Sunday (computer virus)

Sunday
Common name: Sunday
Technical name: Jerusalem.Sunday
Aliases: Jerusalem.Sunday
Family: Jerusalem
Classification: Virus
Type: DOS
Subtype: DOS file infector
Isolation: November 1989
Point of isolation: Seattle, Washington, United States
Point of origin: Unknown
Author(s): Unknown

Sunday is a computer virus (program file virus), a member of the Jerusalem virus family. It was discovered in November 1989 [1] after a number of simultaneous reports from Seattle, Washington, United States, and surrounding areas. Several other Seattle outbreaks, including AirCop, were later traced to Asia.

Infection

Sunday is a standard patched Jerusalem variant in the way it infects files. It is a type of program file virus. It is a directly modified version of the original Jerusalem.1803. It infects .EXE, .COM, and .OVL files. Like the original Jerusalem, infected files occasionally become corrupted.

Symptoms

Sunday is less easily identified than the original Jerusalem, in part because of corrected errors and in part because its payload is poorly written and fails to execute.

The capitalization of "Sunday" is reported variously as "Sunday" or "SunDay", and may depend on the variant.

Because of a coding error, the virus fails to execute its payload, which was intended to trigger on Sundays in every year other than 1989. The payload was meant to print the previously indicated text on the screen and then delete all files run while the virus is memory resident, as the original Jerusalem did every Friday the 13th.

Prevalence

The WildList, an organisation tracking computer viruses, listed Sunday as spreading in various forms from shortly after the list was started until 1998. [2] Like all DOS viruses, Sunday suffered with the debut of Windows. It is now considered obsolete, although the virus was common enough that the use of previously dormant files has resulted in recent infections. However, anything other than a localised outbreak is unlikely. [citation needed]

Related Research Articles

Timeline of computer viruses and worms: computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

CIH (computer virus): Windows 9x computer virus

CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus which first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives, and in some cases destroying the system BIOS. The virus was created by Chen Ing-hau who was a student at Tatung University in Taiwan. Sixty million computers were believed to be infected by the virus internationally, resulting in an estimated US$1 billion in commercial damages.

Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest-spreading e-mail worm ever, exceeding previous records set by the Sobig worm and ILOVEYOU, a record which as of 2021 has yet to be surpassed.

Acid is a computer virus which infects .COM and .EXE files including command.com. Each time an infected file is executed, Acid infects all of the .EXE files in the current directory. Later, if an infected file is executed, it infects the .COM files in the current directory. Programs infected with Acid will have had the first 792 bytes of the host program overwritten with Acid's own code. There will be no file length increase unless the original host program was smaller than 792 bytes, in which case it will become 792 bytes in length. The program's date and time in the DOS disk directory listing will not be altered.

AIDS (computer virus) note

AIDS is a computer virus written in Turbo Pascal 3.01a which overwrites COM files. AIDS is the first virus known to exploit the MS-DOS "corresponding file" vulnerability. In MS-DOS, if both foo.com and foo.exe exist, then foo.com will always be executed first. Thus, by creating infected com files, AIDS code will always be executed before the intended exe code.

ABC, discovered in October 1992, is a memory-resident, file-infecting computer virus which infects EXE files and may alter both COM and EXE files. ABC activates on the 13th day of every month.

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

Westwood is a computer virus, a variant of the Jerusalem family, discovered August 1990, in Westwood, Los Angeles, California. The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard. Viral infection was first indicated when an early version of Microsoft Word reported internal checksum failure and failed to run.

Scott's Valley [sic] is a computer virus, a member of the Slow virus family and distantly related to the Jerusalem virus family. It was discovered in September 1990 in Scotts Valley, California.

Alabama is a computer virus, discovered October 1989 on the campus of Hebrew University in Jerusalem, Israel.

Ontario is a family of computer viruses, named after its point of isolation, the Canadian province of Ontario. The family consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant, Ontario.512, was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

Form was a boot sector virus isolated in Switzerland in the summer of 1990 which became very common worldwide. The origin of Form is widely listed as Switzerland, but this may be an assumption based on its isolation locale. The only notable characteristics of Form are that it infects the boot sector instead of the Master Boot Record (MBR) and the clicking noises associated with some infections. Infections under Form can result in severe data damage if operating system characteristics are not identical to those Form assumes.


The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

4k is a computer virus which infects COM files and EXE files. The virus was one of the first to employ stealth tactics. Infected systems will hang after September 22 every year, which is also the date of birth of Bilbo Baggins, a character from The Lord of the Rings. The code was intended to display the message Frodo Lives, but hangs in all known variants.

Computer virus: computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Conficker: computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

ANTI is a computer virus affecting Apple Macintosh computers running classic Mac OS versions up to System 6. It was the first Macintosh virus not to create additional resources within infected files; instead, it patches existing CODE resources.

References

  1. "Sunday Virus". VSUM. Retrieved 14 February 2013.
  2. "The WildList Organization International". www.wildlist.org. Retrieved 2021-09-15.