Jerusalem (computer virus)
| Jerusalem | |
|---|---|
| Surname | Jerusalem |
| Aliases | Israeli, PLO |
| Known since | 1987 |
| First location | Israel |
| Virus type | File virus |
| Authors | Unknown |
| File size | 1,813 bytes |
| Host files | Exe and Com |
| Polymorph | No |
| Stealth | No |
| Memory resident | Yes |
| system | MS-DOS |
| info | The system file COMMAND.COM is not infected |
Jerusalem is a computer virus that was first discovered in the Israeli part of the city of Jerusalem in October 1987 . Once infected , it becomes memory resident and infects all .COM and .EXE files except COMMAND.COM . COM files become 1,813 bytes longer after infection and will not be re-infected. .EXE files get 1,808 to 1,823 bytes larger with each infection and are re-infected until they can no longer be loaded into memory. Sometimes .EXE files are not infected correctly, causing these programs to crash once they are run.
The code itself digs into interrupt processing and other DOS services, for example the virus deletes the output of console messages if, for example, the virus was unable to infect a file on a read-only medium such as a floppy disk . One of the clues that the computer is infected is the misspelling of the familiar “Bad command or file name” message as “Bad Command or file name”.
The virus contains a destructive and a non-destructive damage part. The destructive damage part is designed to activate every Friday the 13th except in 1987. On this date, the virus will delete all program files.
In the non-destructive part of the damage, the virus reduces the speed of PC-XT systems to around a fifth of their normal performance 30 minutes after infection by inserting a loop after each timer interrupt. The virus also creates a 'black window' by moving line 5, column 5 to line 16, column 16 two lines up on the screen.
Jerusalem was initially very common and a large number of variants emerged. Since the advent of Windows , the DOS interrupts that Jerusalem uses are no longer used, so Jerusalem and its variants disappeared very quickly.
Aliases
- 1808 (EXE)
- 1813 (COM)
- ArabStar
- Black box
- BlackWindow
- Friday13th (This name can also refer to two other viruses unrelated to Jerusalem: Firday-13th-440 / Omega and Virus-B)
- HebrewUniversity
- Israeli
- PLO
- Russian
variants
Get Password 1 (GP1)
This Novell NetWare -specific virus, discovered in 1991, tries to collect passwords from the NetWare DOS shell, which it then sends to a specific socket on the network where a utility program can read them.
Surive viruses
The Suriv Viruses are earlier, more primitive versions of Jerusalem. Suriv 1 and 2 trigger on April 1st, Suriv 3 on Friday the 13th.
Sunday (Jeru-Sunday)
Files infected by Sunday grow by 1,636 bytes.
Every Sunday the virus displays one of these texts every 30 minutes.
- Today is SunDay! Why do you work so hard?
- All work and no play make you a dull boy!
- Come on ! Let's go out and have some fun!
The variant was designed to delete all programs, but program errors prevented this.
Sunday has different variants.
- Sunday.a - The version described above.
- Sunday.b - A version of Sunday with a working routine to delete the programs.
- Sunday.1.Tenseconds - Like Sunday.a, but the interval between the messages is now 10 seconds.
PQSR
PQSR makes infected files grow by 1,720 bytes. On the 13th of each month, the virus deletes any programs on the PC. The master boot record and the nine sectors after the MBR are overwritten. The virus uses "PQSR" as a self-recognition code.
Jeruspain (Jeru-Spanish)
When the virus becomes memory resident, it will delete all programs on the 26th of each month.
Brother
Brother plays Brother Jacques on Fridays or the 13th of the month.
Jerusalem-113
Programs don't run on Saturdays. The virus leaves PHENOME.COM out of the infection, but infects COMMAND.COM instead
Jerusalem Apocalypse
Jerusalem Apocalypse contains the text “Apocalypse !!”. When the virus becomes memory-resident, it will delete any program that runs on Friday the 13th.
Jerusalem T1
When the virus becomes memory-resident, it will delete every executable file on Tuesday the 1st.
Jerusalem Brother. 2
Jerusalem Brother plays Brother Jacques once a minute. A variant called Two Tigers plays the same piece.
Jerusalem nemesis
The virus omits NEMESIS.COM instead of COMMAND.COM and infects COMMAND.COM instead. Jerusalem-Nemesis contains the string “NEMESIS.COM”.
Jerusalem Captain Trip
Jerusalem-Captain Trip contains the strings “Captain Trips” and “SPITFIRE”.
If the year is not 1990 and the day is Friday or a day after the 15th and a program is running, Jerusalem-Captain Trip creates an empty file with the program name. On various other dates, it installs a routine in the timer tick that is activated after 15 minutes. On the 16th, Jerusalem-Captain Trip reprograms the video controller. Jerusalem-Captain Trip has several flaws.
Jerusalem Yellow
Jerusalem-Yellow does not infect any .EXE files. All infected files become 1,363 bytes longer.
45 minutes or 4,096 keystrokes after the virus loads into memory, Jerusalem-Yellow creates a large yellow rectangle with a shadow in the center of the screen and the computer hangs.
Mendoza (Jerusalem Mendoza)
The virus did nothing in 1989 and 1990.
In all other years a flag is set if the virus is memory resident and the position of the diskette motor is 25. The flag is set when a program is executed from a floppy disk.
When the flag is set, any program that is running is cleared.
If the flag is not set, the cursor becomes a block after 30 minutes. After one hour, Caps Lock, Num Lock and Scroll Lock are switched off.
Other variants
- Jerusalem. 1244
- Jerusalem. 1808. Standard
- Jerusalem.Mummy.1364.a
- Standard.SuMsdos
- Standard.Var
- Standard.AA33CCDDEE
- Standard.UMsDos
- Standard.zero
- Standard.Nocommand
- Jan25
- a
- Anarkia. 2
- Puerto
- Spanish
- Messina
- ffd
- 1af
- Critical
- Flag_ee,
- * a204 *
- Brother2
- Brother3
- 2e7
- Emergency13
- b0f
- Phenomena
- 52f
- 7c01
- 6d46
- JVT1
- J
- Friday15
- 3503
- Feb-7th
- Nov30
- sUMFDos
- SKISM
- 5a4
- 65d6
- BSA
- Dragon.
- Lee Morton's lover