Jerusalem (computer virus)

From Wikipedia, the free encyclopedia

Jerusalem is a DOS file virus first detected in Jerusalem, Israel, in October 1987.

Upon infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and would then infect every executable file run, except for COMMAND.COM. .COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the said files are loaded until the files are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

The virus code itself hooked into interrupt processing and other low level DOS services. For example, there was code in the virus to suppress the printing of console messages if, for example, the virus was not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer was infected was the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The program contains one destructive payload that is set to go off on Friday the 13th, all other years than 1987. On that date, the virus would delete every program file that was executed. Jerusalem is also known as BlackBox because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. The rectangle is scrolled up by two lines.

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contained code that entered a processing loop each time the processor's timer tick was activated.

Symptoms also included spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occurred since Jerusalem used the 'interrupt 21h' low-level DOS functions that Novell Netware and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, interrupts are no longer used, so Jerusalem and its variants have become obsolete.

Contents 1 Aliases 2 Variants 2.1 Suriv viruses 2.2 Sunday (Jeru-Sunday) 2.3 Anarkia 2.4 PQSR 2.5 Jeruspain (Jeru-Spanish) 2.6 Frère 2.7 Westwood (Jerusalem-Westwood) 2.8 Jerusalem-113 2.9 Jerusalem-Apocalypse 2.10 Jerusalem-T1 2.11 Jerusalem-T13 2.12 Jerusalem-Sat13 2.13 Jerusalem-Czech 2.14 Jerusalem-Frère.2 2.15 Jerusalem-Nemesis 2.16 Jerusalem-Captain Trip 2.17 Jerusalem-J 2.18 Jerusalem-Yellow 2.19 Jerusalem-Jan25 2.20 Friday-15th (Skism) 2.21 Carfield (Jeru-Carfield) 2.22 Mendoza (Jerusalem Mendoza) 2.23 Other variants 3 See also 4 References 5 External links

[edit] Aliases

• 1808(EXE)
• 1813(COM)
• ArabStar
• BlackBox
• BlackWindow
• Friday13th (Note: The name can also refer to two viruses that are unrelated to Jerusalem: Friday-13th-440/Omega and Virus-B)
• HebrewUniversity
• Israeli
• PLO
• Russian

[edit] Variants

[edit] Suriv viruses

The Suriv viruses are earlier, more primitive versions of Jerusalem. Suriv 1 and 2 triggers on April 1 while Suriv 3 triggers on Friday 13.

[edit] Sunday (Jeru-Sunday)

Files infected by Sunday grow by 1,636 bytes.

On every Sunday the virus displays one of the following messages during 30 minute intervals.

• Today is SunDay! Why do you work so hard?
• All work and no play make you a dull boy!
• Come on ! Let's go out and have some fun!

The variant is intended to delete every program as it is wrong. Software bugs prevent this from happening.

Sunday has various variants.

• Sunday.a - The version described above.
• Sunday.b - A version of Sunday which has a working program-deleting function.
• Sunday.1.b - Like Sunday.b, except a bug regarding the Critical Error Handler, which causes problems on write-protected disks, has been fixed.
• Sunday.1.d - Like Sunday.1.a, except the same bug is fixed in a different way.
• Sunday.1.Tenseconds - Like Sunday.a, except the delay for the messages is now 10 seconds. In addition, the test for Sunday is correctly set for say 0 (zero) instead of 7 (seven).
• Sunday.2 - Like Sunday.1.a, except files grow by 1,733 bytes instead

[edit] Anarkia

Anarkia is almost identical to the original Jerusalem. It uses the self-recognition code "Anarkia".

[edit] PQSR

PQSR causes infected files to grow by 1,720 bytes. On the 13th of any month, any program run on the PC is deleted by the virus. Garbage is written to the master boot record and the nine sectors after the MBR. The virus uses "PQSR" as its self-recognition code.

[edit] Jeruspain (Jeru-Spanish)

If the virus is memory-resident, Jeruspain will delete any program if the program is run on the 26th of any month.

[edit] Frère

Frère plays Frère Jacques if the day is Friday or the 13th of any month.

[edit] Westwood (Jerusalem-Westwood)

See Westwood (computer virus)

Westwood causes files to grow by 1,829 bytes. If the virus is memory-resident, Westwood deletes any file run during Friday the 13th.

[edit] Jerusalem-113

Programs will not run during Saturdays. The virus avoids PHENOME.COM instead of COMMAND.COM, and therefore infects COMMAND.COM.

[edit] Jerusalem-Apocalypse

Jerusalem-Apocalypse contains the text "Apocalypse!!". On Friday the 13th, if the virus is memory-resident, it will delete any file run.

[edit] Jerusalem-T1

On Tuesday the 1st, if the virus is memory-resident, it will delete any file run.

[edit] Jerusalem-T13

The virus causes .COM and .EXE files to grow by 1,812 bytes. On Tuesday the 13th, if the virus is memory-resident, it will delete any program run.

[edit] Jerusalem-Sat13

On Saturday the 13th, if the virus is memory-resident, it will delete any program run.

[edit] Jerusalem-Czech

On Friday the 13th, if the virus is memory-resident, it will delete any program run. Jerusalem-Czech has a self-recognition code and a code placement that differ from the original Jerusalem.

[edit] Jerusalem-Frère.2

Jerusalem-Frère plays Frère Jacques once per minute. A variant called Two Tigers plays the same tune.

[edit] Jerusalem-Nemesis

The virus avoids NEMESIS.COM instead of COMMAND.COM, and therefore infects COMMAND.COM. Jerusalem-Nemesis contains the string "NEMESIS.COM".

[edit] Jerusalem-Captain Trip

Jerusalem-Captain Trip contains the strings "Captain Trips" and "SPITFIRE".

If the year is any year other than 1990 and the day is a Friday on or after the 15th, if a program is run, Jerusalem-Captain Trip creates an empty file with the same name as the program. On several other dates it installs a routine in the timer tick that activates when 15 minutes pass. On the 16th Jerusalem-Captain Trip re-programs the video controller. Jerusalem-Captain Trip has several errors.

[edit] Jerusalem-J

The variant causes .COM files to grow by 1,237 bytes. .EXE files grow by about 1,232 bytes. The virus has no "Jerusalem effects."

[edit] Jerusalem-Yellow

Jerusalem-Yellow does not infect .EXE files. All files infected grow by 1,363 bytes apiece.

After the virus is loaded into memory, when 45 minutes pass or when 4,096 keystrokes are entered, Jerusalem-Yellow creates a large yellow box with a shadow in the middle of the screen and the computer hangs.

[edit] Jerusalem-Jan25

On January the 25th, if the virus is memory-resident, it will delete any program run.

[edit] Friday-15th (Skism)

Friday-15th causes infected files to grow by 1,813 bytes. On Friday the 15th, if the virus is memory-resident and a program is run, the virus will create a new file with the same name as the program.

[edit] Carfield (Jeru-Carfield)

The virus causes infected files to grow by 1,508 bytes.

If the day is Monday, if the virus is memory-resident, the computer will display the string "Carfield!" every 42 seconds.

[edit] Mendoza (Jerusalem Mendoza)

The virus does nothing if the year is 1980 or 1989.

For all other years, if the virus is memory resident and if the floppy disk motor count is 25, a flag is set. The flag will be set if a program is run from a floppy disk.

If the flag is set, every program which runs is deleted.

If the flag is not set and 30 minutes passes, the cursor is changed to a block. After one hour, Caps Lock, Nums Lock, and Scroll Lock are switched to "Off".

[edit] Other variants

• Jerusalem.1244
• Jerusalem.1808.Standard
• Jerusalem.Mummy.1364.a
• Standard.SuMsdos
• Standard.Var
• Standard.AA33CCDDEE
• Standard.UMsDos
• Standard.null
• Standard.Nocommand
• Jan25
• a
• Anarkia.2
• Puerto
• Spanish
• Messina
• ffd
• 1af
• Critical
• Flag_ee,
  • a204*
• Frère2
• Frère3
• 2e7
• Not13
• b0f
• Phenomen
• 52f
• 7c01
• 6d46
• JVT1
• J
• Friday15
• 3503
• Feb-7th
• Nov30
• sUMFDos
• SKISM
• 5a4
• 65d6
• BSA
• Turkish
• Dragon.

[edit] See also

• Timeline of notable computer viruses and worms
• Westwood (computer virus)

[edit] References

[edit] External links

• Jerusalem's rise and fall, chapter in an IBM virus research report
• Anti-Virus company Sophos description on the Jerusalem virus
• Anti-Virus company Network Associates description on the Jerusalem virus