Jerusalem (computer virus) explained

Full name: Jerusalem
Common name: Jerusalem
Classification: Unknown
Type: Computer virus
Operating system: DOS

Jerusalem is a logic bomb DOS virus first detected at the Hebrew University of Jerusalem in October 1987.[1] On infection, the Jerusalem virus becomes memory resident (using 2 KB of memory) and then infects every executable file that is run, except for COMMAND.COM.[2] .COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected, and are re-infected each time they are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail as soon as it is executed.

The virus code itself hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages if, say, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The Jerusalem virus is unique among viruses of the time in that it is a logic bomb, set to go off on Friday the 13th in every year except 1987 (making its first activation date 13 May 1988).[3] Once triggered, the virus not only deletes any program run that day,[4] but also infects .EXE files repeatedly until they grow too large for the computer.[5] This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected and significantly slows down the infected computer, thus allowing for easier detection.[6] Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines.
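The file-growth figures and the trigger date described above can be turned into a simple triage check. The following is an added example, not part of the original article: it compares file sizes against a known-good baseline and computes payload dates. The function names and the sample inventory are constructed for illustration.

```python
from datetime import date, timedelta

COM_GROWTH = 1813               # bytes added to an infected .COM file (article figure)
EXE_MIN, EXE_MAX = 1808, 1823   # bytes added to an .EXE on each infection (article figure)

def exe_infection_counts(delta):
    """Infection counts n for which n*1808 <= delta <= n*1823; empty if none fits."""
    if delta < EXE_MIN:
        return []
    lo = -(-delta // EXE_MAX)   # ceil(delta / EXE_MAX)
    hi = delta // EXE_MIN
    return list(range(lo, hi + 1))

def classify(name, baseline_size, current_size):
    """Label one file by comparing its size with a known-good baseline."""
    delta = current_size - baseline_size
    upper = name.upper()
    if upper.endswith(".COM"):
        # .COM files are infected only once, so only the exact growth matches.
        return "suspect-com" if delta == COM_GROWTH else "no-match"
    if upper.endswith(".EXE"):
        counts = exe_infection_counts(delta)
        # From 121 infections on, the per-count ranges overlap and any growth fits.
        return f"suspect-exe x{counts[0]}" if counts else "no-match"
    return "not-executable"

def is_payload_date(d):
    """Friday the 13th in any year except 1987 (trigger described in the article)."""
    return d.day == 13 and d.weekday() == 4 and d.year != 1987

def next_payload_date(start):
    """First payload date on or after start."""
    d = start
    while not is_payload_date(d):
        d += timedelta(days=1)
    return d

# Constructed sample inventory: (file name, baseline size, current size).
SAMPLE = [
    ("EDIT.COM", 4000, 5813),
    ("FORMAT.COM", 11000, 11000),
    ("WS.EXE", 60000, 65440),      # 5440 bytes fits exactly 3 infections
    ("CHKDSK.EXE", 9000, 11000),   # 2000 bytes falls between 1 and 2 infections
]

if __name__ == "__main__":
    for name, base, cur in SAMPLE:
        print(f"{name:12} {cur - base:+6d}  {classify(name, base, cur)}")
    print("next payload date:", next_payload_date(date(1987, 10, 1)))
```

A size check of this kind misses the .EXE files that are infected without growing, so a "no-match" result does not show that a file is clean.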

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and the creation of large printer spooling files. Disconnections occur because Jerusalem uses the low-level DOS 'interrupt 21h' functions that Novell NetWare and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

Notes and References

  1. News: A look back: the first Israeli virus (in Hebrew). 2006-02-02. ynet. he. 2019-03-10. שלומי, רועי.
  2. Web site: Jerusalem. ESET. 9 February 2013.
  3. Web site: Episode 35 - The Jerusalem Virus - Malicious Life Podcast. Malicious Life. 2019-03-10.
  4. Web site: Jerusalem,1808. https://www.symantec.com/security-center/writeup/2000-121416-4146-99 (dead link). Archived: https://web.archive.org/web/20190403174512/https://www.symantec.com/security-center/writeup/2000-121416-4146-99. April 3, 2019. Symantec. 2019-03-10.
  5. Web site: Jerusalem Description F-Secure Labs. www.f-secure.com. en. 2019-03-10.
  6. Web site: JERUSALEM - Threat Encyclopedia - Trend Micro US. www.trendmicro.com. 2019-03-27.
  7. Web site: Chapter 6 Lehigh/ Jerusalem. DaBoss. 2013-02-27. Computer Knowledge. en-US. 2019-03-10.
  8. Web site: Online VSUM - Jerusalem Virus. wiw.org. 2019-03-27.
  9. Web site: Online VSUM - 1720 Virus. wiw.org. 2019-03-27.
  10. Web site: Online VSUM - Frere Jacques Virus. wiw.org. 2019-03-27.
  11. Web site: Online VSUM - Westwood Virus. wiw.org. 2019-03-27.
  12. Web site: Online VSUM - Jerusalem 11-30 Virus. wiw.org. 2019-03-27.
  13. Web site: Online VSUM - Growing Block Virus. wiw.org. 2019-03-27.
  14. Web site: JERUSALEM-10 - Threat Encyclopedia - Trend Micro US. www.trendmicro.com. 2019-03-27.
  15. Web site: Online VSUM - Jerusalem 1767 Virus. wiw.org. 2019-03-27.
  16. Web site: Online VSUM - Jerusalem 1663 Virus. wiw.org. 2019-03-27.
  17. Web site: Online VSUM - Jerusalem-Haifa Virus. wiw.org. 2019-03-27.