Jericho Virus
Virus Name: Jericho
Aliases: Dark Avenger.Jericho
V Status: New
Discovered: September, 1993
Symptoms: .COM & .EXE growth; decrease in total system & available free memory
Origin: Calgary, Alberta, Canada
Eff Length: 1,365 - 1,379 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, IBMAV, Sweep, PCScan, AVTK, NAV, NAVDX, VAlert, ChAV, NProt, NShld, Sweep/N, AVTK/N, IBMAV/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:

The Jericho virus was submitted in September, 1993, and appears to
be from the Calgary area of Canada. Jericho is a memory resident
infector of .COM and .EXE programs, including COMMAND.COM.

When the first Jericho infected program is executed, the Jericho
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, not moving interrupt 12's
return. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 2,832 bytes.
Interrupts 21 and 27 will be hooked by Jericho in memory.

Once the Jericho virus is memory resident, it will infect .COM and
.EXE programs, including COMMAND.COM, when they are executed or
opened for any reason. Infected .COM programs will have a file
length increase of 1,365 bytes while .EXE programs will increase in
size by 1,365 to 1,379 bytes. In both cases, the virus will be
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following
text strings are visible within the viral code in all Jericho
infected programs:
"JERICHO by Eurystheus
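
A triage check built from the indicators in this entry, added here as an example and not part of the original listing: it looks for the visible text string in the last 1,379 bytes of .COM and .EXE files, since the entry places the virus at the end of the file. It assumes the string is stored as plain ASCII exactly as shown; the function names and the sample files are constructed for illustration, and a hit is a lead for a scanner to confirm, not a verdict.

```python
import os
import tempfile

# Values taken from the entry above.
MARKER = b"JERICHO by Eurystheus"   # visible portion of the embedded string
MAX_VIRUS_LEN = 1379                # largest reported file growth (.EXE)
TARGET_EXTS = {".com", ".exe"}


def tail_has_marker(path, window=MAX_VIRUS_LEN):
    """Return True if the marker lies in the last `window` bytes of the file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))
        return MARKER in fh.read()


def scan_tree(root):
    """Return sorted paths of .COM/.EXE files under `root` whose tail holds the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                full = os.path.join(dirpath, name)
                try:
                    if tail_has_marker(full):
                        hits.append(full)
                except OSError:
                    continue  # unreadable file: skip it
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files; they hold only the marker text, no viral code."""
    fake_body = b"\x90" * 600 + MARKER + b"\x00" * (1365 - 600 - len(MARKER))
    samples = {
        "CLEAN.COM": b"\xc3" * 4000,
        "APPENDED.COM": b"\xc3" * 4000 + fake_body,   # marker inside the tail
        "MENTION.EXE": MARKER + b"\x00" * 8000,       # marker far from the tail
        "NOTES.TXT": b"\xc3" * 4000 + fake_body,      # not a .COM/.EXE file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan_tree(tmp):
            print("possible Jericho marker:", os.path.basename(hit))
```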