Jerusalem, Israeli


The Jerusalem virus is one of the oldest and most common viruses around. As a result there are numerous variants of it. It will infect both .EXE and .COM files, but the first version of the virus contained a bug, which caused it to infect .EXE files over and over, until they became too large for the computer.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support


Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Jerusalem activates on every Friday the 13th, deleting programs run on that day. 30 minutes after an infected program is run, the virus will also cause a general slowdown of the computer and make a part of the screen scroll up two lines. This has been disabled in some variants of the virus, which makes them much harder to detect.

Variant:Suriv 3.00

This probably the original version of the virus, but it produces the side-effects described above 30 seconds after an infected program was run, which made it much easier to detect.


This variant is reported to become active on Jan. 1. 2000 and then display the following text:

Welcome to the 21st Century

The programmer does not seem to have known that the 21st century does not start until a year later. This variant may well be a myth - no virus researcher has a copy of it.


Instead of activating on Friday the 13th, Sunday will activate if the current day of the week is Sunday and display the message:

Today is SunDay! Why do you work so hard?

 All work and no play make you a dull boy!

 Come on! Let's go out and have some fun!

Apart from this the viruses are very similar. A second variant, Sunday-2 is also known, containing some minor changes.

Variant:1361, 1600, 1767, A-204, Anarkia, Apocalypse, Barcelona, Captain Trips, Carfield, CNDER, Clipper, Count, Discom, IRA, Mendoza, Messina, Miky, Mummy, Nemesis, Nov 30., Payday, Phenome PSQR, Pipi, Puerto, Spanish, Sub-Zero, T13, Timor, Triple, Virus #2, Westwood

Some of these variants are only different in minor ways - different activation dates and other minor changes. Sometimes the changes only involve the reordering of a few instructions, perhaps to prevent the virus from being detected by some virus scanning program.


Danube variant is a multipartition virus that contaminates both COM and EXE files and disk boot sectors. The operating method of the virus varies depending on whether the infection is contracted from a contaminated program or a boot sector.

When a contaminated program is executed, the virus remains in memory as a TSR (Terminate and Stay Resident). It reserves five kilobytes of memory for itself.

The presence of the virus can be detected with the DOS's MEM /C command, which reports that the executed program has remained in memory like a normal TSR. After this, all executed COM and EXE files but COMMAND.COM are contaminated. During the execution the virus also checks the boot sector of the disk in question. If it has not been infected, the virus writes its code there, too. When a computer is booted from an infected disk (either a diskette or a hard disk), the virus goes resident in memory even before DOS is loaded. The virus reduces the amount of DOS base memory by five kilobytes. This can be verified with, for example, the commands MEM and CHKDSK. When infecting a disk, the virus reserves five sectors altogether for its own use - the location of these sectors depends on the size of the disk.

The virus also contains some bugs. It cannot, for example, infect 360-kilobyte diskettes correctly. Besides this the virus corrupts command line parameters given to a program.

The corruption of parameters is common to file viruses, and it occurs because the viruses neglect to transfer the Disk Transfer Area (DTA) out of the Program Segment Prefix (PSP), in which it's located by default. PSP normally contains the parameters given from the command line. They are overwritten when the virus initiates its disk operations. If parameters given to a program do not seem to reach it, it should give reason to check the computer for viruses.

Jerusalem.AntiCAD.4096.Danube is, at any rate, an example of the viral evolution - it contains only a fraction of the original Jerusalem virus. The first version of Jerusalem was written as early as 1986.

Variant:Frere Jacques, Groen Links, Kylie

These variants have been reported to play a tune when they activate, but this seems to be a misunderstanding in the case of the Groen Links virus.


This very small variant (only 878 bytes long) seems only able to infect .EXE files


An encrypted, 2228 byte variant.


Jerusalem.GP1 virus captures Novell NetWare login packets that contain the users password and broadcasts this password to a particular node.

This technique does not work under Novell versions 2.x and newer.


This variant originates from Hong Kong and contains a reference to 'Vtech', which is the technical university in Hong Kong. The J variant of Jerusalem also originates from Hong Kong.