┌─────────────────────────────┐
│        VIRUS REPORT         │
│       Jerusalem Virus       │
└─────────────────────────────┘

Synonyms: Israeli, Friday the 13th, Black Hole, Black Box, PLO, 1808 (EXE), 1813 (COM), sUMsDos, Russian.

Date of Origin: December 24, 1987 (date first detected in Israel).

Place of Origin: Israel.

Host Machine: PC compatibles.

Host Files: Remains resident. Infects COM, EXE, overlay files.

Increase in Size of Infected Files: 1808 bytes for EXE files (usually), 1813 bytes for COM files.

Nature of Damage: Affects system run-time operation. Corrupts program or overlay files.

Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.

Removed by: CleanUp, UNVIRUS, IMMUNE, M-J, Scan/D/A, Saturday, F-Prot.

Derived from: Suriv03

Scan Code: 8E D0 BC 00 07 50 B8 C5 00 50 CB FC 06 2E 8C 06 31 00 2E 8C 06 39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0. You can also search at offset 095H for FC B4 E0 CD 21 80 FC E0 73 16.

History: The Jerusalem virus was first discovered at the Hebrew University in Jerusalem on December 24, 1987, and reported to the virus research community by Y. Radai of the Hebrew University of Jerusalem. My personal suspicion is that the virus was written by a Palestinian, or other enemy of Israel, and planted within Israel. Israel was declared an independent state on May 14, 1948. Friday, May 13, 1988 would have been 40 years in which Palestine was no longer sovereign. Although it was detected in late 1987, it contained code to prevent it from going off until May 13, 1988. Other viruses set to go off on Friday the 13th are likely copy-cats, whose authors simply thought that Friday the 13th was unlucky, wanted a trigger date, and thought this would do fine.

Operation: This virus is a memory resident infector. Any "clean program" run after an infected program is run will become infected. Both COM and EXE files are infected. The virus occurs attached to the beginning of a COM file, or the end of an EXE file. A COM file also has the five-byte marker attached to the end.
This marker is usually (but not always) "MsDos", and is preceded in the virus by "sU". "sUMsDos" is not usually found in newer varieties of this virus. COM files increase in length by 1813 bytes. EXE files usually increase by 1808 bytes, but the displacement at which to write the virus is taken from the length in the EXE header and not the actual length. This means that part or all of this 1808 bytes may be overwritten on the end of the host program.

It becomes memory-resident when the first infected program is run, and it will then infect every program run except COMMAND.COM. COM files are infected once only, EXE files are re-infected each time they are run.

Interrupt 8 is redirected. After the system has been infected for thirty minutes (by running an infected program), an area of the screen from row 5 column 5 to row 16 column 16 is scrolled up two lines, creating a black two-line "window". From this point a time-wasting loop is executed with each timer interrupt, slowing the system down by a factor of 10. If the system was infected with a system date of Friday the thirteenth, every program run will be deleted instead. This will continue irrespective of the system date until the machine is rebooted.

The end of the virus, from offset 0600H, is rubbish and will vary from sample to sample. Jerusalem contains a flaw which makes it re-infect EXE (but not COM) files over and over (up to five times or until the file becomes too big to fit into memory, whichever comes first).

The names 1808 and 1813 come from the fact that files grow by 1808 or 1813 bytes, without changing their date and time or read/write/hidden attributes. COMMAND.COM does not grow, to help it avoid detection. In fact, it seems likely that the disk version of COMMAND.COM is not modified, but that the in-memory copy of COMMAND.COM is modified when an infected program is run.
The virus causes some intentional damage:

* There is code in the virus for deleting each program that you run on every Friday 13th. On January 13 (Friday), 1989, this virus made a shambles of hundreds of PC-compatibles in Britain.
* The virus re-directs interrupt 8 (among others) and one-half hour after an infected program loads, the new timer interrupt introduces a delay which slows down the processor by a factor of 10 (see figure).

It is difficult to estimate the total dollar value of damage done by this virus to date. In just one case, reported in the Israeli newspaper Maariv, it destroyed $15,000 worth of software and two disks in which 7,000 hours of work had been invested.

Disinfection can be a complex process. UNVIRUS will easily eradicate this virus and 5-6 others as well. IMMUNE will prevent further infection. Alternatively, shareware programs written by Dave Chamber and distributed through bulletin boards under the name M-J may be used. M-J removes the virus from hard disks; M-JFA removes the virus from floppy disks that are inserted into the system's A drive; M-JFB removes the virus from floppy disks that are inserted into the system's B drive.

Alternatively, here is the process for removal:

* Power down the system.
* Boot from a write-protected, clean system master diskette.
* Delete all of the infected programs as indicated by VIRUSCAN.
* Replace the programs from original write-protected program distribution diskettes.
* Do not execute any program from the infected hard disk until the disinfection process is complete.
* After cleaning all hard drives in the infected system, all floppies that have come into contact with the system should be SCANned and disinfected in the same manner.

Another means of detection: using PCtools or another text search utility, search for the ASCII string "sUMsDos". This string is present in all copies of this particular virus strain.
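An added detection routine, written for this page and not part of the NCSA report or any scanner it names: it checks a file image for the three indicators the report gives (the scan code, the bytes at offset 095H, and the "sUMsDos" string) and, for MZ executables, reports how many bytes lie beyond the length declared in the EXE header, since the report says the virus is written at that header length. The sample byte strings are constructed here for the test, not real samples.

```python
import struct

# Byte patterns quoted in the report above; "MsDos" is preceded by "sU"
# in the original strain, giving the "sUMsDos" search string.
JERUSALEM_SIG = bytes.fromhex(
    "8E D0 BC 00 07 50 B8 C5 00 50 CB FC 06 2E 8C 06 31 00 "
    "2E 8C 06 39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0")
JERUSALEM_SIG_AT_095H = bytes.fromhex("FC B4 E0 CD 21 80 FC E0 73 16")
MARKER = b"sUMsDos"
EXE_GROWTH = 1808   # EXE growth figure from the report

def mz_declared_size(data):
    """Image size declared by an MZ header, or 0 if data is not an MZ file.
    e_cblp (bytes in last 512-byte page) is at offset 2, e_cp (pages) at 4."""
    if len(data) < 6 or data[:2] != b"MZ":
        return 0
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512

def scan_for_jerusalem(data):
    """Check one file image for the indicators the report lists."""
    at_095h = data[0x95:0x95 + len(JERUSALEM_SIG_AT_095H)]
    hits = {
        "scan_code": JERUSALEM_SIG in data,
        "sig_at_095h": at_095h == JERUSALEM_SIG_AT_095H,
        "sumsdos_marker": MARKER in data,
    }
    # The virus is written at the length recorded in the EXE header, so an
    # EXE longer than its header declares carries an appended tail (1808 bytes
    # for the original strain). A non-MZ image reports 0.
    declared = mz_declared_size(data)
    hits["exe_overhang"] = len(data) - declared if declared else 0
    hits["infected"] = (hits["scan_code"] or hits["sig_at_095h"]
                        or hits["sumsdos_marker"])
    return hits

# Constructed test images (hypothetical, not real samples): a COM-shaped blob
# with the 095H bytes and the trailing marker, a clean 16-byte MZ stub, and
# that stub with a 1808-byte tail carrying the scan code.
SAMPLE_INFECTED_COM = (b"\x90" * 0x95 + JERUSALEM_SIG_AT_095H
                       + b"\x00" * 100 + b"sU" + b"MsDos")
SAMPLE_CLEAN_EXE = b"MZ" + struct.pack("<HH", 16, 1) + b"\x00" * 10
SAMPLE_INFECTED_EXE = (SAMPLE_CLEAN_EXE + JERUSALEM_SIG
                       + b"\x00" * (EXE_GROWTH - len(JERUSALEM_SIG)))

if __name__ == "__main__":
    for name, image in [("infected COM", SAMPLE_INFECTED_COM),
                        ("clean EXE", SAMPLE_CLEAN_EXE),
                        ("infected EXE", SAMPLE_INFECTED_EXE)]:
        print(name, scan_for_jerusalem(image))
```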
╔════════════════════════════════════════════════════════════════════╗
║ This document was adapted from the book "Computer Viruses",        ║
║ which is copyright and distributed by the National Computer        ║
║ Security Association. It contains information compiled from        ║
║ many sources. To the best of our knowledge, all information        ║
║ presented here is accurate.                                        ║
║                                                                    ║
║ Please send any updates or corrections to the NCSA, Suite 309,     ║
║ 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS   ║
║ and upload the information: (202) 364-1304. Or call us voice at    ║
║ (202) 364-8252. This version was produced May 22, 1990.            ║
║                                                                    ║
║ The NCSA is a non-profit organization dedicated to improving       ║
║ computer security. Membership in the association is just $45 per   ║
║ year. Copies of the book "Computer Viruses", which provides        ║
║ detailed information on over 145 viruses, can be obtained from     ║
║ the NCSA. Member price: $44; non-member price: $55.                ║
║                                                                    ║
║ The document is copyright (c) 1990 NCSA.                           ║
║                                                                    ║
║ This document may be distributed in any format, providing          ║
║ this message is not removed or altered.                            ║
╚════════════════════════════════════════════════════════════════════╝

Downloaded From P-80 International Information Systems 304-744-2253