Ice 199

Virus Name: Ice-199

Virus Type: File Infector (.COM files)

Virus Length: 199 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an uninfected .COM file in the current directory and, when it finds one, infects it. Ice-199 infects only one file each time.

Damage: None

Detection Method: Infected file length will increase by 199 bytes.

Note:
1) Doesn't stay resident in memory.
2) ICE-199 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Ice 250

Virus Name: Ice-250

Virus Type: File Infector Virus (infects .COM files.)

Virus Length: 250 bytes

PC Vectors Hooked: None

Executing Procedure: Ice-250 searches the current directory for a .COM file it hasn't infected and, if it finds one, infects it. It infects only one file each time.

Damage: None

Detection Method: Infected files will increase by 250 bytes.

Note:
1) Doesn't stay resident in memory.
2) ICE-250 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Ice 224

Virus Name: Ice-224

Virus Type: File Infector Virus (.COM files)

Virus Length: 224 bytes

PC Vectors Hooked: None

Executing Procedure:
1) Ice-224 searches the current directory for a .COM file it hasn't infected and, if it finds one, infects it. It infects only one file each time.

Damage: None

Detection Method: Infected file length will increase by 224 bytes.

Note:
1) Doesn't stay resident in memory.
2) ICE-224 doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Itti-B

Virus Name: Itti-B

Virus Type: File Infector (.COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) ITTI-B searches the current directory for a .COM file it hasn't infected and, if it finds one, infects it. It infects only one file each time.
2) Finally, it damages all data on the current disk if none of the .COM files are infected.

Damage:
1) Overwrites the original file, so the length of infected file won't increase.
2) Damages all data on current disk if none of the .COM files are infected.

Note:
1) Doesn't stay resident in memory.
2) ITTI-B doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Itti-A

Virus Name: Itti-A

Virus Type: File Infector (.COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) ITTI-A searches the current directory for a .COM file it hasn't infected and, if it finds one, infects it. It infects only one file each time.
2) When the file is executed the message "EXEC FAILURE" will show up on the screen.
3) It will finally damage all data on current disk if no .COM file is infected.

Damage:
1) Overwrites original file, so the length of infected file won't increase.
2) Damages all data on current disk if no .COM file is infected.

Note:
1) Doesn't stay resident in memory.
2) ITTI-A doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Intrud-B

Virus Name: INTRUD-B

Virus Type: File Infector Virus (infects .EXE files)

Virus Length: 1225 bytes (EXE)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for an .EXE file in the current directory.
2) It checks whether the file has been infected by Intrud-B. If "Yes", it continues to look for an uninfected .EXE file.
3) It then infects only one file at a time.
4) It then executes the original file.

Damage: None.

Detection Method: 1) Infected files will increase by 1225 bytes.

Note:
1) Doesn't stay resident in memory.
2) Intrud-B doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


INOK-2372

Virus Name: INOK-2372

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 2372 bytes.

PC Vectors Hooked: None

Executing Procedure:
1) When the virus is executed, one of the following two functions is selected at random.
a) It searches for a .COM file in the current directory. Then it checks whether the file has been infected by INOK-2372. If "Yes", it continues to look for another uninfected .COM file. It only infects one file at a time. Then it executes the original file.
b) Creates a file named "ICONKIN.COM" in the current directory, then it executes the file. When the file is executed, a window appears on the screen until you press a key, and after a while the window appears again.

Damage: None.

Detection Method:
1) Infected files will increase by 2372 bytes.
2) If a window appears.

Note:
1) Doesn't stay resident in memory.
2) INOK-2372 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).


Invol-1

Virus Name: INVOL-1

Virus Type: File Infector (.EXE and .SYS files)

Virus Length: 1350/60 bytes (EXE), 2720 bytes (SYS)

PC Vectors Hooked: INT 21h.

Executing Procedure:
EXE File:
1) The virus searches for the first command of "C:\CONFIG.SYS"; if the command is *.*=xxxx.yyy, then the virus will infect the file.
2) Then it finishes executing the original file.
3) It infects files when an uninfected program is executed.
SYS File:
1) Hooks INT 21h and loads itself resident in memory.
2) Executes the original file.

Damage: Checks whether it is the 20th of the month. If "Yes", it destroys all hard disk data.

Detection Method: Infected .EXE files increase by 1350 bytes, SYS files increase by 2720 bytes.

Note: 1) INVOL-1 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).


Icelandic

Virus Name: Icelandic

Other names: Saratoga

Virus Type: File Infector Virus

Virus Length: .EXE 642 bytes

Executing Procedure:
1) The virus checks whether it is already resident in memory. If "No", it loads itself resident in memory by hooking INT 21h.
2) It then executes the original file.
3) Once it is resident in memory it will infect any uninfected file that is executed.
4) It doesn't infect .COM files.

Damage: Infected .EXE files increase by 642 bytes.

Note: 1) The virus loads itself resident in memory. It doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Inok-2371

Virus Name: Inok-2371

Virus Type: Parasitic Virus.

Virus Length: Infected .COM file sizes increase by 2372 bytes (Does not infect EXE files).

PC Vectors Hooked: None

Executing Procedure: Randomly does one of the following:
1) Searches for an uninfected .COM file in the current directory. Infects the file if there is one (infects only one file each time), and/or executes the host program.
2) Creates a file named ICONKIN.COM in the current directory and then runs it. (It will not infect any files. It will display a small window repeatedly until a key is pressed. And, the small window will show up after a period of time. While the small window shows up on the screen, everything will be forced to wait.)

Infecting Procedure:
1) The virus infects files by AH=4B in INT 21h. When an uninfected program is executed, it will get infected.
2) Lycee will hook INT 24h before infecting files to ignore I/O errors.

Damage: Refer to Executing Procedure 2).

Detection Method:
1) Detectable if the small window mentioned in Executing Procedure 2) appears.
2) Detectable if the files increase by 2372 bytes.

Remarks:
1) Non memory resident.
2) When infecting files, the virus does not hook INT 24h. An error message will appear when I/O errors occur.


Ice-159

Virus Name: Ice-159

Virus Type: Parasitic Virus.

Virus Length: Infected .COM file sizes increase by 159 bytes (Does not infect EXE files).

PC Vectors Hooked: None

Executing Procedure:
1) Searches for a .COM file in the current directory.
2) Checks if the file is infected. If yes, continues to search.
3) If an uninfected file is found, proceeds to infect it (infects only one file each time).

Damage: None

Detection Method: Detectable if the files increase by 159 bytes.

Remarks:
1) Non memory resident.
2) The virus doesn't hook INT 24h when infecting files. An error message appears if an I/O error (such as write protect) occurs.


Infector

Virus Name: Infector

Virus Type: .COM File infector

Virus Length: 820-830 bytes

Executing Procedure: Searches for an uninfected .COM file in the current directory, and then proceeds to infect it. (It only infects one file at a time.)

Damage: None

Note:
1) Most infected files cannot be executed due to the poor quality of the virus procedure.
2) Does not stay in memory.
3) You will see an error message when writing because INT 24h has not been hooked.

Detection Method: Infected file size increases by 820 to 830 bytes.


Irish-3

Virus Name: Irish-3

Virus Type: .COM File infector

Virus Length: 1164 bytes

Executing Procedure: Checks whether it is residing in memory. If not, it will stay resident in high memory. Then hooks INT 21h, INT 1Ch and goes back to the original routine.

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. It will check whether the program to be executed is an uninfected .COM file. If it is, virus proceeds to infect it. If it is an uninfected EXE file, then virus creates a new .COM file (with length between 2000 and 4000 bytes) with the same file name as original EXE file. This new .COM file is the virus.

Damage: None

Note: 1) If the current date is November 21, it will count time by hooking INT 08h. After a few minutes, it will display the following message:

"Virus V2.0 (c) 1991 Necros The Hacher
Written on 29,30 June....................................
...................."
2) You will see an error message when writing because INT 24h has not been hooked.

Detection Method: Infected file size increases by 1164 bytes.


Invisible Man

Virus Name: INVISIBLE MAN

Virus Type: Virus infects .COM and .EXE files, Partition record, and the Boot record. Virus is a Memory Block Resident.

Virus Length: 2926 bytes on file and D80h bytes in memory.

Interrupt Vectors Hooked: INT 21h

Infection Process: This virus can spread by executing an infected program or by booting the system from an infected Disk. There are several different methods of infection:

(1) When an INVISIBLE MAN infected program is executed, it will:

A. Infect the hard disk partition table:

(i) Write the virus body to the last 7 sectors of the active hard disk.

(ii) The ending location of the active hard disk will be decreased by 7 sectors.

(iii) Write the virus loader to the partition sector. This sector will be encrypted.

B. Modify the boot sector:
It will change the total sector number information, which will be seven less than the original figure.


Damage: Virus displays message and plays music on system speaker.

Symptoms: Loss of data stored in the last 7 sectors of the hard disk; increased file sizes. File sizes increase by 2926 bytes. Virus displays the following message:
"I'm the invisible man,
I'm the invisible man,
Incredible how you can
See right through me."
Virus also plays music on system speaker.

Note:


Ill


Virus Name: Ill

Virus Type: .COM File infector

Virus Length: 1016 bytes

Executing Procedure: Virus searches for an uninfected .COM file in the current directory, then infects it. It only infects one file at a time.

Damage: None

Note: 1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detection Method: Infected file size increases by 1016 bytes.


Iero-512-560


Virus Name: Iero-512-560

Virus Type: .COM File infector

Virus Length: 512 or 560 bytes

Executing Procedure: Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine.

Vectors hooked:
Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file, virus proceeds to infect it.

Hooks INT 08h to check current time at all times. At some random point in time, it will display the following message:

"Mulier pulchr aest janua diab oli , ..
via iniq uitatis, scorpion is percussio. .St. Ieronim.."

Damage: None

Note: 1) You will see an error message when writing because INT 24h has not been hooked.
2) It will decrease memory size by 1 while the virus is residing in memory. (You can see this when using MEM.EXE.)

Detection Method: Infected file size increases by 512 or 560 bytes.


Iernim


Virus Name: Iernim

Virus Type: .COM File infector

Virus Length: 570 or 600 bytes

Executing Procedure: Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine.

Vectors hooked:
Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected .COM file, virus proceeds to infect it.

Hooks INT 08h to check current time at all times. At some random point in time, it will display the following message:

"Mulier pulchra est janua diaboli , ..
via iniquitatis, scorpionis percussio . .St. Ieronim.."

Damage: None

Note: 1) You will see an error message when writing because INT 24h has not been hooked.
2) It will decrease memory size by 1 while the virus is residing in memory. (You can see this when using MEM.EXE.)

Detection Method: Infected file size increases by 570 or 600 bytes.


I-B


Virus Name: I-B

Virus Type: .COM File infector

Virus Length:

Executing Procedure: Virus searches for all uninfected .COM files in all directories, and infects them. Whether or not it has infected a file, this virus will check whether the current day is Monday. If it is, the virus proceeds to destroy all data on hard diskette.

Damage: 1) It will sometimes destroy all data on hard diskette.
2) It will overwrite original files with a virus code. Original files are destroyed.

Note: 1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.


In83-584


Virus Name: In83-584

Virus Type: .COM File infector

Virus Length: 584 bytes

Executing Procedure: Checks whether it has stayed resident in memory. If not, it will stay resident in high memory. Then hooks INT 21h and goes back to original routine.

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. First, it will hook INT 24h to avoid revealing its presence when writing. If the program to be executed is an uninfected .COM file, the virus proceeds to infect it.

Damage: None

Detection Method: Infected file size increases by 584 bytes.


Istanbul-2

Virus Type: File Virus

Virus Length:

Virus Reinfect Type: Doesn't reinfect

Place of Origin:

Virus Memory Type: MCB Type

Int. Vectors Hooked: Int 21h

Infection Procedure:

The virus first gets the kernel of the host which is COMMAND.COM, then finds where the carrier of the virus is. Then it changes the attributes of the carrier, opens the file, returns 5h as the file handle, moves the file pointer, then closes the file handle. Then it sets the file attributes of the carrier and forces a duplicate handle which was not successful. Then it only displays the strings:

"This file is infected with a virus!
Preinfection file size = 10,000".