ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ MIX1 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: MIX/1 Date of Origin: First reported on August 22, 1989. Place of Origin: First detected in Israel. May have been written elsewhere. Host Machine: PC compatibles. Host Files: Remains resident. Infects EXE files larger than 8K only in one version, 16K in another version. OnScreen Symptoms: You will see a bouncing ball after a crash, which will occur after the sixth infection. (A variant will not crash the system.) Increase in Size of Infected Files: 1618 bytes. Nature of Damage: Affects system run-time operation. Corrupts program or overlay files. Detected by: Scanv37+, F-Prot, IBM Scan, Pro-Scan. Removed by: CleanUp, Scan/D, Virus Buster, or F-Prot. Derived from: Icelandic-1. Scan Code: "MIX1" will be the last four bytes of any infected EXE. MIX1 is a variant of the Icelandic-1 virus, like the Saratoga. The Icelandic virus was first detected in June, 1989, disassembled a week later, and the disassembly was made available around the beginning of July. The MIX1 virus appeared on several BBSs in Israel on August 22, and may have been written in any country, and then sent via modem to Israeli boards. The virus is put at the end of the .EXE file and the header is changed to point to the virus. Infected files can be manually identified by a characteristic "MIX1" always being the last 4 bytes of an infected file. Using Debug, if byte 0:33C equals 77h, then the MIX1 virus is in memory. EXE file execution through interrupt 21h service 4bh triggers the virus. The infected .EXE files grow by 1618-1634 bytes, depending on its original size. It will not infect files smaller than 8K. Once an infected program is run, the virus occupies 2,048 bytes of memory. Some peculiarities include: * All output through vectors 14h and 17h -- the serial and parallel ports -- is garbled. * The NumLock key/light stays on. * After the 6th infection, booting may crash the computer due to a bug, and a bouncing ball may appear on the monitor. * Memory allocation is done through direct MCB control. * It does not allocate stack space, and therefore makes some files unusable. * It infects only files which are bigger than 16K, which makes disassembly very hard. The modifications to Icelandic I appear to be intended to fool virus detection programs. The changes include replacing instructions with other equivalent ones. For example, XOR AX,AX has been replaced with: MOV AX,0000 and MOV ES,AX has been replaced with: PUSH AX POP ES Also, NOP instructions have been inserted in several places, including inside the identification strings used by VIRUSCAN and most other similar programs. This seems to be a response by virus writers to anti-virus programs that look for infection by using identification strings. This method has been used in the '286 variant of the Ping-Pong virus. Apart from these changes, parts of the virus are almost identical to other variants of the Icelandic virus. In the installation part, the code to check INT 13 has been removed (as in Saratoga and Icelandic-2). In a variant, the infection routine has been modified to infect every file (instead of every tenth program run), and to not infect a program unless it is at least 16K long. A variant of the virus will not crash the system. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253