Jerusalem 11-30 Virus


 Virus Name:  Jerusalem 11-30 
 Aliases:     1130 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM & .EXE growth; TSR; file date/time change; display 
 Origin:      Unknown 
 Eff Length:  2,000 - 2,014 Bytes 
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, IBMAV, Sweep, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The Jerusalem 11-30, or 1130, virus was received in January, 1992. 
       Its origin is unknown.  Jerusalem 11-30 is a memory resident infector 
       of .COM, .EXE, and overlay files.  It will not infect COMMAND.COM. 
       This virus, as the name implies, is a variant of the Jerusalem virus 
       though it is being documented separately due to its different 
       behaviour. 
 
       The first time a program infected with Jerusalem 11-30 is executed, 
       the Jerusalem 11-30 virus will install itself memory resident as a 
       low system memory TSR of 2,288 bytes.  On dates other than November 
       30th, the virus will hook interrupts 20, 21, and 27.  On November 
       30th, it will also hook interrupt 1C. 
 
       Once the Jerusalem 11-30 is memory resident, it will infect programs 
       as they are executed.  Infected .COM programs will have a file 
       length increase of 2,000 bytes, with the virus being located at the 
       beginning of the infected file.  Infected .EXE programs will have a 
       file length increase of 2,000 to 2,014 bytes with the virus being 
       located at the end of the infected file.  Unlike several Jerusalem 
       variants, this virus will not reinfect previously infected .EXE 
       files.  All infected files will have had their date and time in the 
       DOS disk directory updated to the system date and time when infection 
       occurred.  The following text string can be found within the viral 
       code of all Jerusalem 11-30 infected programs: 
 
               "ð1ð1ð3ð0ð" 
 
       Jerusalem 11-30 activates after it has become memory resident on 
       November 30th of any year.  It will intermittently flash a reverse 
       video block in the upper right hand corner of the system display 
       that says "1130" while the user is at a DOS prompt. 
 
       See:   Jerusalem

Show viruses from discovered during that infect .

Main Page