXE file and the header is changed
to point to the virus. Infected files can be manually identified by a
characteristic "MIX1" always being the last 4 bytes of an infected file.
Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory.
EXE file execution through interrupt 21h service 4bh triggers the virus.
The infected .EXE files grow by 1618-1634 bytes, depending on its
original size. It will not infect files smaller than 8K. Once an infected
program is run, the virus occupies 2,048 bytes of memory. 

     Some peculiarities include:

*   All output through vectors 14h and 17h  -- the serial and parallel
    ports -- is garbled.

*   The NumLock key/light stays on.

*   After the 6th infection, booting may crash the computer due to a bug,
    and a bouncing ball may appear on the monitor.

*   Memory allocation is done through direct MCB control.

*   It does not allocate stack space, and therefore makes some files
    unusable.

*   It infects only files which are bigger than 16K, which makes
    disassembly very hard.<Note: Portions of the description contributed
    by Yuval Tal.>

     The modifications to Icelandic I appear to be intended to fool virus
detection programs. The changes include replacing instructions with
other equivalent ones.  For example,

XOR AX,AX

     has been replaced with:

MOV AX,0000

     and

MOV ES,AX

     has been replaced with:

PUSH AX

POP ES

     Also, NOP instructions have been inserted in several places,
including inside the identification strings used by VIRUSCAN and most
other similar programs. This seems to be a response by virus writers to
anti-virus programs that look for infection by using identification
strings. This method has been used in the '286 variant of the Ping-Pong
virus.

     Apart from these changes, parts of the virus are almost identical to
other variants of the Icelandic virus. In the installation part, the
code to check INT 13 has been removed (as in Saratoga and Icelandic-2).

     In a variant, the infection routine has been modified to infect every
file (instead of every tenth program run), and to not infect a program
unless it is at least 16K long. A variant of the virus will not crash the
system.


<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD>  This document was adapted from the book "Computer Viruses",       <20>
<EFBFBD>  which is copyright and distributed by the National Computer       <20>
<EFBFBD>  Security Association. It contains information compiled from       <20>
<EFBFBD>  many sources. To the best of our knowledge, all information       <20>
<EFBFBD>  presented here is accurate.                                       <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  Please send any updates or corrections to the NCSA, Suite 309,    <20>
<EFBFBD>  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  <20>
<EFBFBD>  and upload the information: (202) 364-1304. Or call us voice at   <20>
<EFBFBD>  (202) 364-8252. This version was produced May 22, 1990.           <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  The NCSA is a non-profit organization dedicated to improving      <20>
<EFBFBD>  computer security. Membership in the association is just $45 per  <20>
<EFBFBD>  year. Copies of the book "Computer Viruses", which provides       <20>
<EFBFBD>  detailed information on over 145 viruses, can be obtained from    <20>
<EFBFBD>  the NCSA. Member price: $44; non-member price: $55.               <20>
<EFBFBD>                                                                    <20>
<EFBFBD>            The document is copyright (c) 1990 NCSA.                <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  This document may be distributed in any format, providing         <20>
<EFBFBD>  this message is not removed or altered.                           <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253