Jerusalem (computer virus)
Jerusalem is a DOS virus first detected in Jerusalem, Israel, in October 1987. On infection, the Jerusalem virus becomes memory resident (using 2 KB of memory) and then infects every executable file that is run, except for COMMAND.COM. .COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail as soon as it is executed.
The virus code hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages when the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".
The program contains one destructive payload that is set to go off on Friday the 13th, all years but 1987. On that date, the virus deletes every program file that was executed. Jerusalem is also known as BlackBox because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. The rectangle is scrolled up by two lines.
As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.
Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations required to hook into the file system.
Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.
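The file-growth figures given above can be used as a triage check against a known-good size baseline. The following is an added example, not code from any antivirus product or from the article's sources; the file names and sizes are constructed, and the function names are illustrative. It also handles the two .EXE cases the article mentions: repeated re-infection (stacked growth) and infected files that do not grow.

```python
# Added example: size-delta triage against a known-good baseline.
COM_GROWTH = 1813              # bytes, as quoted in the article
EXE_MIN, EXE_MAX = 1808, 1823  # bytes per infection, as quoted in the article


def exe_infection_counts(delta):
    """Return every n >= 1 for which delta fits n stacked .EXE infections."""
    if delta < EXE_MIN:
        return []
    lowest = -(-delta // EXE_MAX)  # ceil(delta / EXE_MAX)
    highest = delta // EXE_MIN     # floor(delta / EXE_MIN)
    return list(range(lowest, highest + 1))


def classify(name, baseline, current):
    """Compare one file's current size with its baseline size."""
    delta = current - baseline
    ext = name.upper().rpartition(".")[2]
    if ext == "COM":
        if delta == COM_GROWTH:
            return "suspect: .COM grew by 1,813 bytes"
        return "unchanged" if delta == 0 else "changed: no match"
    if ext == "EXE":
        if delta == 0:
            # The article notes that some infected .EXE files do not grow.
            return "inconclusive: size unchanged"
        counts = exe_infection_counts(delta)
        if counts:
            return "suspect: growth fits %d infection(s)" % counts[0]
        return "changed: no match"
    return "not checked"


# Constructed inventory: (file name, baseline size, current size) in bytes.
SAMPLE = [
    ("EDIT.COM", 12000, 13813),
    ("CALC.EXE", 40000, 43630),
    ("TOOL.EXE", 25000, 25000),
    ("GAME.EXE", 30000, 32000),
    ("FORMAT.COM", 9000, 9000),
]


def triage(rows):
    """Map each file name to its classification."""
    return {name: classify(name, base, cur) for name, base, cur in rows}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name:12} {verdict}")
```

A size match is only a lead for closer inspection, since a legitimate update can change a file by the same number of bytes.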
Aliases
- 1808(EXE)
- 1813(COM)
- ArabStar
- BlackBox
- BlackWindow
- Friday13th (Note: The name can also refer to two viruses that are unrelated to Jerusalem: Friday-13th-440/Omega and Virus-B)
- HebrewUniversity
- Israeli
- PLO
- Russian
Get Password 1 (GP1)
Discovered in 1991, this Novell NetWare-specific virus attempts to gather passwords from the NetWare DOS shell in memory upon user login, which it then broadcasts to a specific socket number on the network where a companion program can recover them.
Suriv viruses
The Suriv viruses are earlier, more primitive versions of Jerusalem. Suriv 1 and 2 trigger on April 1, while Suriv 3 triggers on Friday 13, switching off the computer on the 13th.
Sunday (Jeru-Sunday)
Files infected by Sunday grow by 1,636 bytes. On each Sunday the virus displays one of the following messages during 30-minute intervals.
- Today is SunDay! Why do you work so hard?
- All work and no play make you a dull boy!
- Come on ! Let's go out and have some fun!
The variant is intended to delete every program as it is run. Software bugs prevent this from happening.
Sunday has several variants.
- Sunday.a - The version described above.
- Sunday.b - A version of Sunday which has a working program-deleting function.
- Sunday.1.b - Like Sunday.b, except that a bug regarding the Critical Error Handler, which causes problems on write-protected disks, has been fixed.
- Sunday.1.d - Like Sunday.1.a, except the same bug is fixed in a different way.
- Sunday.1.Tenseconds - Like Sunday.a, except the delay for the messages is now 10 seconds. In addition, the test for Sunday is correctly set for day 0 (zero) instead of 7 (seven).
- Sunday.2 - Like Sunday.1.a, except files grow by 1,733 bytes.
Anarkia
Anarkia is almost identical to the original Jerusalem. It uses the self-recognition code "Anarkia".
PQSR
PQSR causes infected files to grow by 1,720 bytes. On the 13th of any month, the virus deletes any program run on the PC. Garbage is written to the master boot record and the nine sectors after the MBR. The virus uses "PQSR" as its self-recognition code.
Jeruspain (Jeru-Spanish)
If the virus is memory-resident, Jeruspain will delete any program run on the 26th of any month.
Westwood (Jerusalem-Westwood)
See Westwood (computer virus)
Westwood causes files to grow by 1,829 bytes. If the virus is memory-resident, Westwood deletes any file run during Friday the 13th.
Jerusalem-113
Programs will not run during Saturdays. The virus avoids PHENOME.COM instead of COMMAND.COM, and therefore infects COMMAND.COM.
Jerusalem-Apocalypse
Jerusalem-Apocalypse contains the text "Apocalypse!!". If the virus is memory-resident, it will delete any file on Friday the 13th.
Jerusalem-T13
The virus causes .COM and .EXE files to grow by 1,812 bytes. If the virus is memory-resident, it will delete any program run on Tuesday the 13th.
Jerusalem-Sat13
If the virus is memory-resident, it will delete any program run on Saturday the 13th.
Jerusalem-Czech
If the virus is memory-resident, it will delete any program run on Friday the 13th. Jerusalem-Czech has a self-recognition code and a code placement that differ from the original Jerusalem.
Jerusalem-Frère.2
Jerusalem-Frère plays Frère Jacques once per minute. A variant called Two Tigers plays the same tune.
Jerusalem-Nemesis
The virus avoids NEMESIS.COM instead of COMMAND.COM, and therefore infects COMMAND.COM. Jerusalem-Nemesis contains the string "NEMESIS.COM".
Jerusalem-Captain Trip
Jerusalem-Captain Trip contains the strings "Captain Trips" and "SPITFIRE". If the year is any year other than 1990 and the day is a Friday on or after the 15th, if a program is run, Jerusalem-Captain Trip creates an empty file with the same name as the program. On several other dates it installs a routine in the timer tick that activates when 15 minutes pass. On the 16th Jerusalem-Captain Trip re-programs the video controller. Jerusalem-Captain Trip has several errors.
Jerusalem-J
The variant causes .COM files to grow by 1,237 bytes. .EXE files grow by about 1,232 bytes. The virus has no "Jerusalem effects."
Jerusalem-Yellow
Jerusalem-Yellow does not infect .EXE files. All files infected grow by 1,363 bytes apiece. After the virus is loaded into memory, when 45 minutes pass or when 4,096 keystrokes are entered, Jerusalem-Yellow creates a large yellow box with a shadow in the middle of the screen and the computer hangs.
Jerusalem-Jan25
If the virus is memory-resident, it will delete any program run on January the 25th.
Friday-15th (Skism)
Friday-15th causes infected files to grow by 1,813 bytes. If the virus is memory-resident and a program is run on Friday the 15th, the virus will create a new file with the same name as the program.
Carfield (Jeru-Carfield)
The virus causes infected files to grow by 1,508 bytes. If the virus is memory-resident and the day is Monday, the computer will display the string "Carfield!" every 42 seconds.
Mendoza (Jerusalem Mendoza)
The virus does nothing if the year is 1980 or 1989. For all other years a flag is set if the virus is memory resident and if the floppy disk motor count is 25. The flag will be set if a program is run from a floppy disk.
If the flag is set, every program which runs is deleted.
If the flag is not set and 30 minutes pass, the cursor is changed to a block. After one hour, Caps Lock, Num Lock, and Scroll Lock are switched to "Off".
Other variants
- Jerusalem.1244
- Jerusalem.1808.Standard
- Jerusalem.Mummy.1364.a
- Standard.SuMsdos
- Standard.Var
- Standard.AA33CCDDEE
- Standard.UMsDos
- Standard.null
- Standard.Nocommand
- Jan25
- a
- Anarkia.2
- Puerto
- Spanish
- Messina
- ffd
- 1af
- Critical
- Flag_ee,
- *a204*
- Frère2
- Frère3
- 2e7
- Not13
- b0f
- Phenomen
- 52f
- 7c01
- 6d46
- JVT1
- J
- Friday15
- 3503
- Feb-7th
- Nov30
- sUMFDos
- SKISM
- 5a4
- 65d6
- BSA
- Dragon.
- Lee Morton's Lover
See also
- Timeline of notable computer viruses and worms
- Westwood (computer virus)