[comp.virus] Jerusalem B

HAYES@CUA.BITNET (Tom) (05/30/90)

Bad News   :-(

We have discovered Jerusalem B on many of our micros.  This is the first
recorded occurrence here, but you should be wary of diskettes/files which
may be coming to you from our site.  The infection "seems" to have been
confined to two of our four "Users' Areas" so we have probably caught it
before *much* spreading.
__________________________
\        Tom Hayes       /  Academic Computing Services
 \ Bitnet:  "hayes@cua" /                    The Catholic University of America
  \____________________/                         ~        ~             ~

MATZ'S MAXIM:  A conclusion is the place where you got tired of thinking.
~~~~~~ ~~~~~
PERSELWEIG'S SECOND LAW:  Whatever goes around, comes around.

                   Internet: "hayes%cuavax.dnet@netcon.cua.edu"
                    Zip net: "c/o C.U.A. Computer Center, Washington D.C. 20064"

Disclaimer: Don't you believe it.

nolan@uunet.UU.NET (09/25/90)

Last week I discovered the Jerusalem B virus on one of our PCs.  It
had only infected 7 files (around 30 times).  I had run SCAN on that
system on Aug 13th, so it arrived after that.  I didn't find it on
either of the other PCs, eliminated it from the infected system, and
installed VSHIELD on all three PCs.

The following afternoon, my assistant copied SCAN and CLEAN to a
diskette that had previously been used only for transferring data
files between PCs.  After the 'copy' commands were done, he SCANned
the diskette, and it had Jerusalem B on it.  The copy was done from a
system supposedly protected with VSHIELD.

The system from which the copies were made is clean, according to SCAN.

Can Jerusalem B infect data files, or is there something else on a 3
1/2 inch floppy that can contain Jerusalem B?  At this point, the
infected diskette contains only the 4 files that were copied to it
last Thursday.

------------------------------------------------------------------------------
Mike Nolan                                 "To err is human, to forgive
Tailored Software Services, Inc.            is divine, to procrastinate is,
Lincoln, Nebraska (402) 423-1490            um, can I get back to you on that?"
UUCP: tssi!nolan   (feed site changed, dsndata!tssi!nolan might be better)
INTERNET:  nolan@pythia.unl.edu (only if the other address doesn't work)

JXA5@MARISTB.BITNET (John A. Councill) (09/30/90)

I am the Technical Assistant for the Computer Center at Bard College,
a small liberal arts institution in upstate New York.  Right now we
have an exclusively IBM PC based, non-networked facility for student
use (due to change soon...).  Being a low tech school with 95% of
usage being word processing, and not much outside software being
brought into the center, we have not had any virus problems until very
recently.

About two weeks ago, the Jerusalem B virus found its way onto one of
our center's WordPerfect v4.2 disks.  This version of WordPerfect
refused to run with the infection.  We cleaned off the disks by
recopying them from masters.

Then, on Friday (9/28) we discovered Jerusalem B again on three
disks -- WP v4.2, WP v5.0, and a Turbo Pascal v2.0.  Very
irritating...  but what concerns me is the amount of infection and the
behavior of the virus with WP v5.0 and the Turbo Pascal.  Both of
these programs were invokable, and the behavior upon invocation was
different than with WP v4.2.  With WP v4.2 it scanned both disk drives
(presumably for other disks to infect), loaded itself into memory,
infected the resident portion of DOS, and then tried to run WP.  With
the other two programs, however, the virus exhibited none of the above
activity.

Here are some specific questions:

1) What is the behavior of Jerusalem B?  Does it do anything vile
other than infect all of the .COM and .EXE files that it can find (or
so I thought, see #2 below...)?  (e.g. will it wait for the next
partial lunar eclipse in Iceland and then erase all data and display
three leaping purple frogs on the screen...)

2) There were five .COM files on the Turbo Pascal v2.0 disk that it
infected: TURBO.COM, TURBO-87.COM, FORMAT.COM, TINST.COM, and
COMMAND.COM.  It only infected TURBO.COM, with two infections each.
Does Jerusalem B only infect programs that are invoked from the
command prompt while it is in memory?  Or is it supposed to infect all
.COM and .EXE files that it finds?

3) Under what conditions does a multiple infection occur (one
executable file found to have multiple copies of the virus in it)?

4) Are there many versions of Jerusalem B out in the world, making the
above questions inappropriate and/or difficult to answer?

Thanks.  Any tips, thoughts, or info on this will be most appreciated.

John A. Councill                       |   JXA5@MARISTB
Technical Assistant                    |        on
Henderson Computer Resources Center    |      BITNET
Bard College, Annandale-on-Hudson NY   |

dtroup@uunet.UU.NET (David C. Troup) (09/30/90)

We've got a Jerusalem viral infection and it seems to be a little
worse than I thought. The viral (identified as "JERU" by SCAN)
seems to get at the FATable. Is this normal activity for this viral?

Could someone PLEASE send me *ALL* the information about the Jerusalem
viral (B) that is out there. Please mail to dtroup@carroll1.cc.edu
since I get on the NET very few times a week, but I get to my mailbox
a lot. This is a priority, 'cause I work in a major hospital and this
little bugger is into our nurse stations, patient PCs and other
areas.

Thanks, David.

--
           David C. Troup                       |"I'm going to work at an office
       dtroup@carroll1.cc.edu                   | that has no phone, and
                                                | returning home with sandy
The Surf Rat - DC 12 on Neil Pryde and Seatrend | feet."

RADAI@HUJIVMS.BITNET (Y. Radai) (10/08/90)

  John Councill asks several questions about the Jerusalem B virus.
Although all of them have been answered on VIRUS-L before, I guess
there are enough new readers to warrant posting the answers here
again:

>... behavior of the virus with WP v5.0 and the Turbo Pascal.  Both of
>these programs were invokable, and the behavior upon invocation was
>different than with WP v4.2.  With WP v4.2 it scanned both disk drives
>(presumably for other disks to infect), loaded itself into memory,
>infected the resident portion of DOS, and then tried to run WP.  With
>the other two programs, however, the virus exhibited none of the above
>activity.

The behavior with WP 4.2 is anomalous since the length of this file
as reported in the EXE header is less than its actual length.  As a
result, the virus overwrites part of the file instead of appending
itself to it, meaning that no disinfectant utility can restore WP 4.2
after it has been infected by this virus.
  BTW, the scanning of disk drives which you report was not being done
by the virus, but by WP 4.2.  (I think the part of it which is in
memory is looking for additional code in the file, and finding that the
file is corrupt, it starts looking for it on other disks.  Or something
like that.)

>1) What is the behavior of Jerusalem B?  Does it do anything vile
>other than infect all of the .COM and .EXE files that it can find (or
>so I thought, see #2 below...)?

If it gets into memory when the system date is a Friday the 13th, it
will cause any file which is executed to be deleted.  On any other
date, after it has been in memory for 30 minutes, it will cause all
activity to be slowed down and a rectangular region of the screen to
be scrolled up by two lines.

>2) ... Does Jerusalem B only infect programs that are invoked from the
>command prompt while it is in memory?  Or is it supposed to infect all
>.COM and .EXE files that it finds?

It infects all executable program files invoked while it is in memory,
except COMMAND.COM.

>3) Under what conditions does a multiple infection occur (one
>executable file found to have multiple copies of the virus in it)?

Whenever the file is an EXE file.

>4) Are there many versions of Jerusalem B out in the world, making the
>above questions inappropriate and/or difficult to answer?

The total number of versions of the Jerusalem which have been reported
is well over 10, but only the original version (what McAfee calls
"Jerusalem-B" for some obscure reason) is very common.  The
multiple-infection bug has been removed in most of the later versions,
and the slowdown and scrollup have been removed in some of them.  Some
versions are much more destructive than the original.

  I might add that some of the information on this virus given in
Patricia Hoffman's VSUMxxxx file is inaccurate, particularly the
claims that it can survive a warm reboot and that the slowdown is by a
factor of 10.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
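Radai's explanation of the WP 4.2 anomaly (the EXE header declares a length shorter than the file's actual length, so an appending infector that positions itself by the header overwrites the tail instead of appending) can be turned into a routine integrity check for any MZ executable. The following Python is an added example and not code from any of the posters; it reads the two MZ header size fields (e_cblp at offset 2, e_cp at offset 4, 512-byte pages), computes the declared size, and compares it with the real file size. The sample images it checks are constructed in the block.

```python
import struct

PAGE = 512  # an MZ "page" is 512 bytes


def mz_declared_size(data: bytes) -> int:
    """Size of the load image as the MZ header declares it.

    e_cblp = bytes used on the last 512-byte page (0 means the last page is full)
    e_cp   = number of 512-byte pages in the file, last page included
    """
    if len(data) < 6 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cblp == 0:
        return e_cp * PAGE
    return (e_cp - 1) * PAGE + e_cblp


def check_exe_length(data: bytes) -> dict:
    """Compare declared and actual length and classify any mismatch."""
    declared = mz_declared_size(data)
    actual = len(data)
    if declared == actual:
        verdict = "consistent"
    elif declared < actual:
        # Trailing bytes the header does not account for (an overlay, or data
        # appended after the image).  A parasite that appends at the declared
        # length would overwrite this region, which is the WP 4.2 case Radai
        # describes: no disinfector can put those bytes back.
        verdict = "header shorter than file"
    else:
        # Header promises more than is present: a truncated copy.
        verdict = "header longer than file"
    return {"declared": declared, "actual": actual,
            "trailing": max(0, actual - declared), "verdict": verdict}


def make_sample_exe(image_len: int, extra: int = 0) -> bytes:
    """Constructed sample (not a real program): a minimal MZ header that
    declares image_len bytes, zero padding up to that length, and `extra`
    bytes beyond what the header declares."""
    pages, rem = divmod(image_len, PAGE)
    e_cp = pages + (1 if rem else 0)
    header = b"MZ" + struct.pack("<HH", rem, e_cp)
    body = header + b"\x00" * (image_len - len(header))
    return body + b"\xAA" * extra


if __name__ == "__main__":
    print(check_exe_length(make_sample_exe(1000)))             # consistent
    print(check_exe_length(make_sample_exe(1000, extra=100)))  # header shorter than file
```

Run it against a directory of .EXE files from a known-good master set to record the expected verdict per file; a program that legitimately ships an overlay (as WP 4.2 apparently did) will always report "header shorter than file", so the useful signal is a change in the trailing byte count rather than the verdict alone.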

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) (10/12/90)

> This version of WordPerfect refused to run with the infection.

That has been known to VIRUS-L readers for a year or so. I've sent you
a copy of Y. Radai's original posting of 15 Jun 89 14:46:58 +0300.

> With WP v4.2 it scanned both disk drives (presumably for other disks
> to infect), ...

Probably to find a clean copy of WP4.2 to load, as WP's self-consistency
check had failed.

> What is the behavior of Jerusalem B?

I've sent you our ISRAELI PCMEMO file which contains info on the
various Israeli strains (thanks to Virus Test Center, Hamburg, and
other sources).

> Does Jerusalem B only infect programs that are invoked from the
> command prompt while it is in memory?

It infects all programs invoked via the pertinent system function
(i.e. either from the command prompt or internally from another
program).

> Under what conditions does a multiple infection occur?

EXE files are infected multiply (bug!), COM files just once.

> Thanks.

You're welcome.
               Otto Stolz

JIMS@SERVAX.BITNET (Jim Schenk) (11/07/90)

Does anyone out there have any information on the Jerusalem B virus?
A student recently brought in an infected file and I'd like to know
how it spreads, what damage it causes, etc., to try to prevent it from
spreading further.

Thanks in advance.

Jim Schenk
Florida International University

Bitnet:         jims@servax
Internet:       jims@servax.fiu.edu