Additional Details
Jerusalem activates on every Friday the 13th, deleting programs run on that
day. 30 minutes after an infected program is run, the virus will also
cause a general slowdown of the computer and make a part of the screen
scroll up two lines. This has been disabled in some variants of the virus,
which makes them much harder to detect.
This is probably the original version of the virus, but it produces the
side-effects described above 30 seconds after an infected program was run,
which made it much easier to detect.
This variant is reported to become active on Jan. 1, 2000 and
then display the following text:
Welcome to the 21st Century
The programmer does not seem to have known that the 21st century does not
start until a year later. This variant may well be a myth - no virus
researcher has a copy of it.
Instead of activating on Friday the 13th, Sunday will activate if the
current day of the week is Sunday and display the message:
Today is SunDay! Why do you work so hard?
All work and no play make you a dull boy!
Come on! Let's go out and have some fun!
Apart from this the viruses are very similar. A second variant, Sunday-2
is also known, containing some minor changes.
| VARIANT: | 1361, 1600, 1767, A-204, Anarkia, Apocalypse, Barcelona |
| VARIANT: | Captain Trips, Carfield, CNDER, Clipper, Count, Discom, IRA |
| VARIANT: | Mendoza, Messina, Miky, Mummy, Nemesis, Nov 30., Payday |
| VARIANT: | Phenome PSQR, Pipi, Puerto, Spanish, Sub-Zero, T13, Timor |
| VARIANT: | Triple, Virus #2, Westwood |
Some of these variants are only different in minor ways - different
activation dates and other minor changes. Sometimes the changes only
involve the reordering of a few instructions, perhaps to prevent the virus
from being detected by some virus scanning program.
The Danube variant is a multipartite virus that contaminates both COM
and EXE files and disk boot sectors. The operating method of the virus
varies depending on whether the infection is contracted from a
contaminated program or a boot sector.
When a contaminated program is executed, the virus remains in memory as
a TSR (Terminate and Stay Resident). It reserves five kilobytes of
memory for itself.
The presence of the virus can be detected with the DOS MEM /C command,
which reports that the executed program has remained in memory like a
normal TSR. After this, all executed COM and EXE files except COMMAND.COM
are contaminated. During the execution the virus also checks the boot
sector of the disk in question. If it has not been infected, the virus
writes its code there, too.
When a computer is booted from an infected disk (either a diskette or a
hard disk), the virus goes resident in memory even before DOS is loaded.
The virus reduces the amount of DOS base memory by five kilobytes. This
can be verified with, for example, the commands MEM and CHKDSK. When
infecting a disk, the virus reserves five sectors altogether for its own
use - the location of these sectors depends on the size of the disk.
The virus also contains some bugs. It cannot, for example, infect
360-kilobyte diskettes correctly. Besides this, the virus corrupts
command line parameters given to a program.
The corruption of parameters is common to file viruses, and it occurs
because the viruses neglect to transfer the Disk Transfer Area (DTA) out
of the Program Segment Prefix (PSP), in which it is located by default.
The PSP normally contains the parameters given from the command line.
They are overwritten when the virus initiates its disk operations. If
parameters given to a program do not seem to reach it, that is reason
enough to check the computer for viruses.
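The overwrite described above, modelled as an added example (not code from the original description or from any virus): a constructed 256-byte PSP whose command tail sits at offset 80h, which is also the default DTA, and a simulated DOS FindFirst that writes its 43-byte search record to the current DTA. The file name, file size, timestamps and reserved-area filler are constructed sample values.

```python
import struct

PSP_SIZE = 0x100   # the PSP is 256 bytes
TAIL_OFF = 0x80    # length byte, tail text, then CR (0x0D); also the default DTA

def make_psp(args):
    """Build a constructed PSP that holds only the command tail."""
    tail = args.encode("ascii")
    if len(tail) > 126:
        raise ValueError("command tail does not fit in the PSP")
    psp = bytearray(PSP_SIZE)
    psp[TAIL_OFF] = len(tail)
    psp[TAIL_OFF + 1:TAIL_OFF + 1 + len(tail)] = tail
    psp[TAIL_OFF + 1 + len(tail)] = 0x0D
    return psp

def read_tail(mem):
    """Return the command tail, or None when length byte and CR disagree."""
    n = mem[TAIL_OFF]
    end = TAIL_OFF + 1 + n
    if n > 126 or mem[end] != 0x0D:
        return None
    return bytes(mem[TAIL_OFF + 1:end]).decode("ascii", "replace")

def find_first(mem, dta_off, name, size):
    """Write a 43-byte search record at the DTA, as DOS FindFirst does."""
    rec = struct.pack("<21sBHHI13s",
                      b"\x03" + b"?" * 8 + b"COM",  # reserved area, constructed filler
                      0x20, 0x6000, 0x1A8D, size,   # attribute, time, date, file size
                      name.encode("ascii"))         # ASCIIZ file name
    mem[dta_off:dta_off + len(rec)] = rec

def run(args, relocate_dta):
    """Do one directory search in the host's context, then re-read the tail."""
    mem = make_psp(args) + bytearray(128)           # PSP followed by a private buffer
    # A careful resident program first moves the DTA (INT 21h, AH=1Ah).
    dta = PSP_SIZE if relocate_dta else TAIL_OFF
    find_first(mem, dta, "EDITOR.COM", 12345)
    return read_tail(mem)

if __name__ == "__main__":
    for relocate in (True, False):
        print("DTA relocated:", relocate, "-> tail:", run(" /B REPORT.TXT", relocate))
```

With the DTA left at its default, the search record lands on the length byte and the tail text, so the host program sees no usable parameters; with the DTA moved to a private buffer the tail survives.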
Jerusalem.AntiCAD.4096.Danube is, at any rate, an example of viral
evolution - it contains only a fraction of the original Jerusalem virus.
The first version of Jerusalem was written as early as 1986.
| VARIANT: | Frere Jacques, Groen Links, Kylie |
These variants have been reported to play a tune when they activate, but
this seems to be a misunderstanding in the case of the Groen Links virus.
This very small variant (only 878 bytes long) seems only able to infect
.EXE files.
An encrypted, 2228 byte variant.
The Jerusalem.GP1 virus captures Novell NetWare login packets that contain
the user's password and broadcasts this password to a particular
node.
This technique does not work under Novell versions 2.x and newer.
This variant originates from Hong Kong and contains a reference
to 'Vtech', which is the technical university in Hong Kong.
The J variant of Jerusalem also originates from Hong Kong.