Jerusalem Virus
Virus Name: Jerusalem
Aliases: PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE),
Arab Star, Black Box, Black Window, Hebrew University
V Status: Common
Discovered: October, 1987
Isolated: Israel
Symptoms: TSR; .EXE & .COM growth; system slowdown; deleted files
on Friday 13th; "black window"
Origin: Italy
Eff Length: 1,808 - 1,822 Bytes
Type Code: PRsA - Parasitic Resident Generic File Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The Jerusalem virus was originally isolated at Hebrew University in
Israel in the Fall of 1987. As of November, 1991, it is thought to
have now originated in Italy. Jerusalem is a memory resident
generic file infector. Jerusalem viruses will infect .COM, .EXE,
.SYS, .BIN, .PIF, and overlay files when they are executed .EXE
files may be reinfected by the virus each time they are executed due
to a bug in the viral code. The Jerusalem virus has been altered
many times, and many other viruses have been based on its code. The
description below is for a standard Jerusalem virus which reinfects
.EXE files when they are executed. Other variants, or members of
this family, are indicated below.
The first time a program infected with the Jerusalem virus is
executed, the Jerusalem virus will install itself memory resident
as a low system memory TSR of 1,792 bytes. Interrupts 08 and 21
will be hooked by the Jerusalem virus in memory.
Once the Jerusalem virus is memory resident, it will infect programs
other than COMMAND.COM when they are executed. .COM programs will
increase in size by 1,813 bytes with the virus being located at the
beginning of the infected file. .EXE programs will increase in
size by 1,808 to 1,822 bytes with the virus being located at the
end of the infected file. Later, infected .EXE programs will be
reinfected by the virus when they are again executed. Each
reinfection will add an additional 1,808 bytes to the file.
Jerusalem infected programs will have no change to their date and
time in the DOS disk directory.
This virus redirects interrupt 8, and 1/2 hour after execution of the
first infected program the system will slow down by a factor of 10.
Additionally, some Jerusalem virus variants will have a "black
window" or "black box" appear on the lower left side of the screen
which will scroll up the screen as the screen scrolls.
The Jerusalem virus activates after it becomes memory resident on
Friday the 13ths. At that time, it will delete any program the user
attempts to execute.
The identifier for most Jerusalem strains is "sUMsDos", however, this
identifier may not be found in the newer variants of Jerusalem.
The Jerusalem virus is thought to have been based on the Suriv 3.00
virus, though the Suriv 3.00 virus was isolated after the Jerusalem
virus.
Known members(s) of the Jerusalem Family are:
A-204: Jerusalem with the sUMsDos text string changed to *A-204*,
and a couple of instructions changed in order to avoid
detection. This variant will slow down the system after being
memory resident for 30 minutes, as well as having a black box
appear at that time.
Origin: Delft, The Netherlands
Anarkia: Jerusalem with the timer delay set to slow down the
system to a greater degree, though this effect doesn't show
until a much longer time has elapsed. No Black Box is ever
displayed. The sUMsDos id-string has been changed to ANARKIA.
Lastly, the virus's activation date has been changed to Tuesday
the 13th, instead of Friday the 13th.
Origin: Spain
Anarkia-B: Similar to Anarkia, with the exception that the virus
now activates on any October 12th instead of on Tuesday
the 13ths.
Antiviru: Similar to Jerusalem B, the Antiviru virus differs in
that it contains two text strings: "COMMAND.COM" and
"ANTIVIRU". Like Jerusalem, it will display a "black box"
accompanied by a system slowdown 30 minutes after becoming
memory resident. After the virus becomes memory resident on
Friday the 13ths, any program executed will be deleted.
Origin: Unknown January, 1992
Apocalypse: The Apocalypse variant of Jerusalem was received
from Europe in May, 1991. It originated in Italy. This
variant will infect programs as they are executed. .COM
programs will increase in size by 1,813 bytes. .EXE programs
will increase in size by 1,808 to 1,822 bytes with the first
infection, and 1,808 bytes on later reinfections. The MsDos
infection marker in the virus has been altered to "C.J**".
Text strings which can be found in Apocalypse infected files
are:
"Apocalypse!!!"
"COMMAND.COM"
"**C.J**"
The last string is what has replaced the sUMsDos string in the
original virus. Apocalypse will have the characteristic "black
box" appear on the lower left hand side of the screen after it
has been memory resident for 30 minutes. It does not, however,
delete programs on Friday the 13ths.
Origin: Italy May, 1991
Bogota: The Bogota virus was discovered in Bogota, Columbia in
May, 1992. Its low system memory TSR is 2,048+ bytes in size,
hooking interrupts 16 and 21. It adds 1,813 bytes to the .COM
programs it infected. .EXE programs increase in size by 1,808
to 1,822 bytes with the first infection, and 1,808 bytes with
each reinfection. Bogota will occassionally truncate .EXE
programs to zero bytes when they are executed.
Captain Trips: The Captain Trips variant was submitted in March,
1991, and is from the United States. Its name comes from the
text string "Captain Trips X." which occurs within the viral
code. Unlike most Jerusalem variants, this variant does not
display a black window after being memory resident for 30
minutes, nor does it slow down the system. On Friday the
13th, it does not delete programs. The text string "MsDos"
does not occur in infected programs. .COM programs will
increase in size by 1,813 bytes. .EXE programs will increase
in size by 1,808 to 1,822 bytes with the first infection of
the file, and then by 1,808 bytes with subsequent infections.
Origin: United States March, 1991.
Captain Trips 2: Captain Trips 2 was submitted in July, 1991.
It is a variant of the Captain Trips variant which has been
altered to avoid detection. The major difference is that
reinfections of .EXE files have a file length increase of 1,813
bytes.
Origin: United States July, 1991.
Czech: The Czech variant of Jerusalem was received in April,
1992. When the Czech variant becomes memory resident, it
installs a 1,984 byte TSR in memory with interrupts 08, 21,
and F8 being hooked. Once it is memory resident, it will
infect programs other than COMMAND.COM when they are
executed. .COM programs will have a file length increase of
1,735 bytes with the virus being located at the beginning
of the infected file. .EXE programs will increase in size
by 1,735 to 1,749 bytes with the virus being located at the
end of the file. This variant does not reinfect .EXE
programs. After the Czech variant has been memory resident
for 30 minutes, it will display a reverse video box in the
upper left hand corner of the screen which contains the text
"Ha!Ha!". It does not delete programs on Friday The 13ths.
Some anti-viral programs may detect this variant as the
Sunday virus.
Origin: Unknown April, 1992.
Dragon: The Dragon variant of Jerusalem was submitted in
April 1992. This variant is functionally similar to the
original Jerusalem virus described above. It contains the
text string "BDH B T". The MsDos identifier has been
changed to a hex character string. It deletes programs
which are executed after the virus has become memory resident
on Friday The 13ths.
Origin: Unknown April, 1992.
Get Password 1: Get Password 1 is a Jerusalem variant which was
originally discovered in the first half of 1991 in Europe.
This variant's TSR is 1,840 bytes in length. Get Password 1 is
a Novell network specific virus, it won't replicate unless the
Novell Netware drivers are present in memory. The virus was
originally intended to capture the logon information when the
user logs onto the network, however this code does not function
properly and so there is no threat. Get Password 1 is 1,914
bytes in length.
Origin: Europe 1991.
January 25TH: Similar to Jerusalem B, the major difference with
this variant is that it will activate on January 25TH, at which
time it will delete any programs which the user attempts to
execute. January 25TH doesn't reinfect .EXE files. After
being memory resident for 30 minutes, it will have the "black
box" screen effect common to many Jerusalem variants. The
"sUMsDos" text string has also been replaced with hex 00
characters.
January 25TH-B: Functionally equivalent to the January 25TH,
this variant has some slight code modifications.
Origin: Unknown January, 1992.
Jerusalem B: Similar to the original Jerusalem virus, this
variant does not reinfect .EXE files when they are executed.
Origin: Israel January, 1988.
Jerusalem-C: Jerusalem B without the timer delay to slow down the
processor.
Jerusalem-D: Jerusalem C which will destroy both copies of the FAT
on any Friday the 13th after 1990.
Jerusalem DC: Similar to Jerusalem, this variant has the sUMsDos
text string changed to 00h characters. After being memory
resident for 30 minutes, the system will slow down by 30% and
the common "black window" will appear on the lower left side of
the screen. Like Jerusalem, it will infect .EXE files multiple
times. This variant does not carry an activation date when it
will delete files, it appears for all intents to be "defanged".
Origin: Washington, DC, United States
Jerusalem-E: Jerusalem D but the activation is in 1992.
Jerusalem-Polish: Based on the Jerusalem virus described above,
this variant has been altered slightly so that the "black box"
screen effect does not appear.
Origin: Poland October, 1992.
Jerusalem-PLO: Based on the Jerusalem virus described above, this
variant will delete files when they are executed during the
secondd half of the year. It will replicate during the first
half of the year. After the virus has been memory resident
for 30 minutes, a system slowdown will occur, but the
characteristic Jerusalem black box will not appear. The
"sUMsDos" string in the original virus has been changed to
"sU?sDos". Infected .COM files will increase in size by 1,813
bytes. Infected .EXE files increase in size by 1,808 - 1,822
bytes with the first infection, and 1,808 bytes with each
reinfection.
Origin: Unknown November, 1991.
Jerusalem.2389: Based on the Jerusalem-B virus, Jerusalem.2389 is
a 2,389 byte variant. Its memory resident TSR is 2,640 bytes,
and hooks interrupts 1C and 21. It adds 2,389 bytes to the
.COM programs it infects with the virus being located at the
beginning of the file. It adds 2,389 to 2,404 bytes to .EXE
programs with the virus being located at the end of the file.
.EXE programs are reinfected by the virus, adding an additional
2,389 bytes with each reinfection. The following text strings
are visible within the viral code in infected programs:
"COMMAND.COM"
"AYTUBA=19722191!!"
Systems infected with the Jerusalem.2389 virus may find programs
interrupted while they are executed, and a message scrolling on
the system display from right to left in a non-english language.
"NICE FROM FAR FAR FROM NICE" is the only english text within
the scrolling message. This text is encrypted within infected
files.
Origin: Europe? July, 1994.
Jerusalem.Suselfo: Similar to Jerusalem, this variant has the
sUMsDos text string changed to "sUSelFo", as well as having
been altered to avoid detection by some anti-viral utilities.
Origin: Spain March, 1994.
June 17TH: Based on the Jerusalem virus, June 17TH is a 1,530
byte variant. Its memory resident TSR is 1,792 bytes, hooking
interrupt 21. .COM programs increase in size by 1,535 bytes,
while .EXE programs increase in size by 1,530 to 1,544 bytes.
With .COM programs, the virus will be located at the beginning
of the file. With .EXE programs, the virus is located at the
end of the file. .EXE programs are not reinfected. June 17TH
activates when it becomes memory resident when the system date
is between June 17TH and December 31st of any year, at which
time it will delete any program which the user attempts to
execute.
Origin: Unknown November, 1992.
JVT1: Similar to the original Jerusalem virus, the JVT1 variant's
major differences are that after being memory resident for
30 minutes, a vertical black box consisting of two characters
will appear in the very upper left hand corner of the system
display. Another difference is that instead of deleting
programs on Friday the 13ths, it deletes them on Tuesday the
1st. The "sUMsDos" text string within the virus has been
changed to "sUMsDns". Like Jerusalem, it will reinfect .EXE
programs.
JVT1-B: Functionally equivalent to JVT1, this variant is a
slightly modified version.
Origin: Unknown January, 1992.
Mendoza: Based on the Jerusalem B virus, this variant does not
reinfect .EXE files. It is also missing the black box effect.
Mendoza activates in the second half of the year (July -
December), at which time any day will have a 10% chance of
having all programs executed deleted.
Origin: Argentina
Messina: Similar to the original Jerusalem virus, Messina's
major difference is that the "sUMsDos" text string has been
changed to "Messina". Infected .COM files increase in size
by 1,813 bytes. Infected .EXE files increase in size by 1,808
to 1,822 bytes with the first infection, and 1,808 bytes for
each reinfection.
Origin: Unknown November, 1991.
Nemesis: Similar to the original Jerusalem virus, this variant's
major difference is in the area of text strings within the
virus. The characteristic "sUMsDos" string has been changed to
"UM Do ". Two other text strings can be found in infected
files: "NEMESIS.COM" and "NOKEY".
Origin: Unknown November, 1991.
New Jerusalem: The New Jerusalem virus is a variant of Jerusalem
which was uploaded to several BBSes in The Netherlands on
October 14, 1989. It was modified to be undetectable by
some anti-viral utilities which were widely distributed at
that time.
Origin: The Netherlands October, 1989.
Oscar: The Oscar variant of Jerusalem is functionally
equivalent to the original virus. It contains three
text strings: "sUMsDos", "COMMAND.COM, and "OSCAR NU".
.EXE programs will be reinfected by this variant.
On Friday the 13ths, it will delete executed programs.
Origin: Unknown April, 1992.
Payday: The Payday variant was isolated in The Netherlands by
Jan Terpstra in November, 1989. A major behavioral change is
that Payday will activate on all Fridays except Friday the 13th.
Upon activation, it deletes all files executed.
Origin: The Netherlands November, 1989.
Park ESS: Isolated in October, 1990 in Happy Camp, California,
this variant is very similar to other Jerusalem viruses.
Infected .COM files increase in length by 1,813 bytes, and
infected .EXE files will increase in length by 1,808 to 1,822
bytes with the first infection, and 1,808 on later subsequent
infections. This variant will also infect COMMAND.COM. The
other major difference from the "normal" Jerusalem is that the
"sUMsDos" string has been replaced. The string "PARK ESS" can
be found in the viral code within all infected files. This
variant slows down the system by approximately 20 percent and
a "black window" will appear after the virus has been memory
resident for 30 minutes.
Phenome: The Phenome variant of Jerusalem B was received at the
same time as the Apocalypse variant. This variant is similar
in behavior to Apocalypse, with the exception that
COMMAND.COM will also be infected if executed. The text
strings found in this variant are:
"MsDos"
"PHENOME.COM"
"*-*-*-*"
Phenome activates after becoming memory resident on Saturdays.
On Saturdays, programs will not execute, but simply return the
user to the DOS prompt.
Origin: Italy May, 1991.
Puerto: Isolated in June, 1990 in Puerto Rico, this variant is
very similar to the Mendoza variant, the virus contains the
sUMsDos id-string. .EXE files may be infected multiple times.
Origin: Puerto Rico June, 1990.
Skism: Similar to the Skism-1 variant, the Skism variant of
Jerusalem's major difference is that the "SKISM-1" text
string has been changed to " SKISM ". Functionally, it is
equivalent to Skism-1.
Origin: Canada January, 1992.
Skism-1: Isolated in December, 1990 in New York State, this
variant is similar to many other Jerusalems except with
regards to when and what it does upon activation. Rather than
activate on Friday the 13ths and delete files, this variant
activates in the years 1991 and later on any Friday which
occurs after the 15th of the month. On activation, it
truncates any file which is attempted to be executed to zero
bytes. .COM files will increase in size upon infection by
1,808 bytes, .EXE files will increase by 1,808 to 1,822 bytes.
.EXE files will be reinfected by the virus. The "sUMsDos"
string in the virus is now "SKISM-1". Like Jerusalem, this
variant produces a "black window" 30 minutes after becoming
memory resident, and also slows down the system.
Origin: Canada December, 1990.
Soy Un: Based on the Jerusalem-B virus, Soy Un is a 2,064 byte
variant from Peru. Its memory resident TSR is 2,336 bytes,
and hooks interrupt 21. Soy Un adds 2,069 bytes to the .COM
programs it infects with the virus being located at the
beginning of the file. It adds 2,064 to 2,078 bytes to .EXE
programs with the virus being located at the end of the file.
.EXE programs are not reinfected. Most of the file length
increase will usually not be visible on infected programs when
the virus is memory resident as it will attempt to hide all by
1 to 16 bytes of the increase. The following text strings
occur within the viral code:
"HACK1"
"COMMAND.COM"
"CHKLIST.CPS"
"Soy un Virus y mi nombre es - THE HACKER - Lima - Per"
Origin: Peru September, 1992.
Spanish JB: (Jerusalem F) Similar to Jerusalem, it reinfects
.EXE files. The increased file size on .COM files is always
1,808 bytes. On .EXE files, the increased file size may be
either 1,808 or 1,813, with reinfection always adding 1,808
bytes to the already infected file. No "Black Box" appears.
The characteristic "sUMsDos" id-string does not appear in the
viral code. This variant is also sometimes identified as
Jerusalem E2.
Origin: Spain
Sub-Zero: Received in April 1992, Sub-Zero is a modified
Jerusalem variant which does not display the characteristic
"black box" after being memory resident for 30 minutes, nor
does a system slowdown occur. Sub-Zero contains the
following text strings: "LORD SKISM", "Sub-Zero NYHC", and
"ED EL".
Origin: Canada April, 1992.
Sub-Zero B: Received in May, 1992, Sub-Zero B is a slightly
modified version of the Sub-Zero variant. On the last Friday
of any month after 1991 it will truncate files which are
executed, and will attempt to format the system hard disk 15
minutes after becoming memory resident on June 6.
Origin: United States May, 1992.
Sub-Zero C: Received in February 1994, Sub-Zero C is a modified
version of the Sub-Zero variant described above. It has been
altered to avoid detection by some anti-viral utilities.
Origin: Unknown February, 1994.
Swiss 1813: Submitted in February, 1991, from Switzerland, this
Jerusalem variant does not exhibit the "black window" after
being memory resident for 30 minutes, nor does it slow down
the system. It also does not delete programs on Friday the
13th, or any other Friday. The "sUMsDos" text string has been
changed to binary zeros.
Origin: Switzerland February, 1991.
Triple: Received in April, 1992, Triple is a Jerusalem variant
which has been altered to avoid detection by some virus
scanning programs. Functionally, it is similar to the
original virus. One text string can be found in the viral
code in infected programs: "COMMAND".
Origin: Unknown April, 1992.
Ucender: Received in March, 1992, this variant of Jerusalem has
been altered to avoid detection by some anti-viral programs.
The "sUMsDos" text string has been changed to "UCNDER". The
characteristic Jerusalem "black box" appears after the virus
has been memory resident for 30 minutes, and a system slow-
down will also occur at this time. Ucender will reinfect
.EXE files, like the original virus. This variant activates
on Friday The 13ths, at which time it will delete programs
which are executed.
Origin: Argentina March, 1992.
See: 1605 China Discom Freddy
Frere Jacques Fu Manchu Groen Links Growing Block
Jerusalem 11-30 Jerusalem 1663 Jerusalem 1767 Mule
RAM Virus Slow Sunday Sunday-2
Suriv 3.00 Westwood Barcelona Poison
Moctezumas Revenge 1244 Timor Totoro