[comp.virus] Jerusalem Virus

CTDONATH%SUNRISE.BITNET@VMA.CC.CMU.EDU (10/18/89)

Can anyone give details about what the Jerusalem Virus does? It's
floating around a PS/2 cluster here, and I want to know how dangerous
it really is.  It seems to delete files one at a time on Friday 13,
becomes memory resident, slows down the system slightly, and
occasionally puts a black spot on the screen. I would like details
without having to dissect a copy of it...

ST7751%SIUCVMB.BITNET@VMA.CC.CMU.EDU (Chris Beckenbach) (11/09/89)

The Jerusalem virus has turned up here at Southern Illinois
University, also.  From dissecting a copy of the virus, and an article
in the February 15, 1989 edition of Datamation ("The Virus Cure", by
John McAfee, pp. 29-40), the Jerusalem virus (called the Israeli virus
in the Datamation article) does the following:

When an infected .EXE or .COM file is loaded and run, the Jerusalem
virus checks to see if it is already resident in the computer.  If
not, it sets itself up to intercept DOS INT 21h, then proceeds to run
the infected program normally.  Whenever a call is made to INT 21h to
execute a program (function 4Bh), the virus will append itself to the
program file on the disk and set itself up as the entry point for that
program.  This adds 1808 bytes of length to the file, but does not
change the time/date stamp.  If the disk is write-protected, no error
will be given, and the file will not be infected.  The copy of the
virus that I have been looking at infects .EXE files multiple times
(the Datamation article says that this is a bug that has been "fixed"
by hackers in other versions), so usually the major problem with this
virus will be that it will waste memory and disk space.  John McAfee's
article also says that this multiple infection does not occur with
COM files, but I have not verified this.  The most serious aspect of
this virus is that when the system date is Friday the 13th (except
when the year is 1987--this virus was first discovered in 1987, so
this was probably written in to give it time to spread) any call to
execute a .COM or .EXE file will result in the file's being deleted
from the disk.

I have been informed that Flushot will take the virus out of infected
programs, so if you have the virus and Flushot, you might want to try
this.

Hope this has been of help.

Chris Beckenbach              ST7751@SIUCVMB
Computer Science major        Southern Illinois University
Carbondale, Illinois

        "I think, therefore I think I am--I think."
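
An added example, not part of the original posts: a defender-side baseline check built on the file-level symptoms reported above (1808 bytes of growth per infection, an unchanged time/date stamp, and deletion of executables). The function names and the sample tree are constructed for illustration, and the check assumes a size/timestamp baseline taken while the files were known to be clean.

```python
import os
import tempfile
from pathlib import Path

VIRUS_LEN = 1808               # growth per infection, as reported in the post
EXEC_EXTS = {".exe", ".com"}   # file types the post says are infected

def snapshot(root):
    """Map each .EXE/.COM under root to (size, mtime in whole seconds)."""
    files = [p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in EXEC_EXTS]
    return {str(p.relative_to(root)): (p.stat().st_size, int(p.stat().st_mtime))
            for p in files}

def compare(baseline, current):
    """Return (name, reason) for files that grew silently or vanished."""
    findings = []
    for name, (old_size, old_mtime) in sorted(baseline.items()):
        if name not in current:
            findings.append((name, "missing since baseline"))
            continue
        size, mtime = current[name]
        growth = size - old_size
        if growth > 0 and mtime == old_mtime:
            reason = f"grew {growth} bytes with unchanged timestamp"
            if growth % VIRUS_LEN == 0:   # repeated growth, as seen on .EXE
                reason += f" ({growth // VIRUS_LEN} x {VIRUS_LEN})"
            findings.append((name, reason))
    return findings

def demo():
    """Constructed sample tree; zero padding stands in for appended bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("EDIT.EXE", "FORMAT.COM", "GAME.COM", "TOOL.EXE"):
            Path(root, name).write_bytes(b"\x00" * 4000)
        baseline = snapshot(root)
        # (file, bytes appended, seconds added to mtime); TOOL.EXE is a normal upgrade
        for name, extra, shift in (("EDIT.EXE", 2 * VIRUS_LEN, 0),
                                   ("TOOL.EXE", 500, 60)):
            p = Path(root, name)
            st = p.stat()
            with p.open("ab") as f:
                f.write(b"\x00" * extra)
            os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns + shift * 10**9))
        Path(root, "GAME.COM").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```
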

millernw@clutx.clarkson.edu (Neal Miller) (01/16/91)

	We're having a minor epidemic of a Jerusalem strain at
Clarkson U., and even though the CLEAN##.EXE program tries to remove
it, it keeps popping up!  Any ideas/info on the JERU strains?
E-mail/post...  I'll get it...

Much Thanks

------------------------------------------------------------------------------
 Neal Miller          |  "Why not go mad?"     |  millernw@clutx.clarkson.edu
 Clarkson University  |        - Ford Prefect  |  millernw@clutx.bitnet
------------------------------------------------------------------------------