Jerusalem (computer virus)

Jerusalem
Aliases: Arab Star, Friday 13th, Israeli
Type: Computer virus
Classification: Unknown
Platform: DOS

Jerusalem is a logic-bomb DOS virus first detected at the Hebrew University of Jerusalem in October 1987. [1] On infection, the Jerusalem virus becomes memory resident (using 2 KB of memory) and then infects every executable file that is run, except for COMMAND.COM. [2] .COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected, and are re-infected each time they are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow, because several overlays follow the genuine .EXE image in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail as soon as it is executed.


The virus code itself hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages when, say, it is unable to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalisation of the well-known message "Bad command or file name" as "Bad Command or file name".

The Jerusalem virus was unique among viruses of its time in that it is a logic bomb, set to go off on Friday the 13th in every year except 1987 (making its first activation date 13 May 1988). [3] Once triggered, the virus not only deletes any program run that day, [4] but also infects .EXE files repeatedly until they grow too large for the computer. [5] This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected and significantly slows down the infected computer, which makes detection easier. [5] [6] Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem draws a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines. [5]
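The three indicators the article has described so far (the fixed size growth of infected .COM and .EXE files, the mis-capitalised "Bad Command or file name" string, and the Friday-the-13th trigger that skips 1987) can be turned into a small defender-side triage script. The code below is an added example written for this page; it is not code from the article or from any of the antivirus vendors it cites. The file names, sizes and byte strings are constructed sample data, and comparing against a trusted size baseline is an assumption about how a practitioner would gather the numbers, not a procedure the article describes.

```python
"""Defender-side triage helpers for the Jerusalem indicators described above.

Added example, not code from the original article. File names, sizes and
byte strings below are constructed sample data.
"""
from datetime import date


# Payload trigger as described in the text: Friday the 13th, any year but 1987.
def is_trigger_date(d: date) -> bool:
    return d.day == 13 and d.weekday() == 4 and d.year != 1987


def activation_dates(first_year: int, last_year: int) -> list:
    """All dates in [first_year, last_year] on which the payload would fire."""
    found = []
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            d = date(year, month, 13)
            if is_trigger_date(d):
                found.append(d)
    return found


# Size deltas quoted in the article for infected files.
COM_GROWTH = 1813                               # .COM: once, never re-infected
EXE_GROWTH_MIN, EXE_GROWTH_MAX = 1808, 1823     # .EXE: per infection, may repeat


def classify_growth(name: str, baseline_size: int, current_size: int) -> str:
    """Compare a file's size against a trusted baseline and return a verdict.

    'jerusalem-like:N' means the growth matches N infections of this file
    type; 'changed' means the file grew, but not in the documented pattern.
    """
    delta = current_size - baseline_size
    ext = name.upper().rsplit(".", 1)[-1]
    if delta == 0:
        return "unchanged"
    if delta < 0:
        return "shrunk"
    if ext == "COM":
        return "jerusalem-like:1" if delta == COM_GROWTH else "changed"
    if ext == "EXE":
        # Re-infection adds another 1,808-1,823 bytes each time the file is
        # loaded, so accept any count k whose cumulative range contains delta.
        for k in range(1, delta // EXE_GROWTH_MIN + 1):
            if EXE_GROWTH_MIN * k <= delta <= EXE_GROWTH_MAX * k:
                return f"jerusalem-like:{k}"
        return "changed"
    return "changed"


# The mis-capitalised DOS message the article names as an infection clue.
TELLTALE_MESSAGE = b"Bad Command or file name"


def has_telltale_string(data: bytes) -> bool:
    """True if the byte blob carries the mis-capitalised message."""
    return TELLTALE_MESSAGE in data


def triage(baseline: dict, current: dict, blobs: dict) -> dict:
    """Run both checks over a snapshot and return {name: [findings]}."""
    report = {}
    for name, size in current.items():
        findings = []
        verdict = classify_growth(name, baseline.get(name, size), size)
        if verdict != "unchanged":
            findings.append(verdict)
        if has_telltale_string(blobs.get(name, b"")):
            findings.append("telltale-string")
        if findings:
            report[name] = findings
    return report


# Constructed sample snapshot (not data from a real infection).
SAMPLE_BASELINE = {"EDIT.COM": 4000, "GAME.EXE": 50000, "CALC.EXE": 30000, "COMMAND.COM": 25000}
SAMPLE_CURRENT = {"EDIT.COM": 5813, "GAME.EXE": 53630, "CALC.EXE": 30500, "COMMAND.COM": 25000}
SAMPLE_BLOBS = {"GAME.EXE": b"...Bad Command or file name..."}

if __name__ == "__main__":
    for d in activation_dates(1987, 1989):
        print("payload fires on", d.isoformat())
    for name, findings in triage(SAMPLE_BASELINE, SAMPLE_CURRENT, SAMPLE_BLOBS).items():
        print(name, findings)
```

In the sample data GAME.EXE has grown by 3,630 bytes, which does not match a single infection but does fit two (2 x 1,808 to 2 x 1,823), so the script reports it as two infections; that multiple-increment check is what distinguishes the repeated .EXE re-infection the article describes from the one-off .COM growth. Size heuristics of this kind only work against a baseline taken from known-clean media, and a growth that happens to land in the range is a lead for a signature scan, not proof on its own.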

As a result of the virus hooking the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speed 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop on every timer tick.

Symptoms also include spontaneous disconnection of workstations from networks and the creation of large printer spooling files. The disconnections occur because Jerusalem hooks the same 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations relied on to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

References

  1. שלומי, רועי (2006-02-02). "Looking back: the first Israeli virus". ynet (in Hebrew). Retrieved 2019-03-10.
  2. "Jerusalem". ESET. Retrieved 9 February 2013.
  3. "Episode 35 - The Jerusalem Virus - Malicious Life Podcast". Malicious Life. Retrieved 2019-03-10.
  4. "Jerusalem,1808". Symantec. Archived from the original on April 3, 2019. Retrieved 2019-03-10.
  5. "Jerusalem Description | F-Secure Labs". www.f-secure.com. Retrieved 2019-03-10.
  6. "JERUSALEM - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.
  7. DaBoss (2013-02-27). "Chapter 6 Lehigh/ Jerusalem". Computer Knowledge. Retrieved 2019-03-10.
  8. "Sunday Virus". VSUM. Retrieved 14 February 2013.
  9. "The WildList Organization International". www.wildlist.org. Archived from the original on 2016-12-01. Retrieved 2021-09-15.
  10. "Online VSUM - Jerusalem Virus". wiw.org. Retrieved 2019-03-27.
  11. "Online VSUM - 1720 Virus". wiw.org. Retrieved 2019-03-27.
  12. "Online VSUM - Frere Jacques Virus". wiw.org. Retrieved 2019-03-27.
  13. "Online VSUM - Westwood Virus". wiw.org. Retrieved 2019-03-27.
  14. "Online VSUM - Jerusalem 11-30 Virus". wiw.org. Retrieved 2019-03-27.
  15. "Online VSUM - Growing Block Virus". wiw.org. Retrieved 2019-03-27.
  16. "JERUSALEM-10 - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.
  17. "Online VSUM - Jerusalem 1767 Virus". wiw.org. Retrieved 2019-03-27.
  18. "Online VSUM - Jerusalem 1663 Virus". wiw.org. Retrieved 2019-03-27.
  19. "Online VSUM - Jerusalem-Haifa Virus". wiw.org. Retrieved 2019-03-27.