Type File virus
Date Discovered 1989.06
Place of Origin Iceland
Source Language Assembly
Platform DOS
File Type(s) .exe
Infection Length 656-671 bytes
Reported Costs

Icelandic is an early .exe infector. It is the first virus that only infects .exe files on DOS and is incapable of infecting .com files.


Icelandic arrives onto a computer in an infected .exe file. When the file is executed, it checks if it is already in memory, and if it is not, the virus becomes memory resident. The virus modifies memory blocks to hide itself, which may cause the computer to crash if a program tries to write to this area.

It checks as files are run and infects every tenth executable. When a clean .exe file is run, the virus infects it, appending its code to the end of the file. If the file has the "read only" attribute, Icelandic removes it.

If the computer's hard drive is larger than 10 megabytes, Icelandic selects an unused entry in the FAT and marks it as bad. It does this every time a file is infected.


Icelandic.632- This variant infects one program after two programs are run. It marks one cluster as bad on Hard Disks larger than 20 megabytes.

Icelandic.B- This variant does nothing but spread itself. It contains a few changes in its code that make it difficult for some virus scanners to detect.

Icelandic.Jol- This 848-byte variant displays the message "Gledileg jol" (Merry Christmas in Icelandic) if an infected program is run on December 24. This variant is itself a subvariant of Icelandic.B.

Icelandic.Mix1- This variant was first discovered in Israel. It is 1,618 to 1,636 bytes long. It causes characters going to serial devices (such as printers) to be garbled. While it is definitely an Icelandic variant, it contains some code from the PingPong virus.

Icelandic.Saratoga- There is a 50% chance that this 642-byte variant will infect a file when it is run.


Icelandic was named before there were any naming standards with regard to viruses. "Icelandic" refers to the location that it was isolated, putting it in violation of most of those standards. Many antivirus products had the name grandfather-claused in however, and the name stuck. In its native Iceland, it was known as "Diskaetuvirus", meaning "Disk-eating virus". Friðrik Skúlason suggests the name "One-in-ten", since the virus infects every tenth file run. The Icelandic family is sometimes named Mix1 or some variant on this as some antivirus conditions consider Mix1 the original.


Fridrik Skulason. University of Iceland, Computing Services, Reports collected and collated by PC-Virus Index. 1989.09.20

-. -, -, THE ICELANDIC "DISK-CRUNCHING" VIRUS (Commented Assembly Code).

-. -, -, THE MIX1 virus (Commented Assembly Code).

Yuval Tal, Ori Berger. MIX1 Virus. 1989.12.19

F-Secure Antivirus. F-Secure Virus Descriptions, MIX1.

-. -, Icelandic.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License