Jerusalem (computer virus)

Jerusalem
Common name	Jerusalem
Aliases	Arab Star; Friday 13th; Israeli;
Classification	Unknown
Type	Computer virus
Operating system(s) affected	DOS

Last updated April 30, 2024

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987.^[1] On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM.^[2] COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

The virus code itself hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages if, say, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The Jerusalem virus is unique among other viruses of the time, as it is a logic bomb, set to go off on Friday the 13th on all years but 1987 (making its first activation date 13 May 1988).^[3] Once triggered, the virus not only deletes any program run that day,^[4] but also infects .EXE files repeatedly until they grow too large for the computer.^[5] This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected, significantly slows down the infected computer, thus allowing for easier detection.^[5]^[6] Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines.^[5]

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

Aliases

1808(EXE), due to the virus's length of 1808 bytes.
1813(COM), due to the virus's length of 1813 bytes.^[7]
Friday13th (Note: The name can also refer to two viruses that are unrelated to Jerusalem: Friday-13th-440/Omega and Virus-B), due to its trigger date of Friday the 13th.
Hebrew University, as it was discovered by students who attended Hebrew University.^[1]
Israeli
PLO, due to a belief that it was created by the Palestine Liberation Organization to mark May 13, 1948, the day before Israel Independence Day, apparently the last day Palestine existed as a country.^[7]
Russian
Saturday 14
sUMsDos, referencing a piece of the virus's code.^[7]

Variants

Get Password 1 (GP1): Discovered in 1991, this Novell NetWare-specific virus attempts to gather passwords from the NetWare DOS shell in memory upon user login, which it then broadcasts to a specific socket number on the network where a companion program can recover them. This virus does not work on Novell 2.x and newer versions.^[5]
Suriv Viruses: Viruses that are earlier, more primitive versions of Jerusalem. The Jerusalem virus is considered to be based on Suriv-3, which is a logic bomb triggered when the date is Friday the 13th, switching off the computer on the 13th. In itself, Suriv-3 is based on its predecessors, Suriv-1 and Suriv-2, which are logic bombs triggered on April 1 (April Fools' Day), showing text reading "April 1, ha ha you have a virus!".^[3] Suriv-1 infects .COM files and Suriv-2 infects .EXE files, while Suriv-3 infects both types of files. The name of these viruses comes from spelling "virus" backwards.^[7]
Sunday (Jeru-Sunday): (Main article: Sunday (computer virus))This virus grows files by 1,636 bytes. The variant is intended to delete every program as it is run every Sunday, but software bugs prevent this from happening. On each Sunday, the virus displays the following message:
Today is SunDay! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!^[5]
Variants of Sunday
- Sunday.a: The original Sunday virus.
- Sunday.b: A version of Sunday which has a functional program-deleting function.
- Sunday.1.b: An improvement upon Sunday.b which fixes a bug regarding the Critical Error Handler, which causes problems on write-protected disks.
- Sunday.1.Tenseconds: A variant on Sunday.a which maintains a 10 second delay between messages and sets Sunday as day 0 instead of day 7.
- Sunday.2: A variant on Sunday.a which grows files by 1,733 bytes instead of the original 1,636 bytes.
Anarkia: Anarkia has a trigger date of Tuesday the 13th and uses the self-recognition code "Anarkia".^[8]
PSQR (1720): PQSR infects .COM and .EXE files, but does not infect overlay files or COMMAND.COM. It causes infected .COM files to grow by 1,720 bytes and .EXE files by 1,719-1,733 bytes. It activates on Friday the 13th, and will delete any file run that day. Garbage is written to the master boot record and the nine sectors after the MBR. The virus uses "PQSR" as its self-recognition code, which is located at the end of the file.^[9]
Frère: Frère plays Frère Jacques on Fridays.^[5] It increases the size of infected .COM files by 1,813 bytes and .EXE files by 1,808-1,822 bytes, but does not infect COMMAND.COM.^[10]
Westwood (Jerusalem-Westwood): Westwood causes files to grow by 1,829 bytes. If the virus is memory-resident, Westwood deletes any file run during Friday the 13th.^[11]
Jerusalem 11-30: This virus infects .COM, .EXE, and overlay files, but not COMMAND.COM. The virus infects programs as they are used, and causes infected .COM files to grow by 2,000 bytes and .EXE files to grow by 2,000-2,014 bytes. However, unlike the original Jerusalem virus, it does not re-infect .EXE files.^[12]
Jerusalem-Apocalypse: Developed in Italy, this virus infects programs as they are executed, and will insert the text "Apocalypse!!" in infected files. It causes infected .COM files to grow by 1,813 bytes and .EXE to grow by 1,808-1,822 bytes. It can re-infect .EXE files, and will increase the size of already infected .EXE files by 1,808 bytes.^[8]
Jerusalem-VT1: If the virus is memory-resident, it will delete any file run on Tuesday the 1st.^[8]
Jerusalem-T13: The virus causes .COM and .EXE files to grow by 1,812 bytes. If the virus is memory-resident, it will delete any program run on Tuesday the 13th.
Jerusalem-Sat13: If the virus is memory-resident, it will delete any program run on Saturday the 13th.
Jerusalem-Czech: The virus infects .COM and .EXE files, but not COMMAND.COM. It causes infected .COM files to grow by 1,735 bytes and .EXE files to grow by 1,735-1,749 bytes. It will not delete programs run on Friday the 13th. Jerusalem-Czech has a self-recognition code and a code placement that differ from the original Jerusalem, and is frequently detected as a Sunday variant.^[8]
Jerusalem-Nemesis: This virus inserts the strings "NEMESIS.COM" and "NOKEY" in infected files.^[8]
Jerusalem-Captain Trips: Jerusalem-Captain Trips contains the strings "Captain Trips" and "SPITFIRE". Captain Trips is the name of the apocalyptic plague described in Stephen King's novel The Stand. If the year is any year other than 1990 and the day is a Friday on or after the 15th, Jerusalem-Captain Trips creates an empty file with the same name as any program run that day. On the 16th Jerusalem-Captain Trip re-programs the video controller, and on several other dates it installs a routine in the timer tick that activates when 15 minutes pass. Jerusalem-Captain Trips has several errors.^[8]
Jerusalem-J: The variant causes .COM files to grow by 1,237 bytes and .EXE files by about 1,232 bytes. The virus has no "Jerusalem effects", and originates from Hong Kong.^[5]
Jerusalem-Yellow (Growing Block): Jerusalem-Yellow infects .EXE and .COM files. Infected .COM files grow by 1,363 bytes and .EXE files grow by 1,361-1,375 bytes. Jerusalem-Yellow creates a large yellow box with a shadow in the middle of the screen and the computer hangs.^[13]
Jerusalem-Jan25: If the virus is memory-resident, it will activate on January 25 and will delete any program run that day. Additionally, it does not re-infect .EXE files.^[8]
Skism: The virus will activate on any Friday after the 15th of the month, and causes infected .COM files to grow by 1,808 bytes and infected .EXE to grow by 1,808-1,822 bytes. Additionally, it can re-infect .EXE files.^[8]
Carfield (Jeru-Carfield): The virus causes infected files to grow by 1,508 bytes. If the virus is memory-resident and the day is Monday, the computer will display the string "Carfield!" every 42 seconds.^[14]
Mendoza (Jerusalem Mendoza): The virus does nothing if the year is 1980 or 1989, but for all other years a flag is set if the virus is memory resident and if the floppy disk motor count is 25. The flag will be set if a program is run from a floppy disk. If the flag is set, every program which runs is deleted. If the flag is not set and 30 minutes passes, the cursor is changed to a block. After one hour, Caps Lock, Nums Lock, and Scroll Lock are switched to "Off". Additionally, it does not re-infect .EXE files.^[8]
Einstein: This is a small variant, only 878 bytes, and infects .EXE files.^[5]
Moctezuma: This variant virus is 2,228 bytes and is encrypted.^[5]
Century: This variant is a logic bomb with trigger date of January 1, 2000 that was supposed to display the message "Welcome to the 21st Century". However, no one is sure as to the legitimacy of the virus, as no one has seen it.^[5]
Danube: The Danube virus is a unique variant of Jerusalem, as it has evolved beyond Jerusalem and only reflects very few parts of it. This virus is a multipartite virus, so it has several methods by which it can infect and spread: disk boot sectors as well as .COM and .EXE files. Because of this, how the virus works is dependent upon the origin of the virus (boot sector or program). When a contaminated program is executed, the virus resides in memory, taking 5 kB. Additionally, it will check if it also resides in the active boot sector and will place a copy of itself there if it was not present before. When a computer is booted from a contaminated boot sector/disk, the virus will place itself in memory before the operating system is even loaded. It reserves 5 kB of DOS base memory, and reserves 5 sectors on any disk it infects.^[5]
HK: This variant of Jerusalem originates from Hong Kong, and references one of Hong Kong's technical schools in its code.^[5]
Jerusalem-1767: This virus infects .EXE and .COM files, and will infect COMMAND.COM if it is executes. It causes .COM files to grow by 1,767 bytes and .EXE to grow by 1,767-1,799 bytes. Infected files include the strings "**INFECTED BY FRIDAY 13th**" or "COMMAND.COM".^[15]
Jerusalem-1663: This virus infects .EXE and .COM files, including COMMAND.COM. Once memory resident, it infects programs as they are run. It causes .COM and .EXE files to grow by 1,663 bytes, but it cannot recognize infected files, so it may re-infect both .COM and .EXE files.^[16]
Jerusalem-Haifa: This virus infects .EXE and .COM files, but not COMMAND.COM. It causes .COM files to grow by 2,178 bytes and .EXE files to grow by 1,960-1,974 bytes. Its name is due to the Hebrew word for Haifa, an Israeli city, being in the virus code.^[17]
Phenome: This virus is similar to the Apocalypse variant, but will infect COMMAND.COM. It only activates on Saturdays, and does not allow the user to execute programs. It features the string "PHENOME.COM" and "MsDos".^[8]

Related Research Articles

A COM file is a type of simple executable file. On the Digital Equipment Corporation (DEC) VAX operating systems of the 1970s, .COM was used as a filename extension for text files containing commands to be issued to the operating system. With the introduction of Digital Research's CP/M, the type of files commonly associated with COM extension changed to that of executable files. This convention was later carried over to DOS. Even when complemented by the more general EXE file format for executables, the compact COM files remained viable and frequently used under DOS.

Abraxas, also known as Abraxas5, discovered in April 1993, is an encrypted, overwriting, file infecting computer virus which infects .COM and .EXE files, although it does not infect command.com. It does not become memory resident. Each time an infected file is executed, Abraxas infects the copy of dosshell.com located in the C:\DOS directory, as well as one EXE file in the current directory. Due to a bug in the virus, only the first EXE file in any directory is infected.

Acid is a computer virus which infects .COM and .EXE files including command.com. Each time an infected file is executed, Acid infects all of the .EXE files in the current directory. Later, if an infected file is executed, it infects the .COM files in the current directory. Programs infected with Acid will have had the first 792 bytes of the host program overwritten with Acid's own code. There will be no file length increase unless the original host program was smaller than 792 bytes, in which case it will become 792 bytes in length. The program's date and time in the DOS disk directory listing will not be altered.

Acme is a computer virus which infects MS-DOS EXE files. Each time an infected file is executed, Acme may infect an EXE in the current directory by creating a hidden 247 byte long read-only COM file with the same base name. Acme is a variant of Clonewar, a spawning virus. Acme is also perhaps a descendant of the small single-step infector Zeno, which is not to be confused with the Zeno programming language.

Ada is a computer virus that can affect any of the DOS operating systems. Ada was first discovered in 1991.

AIDS is a DOS computer virus which overwrites COM files.

Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently so the compressed executable can be used in exactly the same way as the original. Executable compressors are often referred to as executable packers, runtime packers, software packers, software protectors, or even "polymorphic packers" and "obfuscating tools".

ABC, discovered in October 1992, is a memory-resident, file-infecting computer virus which infects EXE files and may alter both COM and EXE files. ABC activates on the 13th day of every month.

The Hare Virus was a destructive computer virus which infected DOS and Windows 95 machines in August 1996. It was also known as Hare.7610, Krsna and HD Euthanasia.

Westwood is a computer virus, a variant of the Jerusalem family, discovered August 1990, in Westwood, Los Angeles, California. The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard. Viral infection was first indicated when an early version of Microsoft Word reported internal checksum failure and failed to run.

Scott's Valley [sic] is a computer virus, a member of the Slow virus family and distantly related to the Jerusalem virus family. It was discovered in September 1990 in Scotts Valley, California.

Sunday is a computer virus, a member of the Jerusalem virus family. It was discovered in November 1989 after a number of simultaneous reports from Seattle, Washington, United States, and surrounding areas. Several other Seattle outbreaks, including AirCop, were later traced to Asia.

Alabama is a computer virus, discovered in October 1989 on the campus of the Hebrew University of Jerusalem.

Ontario is a family of computer viruses, named after its point of isolation, the Canadian province of Ontario. This family of computer virus consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant Ontario.512 was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.

OneHalf is a DOS-based polymorphic computer virus discovered in October 1994. It is also known as Slovak Bomber, Freelove or Explosion-II. It infects the master boot record (MBR) of the hard disk, and any files with extensions .COM, .SCR and .EXE. However, it will not infect files that have SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV or CHKDSK in the name.

Eliza is a computer virus discovered in December 1991. It infects COM files including COMMAND.COM. It has been reported that it is defective, yet destroys the .EXE files it creates. The .COM files are not deleted. To avoid detection, it does not alter the dates of files it infects, but increases their length by 1,193 or 1,194 bytes. It is also found in later versions of Windows.

5lo is a computer virus that increases file size and does little more than replicate. Size: 1,032 bytes

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.

References

1 2 שלומי, רועי (2006-02-02). "מבט לאחור: הווירוס הישראלי הראשון". ynet (in Hebrew). Retrieved 2019-03-10.
↑ "Jerusalem". ESET. Retrieved 9 February 2013.
1 2 "Episode 35 - The Jerusalem Virus - Malicious Life Podcast". Malicious Life. Retrieved 2019-03-10.
↑ "Jerusalem,1808". Symantec . Archived from the original on April 3, 2019. Retrieved 2019-03-10.
1 2 3 4 5 6 7 8 9 10 11 12 "Jerusalem Description | F-Secure Labs". www.f-secure.com. Retrieved 2019-03-10.
↑ "JERUSALEM - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.
1 2 3 4 DaBoss (2013-02-27). "Chapter 6 Lehigh/ Jerusalem". Computer Knowledge. Retrieved 2019-03-10.
1 2 3 4 5 6 7 8 9 10 "Online VSUM - Jerusalem Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - 1720 Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Frere Jacques Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Westwood Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Jerusalem 11-30 Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Growing Block Virus". wiw.org. Retrieved 2019-03-27.
↑ "JERUSALEM-10 - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.
↑ "Online VSUM - Jerusalem 1767 Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Jerusalem 1663 Virus". wiw.org. Retrieved 2019-03-27.
↑ "Online VSUM - Jerusalem-Haifa Virus". wiw.org. Retrieved 2019-03-27.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 שלומי, רועי (2006-02-02). "מבט לאחור: הווירוס הישראלי הראשון". ynet (in Hebrew). Retrieved 2019-03-10.

[2] "Jerusalem". ESET. Retrieved 9 February 2013.

[:3-3] 1 2 "Episode 35 - The Jerusalem Virus - Malicious Life Podcast". Malicious Life. Retrieved 2019-03-10.

[4] "Jerusalem,1808". Symantec . Archived from the original on April 3, 2019. Retrieved 2019-03-10.

[:1-5] 1 2 3 4 5 6 7 8 9 10 11 12 "Jerusalem Description | F-Secure Labs". www.f-secure.com. Retrieved 2019-03-10.

[6] "JERUSALEM - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.

[:2-7] 1 2 3 4 DaBoss (2013-02-27). "Chapter 6 Lehigh/ Jerusalem". Computer Knowledge. Retrieved 2019-03-10.

[:4-8] 1 2 3 4 5 6 7 8 9 10 "Online VSUM - Jerusalem Virus". wiw.org. Retrieved 2019-03-27.

[9] "Online VSUM - 1720 Virus". wiw.org. Retrieved 2019-03-27.

[10] "Online VSUM - Frere Jacques Virus". wiw.org. Retrieved 2019-03-27.

[11] "Online VSUM - Westwood Virus". wiw.org. Retrieved 2019-03-27.

[12] "Online VSUM - Jerusalem 11-30 Virus". wiw.org. Retrieved 2019-03-27.

[13] "Online VSUM - Growing Block Virus". wiw.org. Retrieved 2019-03-27.

[14] "JERUSALEM-10 - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.

[15] "Online VSUM - Jerusalem 1767 Virus". wiw.org. Retrieved 2019-03-27.

[16] "Online VSUM - Jerusalem 1663 Virus". wiw.org. Retrieved 2019-03-27.

[17] "Online VSUM - Jerusalem-Haifa Virus". wiw.org. Retrieved 2019-03-27.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]