Threat Description

Jerusalem

Details

Aliases: Jerusalem, Israeli
Category: Malware
Type: Virus
Platform: W32

Summary



The Jerusalem virus is one of the oldest and most common viruses around. As a result there are numerous variants of it. It infects both .EXE and .COM files, but the first version of the virus contained a bug that caused it to reinfect .EXE files over and over, until they grew too large to run.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Jerusalem activates on every Friday the 13th, deleting programs run on that day. 30 minutes after an infected program is run, the virus will also cause a general slowdown of the computer and make a part of the screen scroll up two lines. This has been disabled in some variants of the virus, which makes them much harder to detect.


Variant:Suriv 3.00

This is probably the original version of the virus, but it produces the side-effects described above 30 seconds after an infected program is run, which made it much easier to detect.


Variant:Century

This variant is reported to become active on Jan. 1, 2000 and then display the following text:

Welcome to the 21st Century

The programmer does not seem to have known that the 21st century does not start until a year later. This variant may well be a myth - no virus researcher has a copy of it.


Variant:Sunday

Instead of activating on Friday the 13th, Sunday will activate if the current day of the week is Sunday and display the message:

  Today is SunDay! Why do you work so hard?
  All work and no play make you a dull boy!
  Come on! Let's go out and have some fun!

Apart from this the viruses are very similar. A second variant, Sunday-2, is also known, containing some minor changes.


Variant:1361, 1600, 1767, A-204, Anarkia, Apocalypse, Barcelona, Captain Trips, Carfield, CNDER, Clipper, Count, Discom, IRA, Mendoza, Messina, Miky, Mummy, Nemesis, Nov 30., Payday, Phenome PSQR, Pipi, Puerto, Spanish, Sub-Zero, T13, Timor, Triple, Virus #2, Westwood

Some of these variants are only different in minor ways - different activation dates and other minor changes. Sometimes the changes only involve the reordering of a few instructions, perhaps to prevent the virus from being detected by some virus scanning program.


Variant:Danube

The Danube variant is a multipartite virus that infects both COM and EXE files and disk boot sectors. The way the virus operates depends on whether the infection was contracted from an infected program or from a boot sector.

When an infected program is executed, the virus stays resident in memory as a TSR (Terminate and Stay Resident) program. It reserves five kilobytes of memory for itself.

The presence of the virus can be detected with the DOS MEM /C command, which reports that the executed program has remained in memory like a normal TSR. After this, all executed COM and EXE files except COMMAND.COM are infected. During execution the virus also checks the boot sector of the disk in question; if it has not been infected, the virus writes its code there, too. When a computer is booted from an infected disk (either a diskette or a hard disk), the virus goes resident in memory even before DOS is loaded. The virus reduces the amount of DOS base memory by five kilobytes, which can be verified with, for example, the MEM and CHKDSK commands. When infecting a disk, the virus reserves five sectors altogether for its own use; the location of these sectors depends on the size of the disk.

The virus also contains some bugs. It cannot, for example, infect 360-kilobyte diskettes correctly. Besides this, the virus corrupts command-line parameters given to a program.

The corruption of parameters is common among file viruses. It occurs because the virus neglects to move the Disk Transfer Area (DTA) out of the Program Segment Prefix (PSP), where DOS places it by default. The PSP normally holds the parameters given on the command line, and they are overwritten when the virus starts its disk operations. If parameters given to a program do not seem to reach it, that is a reason to check the computer for viruses.
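To make the DTA/PSP overlap described above concrete, here is an added example (constructed for this page; not F-Secure's code and not a real DOS program): it models a PSP in memory and shows a directory search through the default DTA wiping out the command tail, beside the save/set/restore sequence a well-behaved resident program uses. The PSP layout and the INT 21h function numbers in the comments are standard DOS; everything else is a simulation.

```c
#include <string.h>

/* Constructed model of a DOS Program Segment Prefix (PSP); not real DOS code.
 * DOS stores the command tail at PSP offset 80h (length byte, then text) and
 * also places the default Disk Transfer Area (DTA) at 80h, so the two overlap. */
#define PSP_SIZE         256
#define PSP_CMD_TAIL     0x80
#define FIND_RECORD_SIZE 43   /* size of the record a FindFirst call writes to the DTA */

typedef struct {
    unsigned char  psp[PSP_SIZE];
    unsigned char *dta;   /* current DTA, as tracked by INT 21h AH=1Ah (set) / AH=2Fh (get) */
} dos_process_t;

/* Program load: DOS copies the command tail to PSP:80h and sets the DTA to PSP:80h. */
static void load_program(dos_process_t *p, const char *args) {
    size_t n = strlen(args);
    memset(p->psp, 0, PSP_SIZE);
    p->psp[PSP_CMD_TAIL] = (unsigned char)n;
    memcpy(&p->psp[PSP_CMD_TAIL + 1], args, n);
    p->psp[PSP_CMD_TAIL + 1 + n] = '\r';
    p->dta = &p->psp[PSP_CMD_TAIL];
}
/* Directory search (INT 21h AH=4Eh FindFirst): DOS fills whatever the DTA points at. */
static void find_first(dos_process_t *p) {
    memset(p->dta, 0xEE, FIND_RECORD_SIZE);   /* constructed filler for the 43-byte record */
}
/* Returns 1 if the command tail in the PSP still reads `expected`, else 0. */
static int tail_intact(const dos_process_t *p, const char *expected) {
    size_t n = p->psp[PSP_CMD_TAIL];
    return n == strlen(expected) && memcmp(&p->psp[PSP_CMD_TAIL + 1], expected, n) == 0;
}
/* Sloppy pattern from the text: resident code searches the disk through the default DTA. */
int disk_op_default_dta(const char *args) {
    dos_process_t p;
    load_program(&p, args);
    find_first(&p);                 /* clobbers PSP:80h, i.e. the host's parameters */
    return tail_intact(&p, args);   /* 0: the parameters never reach the program */
}
/* Correct pattern: save the DTA, point it at a private buffer, restore it before returning. */
int disk_op_private_dta(const char *args) {
    dos_process_t p;
    unsigned char private_dta[FIND_RECORD_SIZE];
    load_program(&p, args);
    unsigned char *saved = p.dta;   /* AH=2Fh: get DTA */
    p.dta = private_dta;            /* AH=1Ah: set DTA */
    find_first(&p);
    p.dta = saved;                  /* restore it for the host program */
    return tail_intact(&p, args);   /* 1: parameters preserved */
}
```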

Jerusalem.AntiCAD.4096.Danube is, at any rate, an example of viral evolution: it contains only a fraction of the original Jerusalem virus. The first version of Jerusalem was written as early as 1986.


Variant:Frere Jacques, Groen Links, Kylie

These variants have been reported to play a tune when they activate, but this seems to be a misunderstanding in the case of the Groen Links virus.


Variant:Einstein

This very small variant (only 878 bytes long) seems only able to infect .EXE files.


Variant:Moctezuma

An encrypted, 2228 byte variant.


Variant:GP1

The Jerusalem.GP1 virus captures Novell NetWare login packets that contain the user's password and broadcasts this password to a particular node.

This technique does not work under Novell versions 2.x and newer.


Variant:HK

This variant originates from Hong Kong and contains a reference to 'Vtech', which is the technical university in Hong Kong. The J variant of Jerusalem also originates from Hong Kong.
