Jericho Virus


 Virus Name:  Jericho 
 Aliases:     Dark Avenger.Jericho 
 V Status:    New 
 Discovered:  September, 1993 
 Symptoms:    .COM & .EXE growth; 
              decrease in total system & available free memory 
 Origin:      Calgary, Alberta, Canada 
 Eff Length:  1,365 - 1,379 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, IBMAV, Sweep, PCScan, 
                    AVTK, NAV, NAVDX, VAlert, ChAV, 
                    NProt, NShld, Sweep/N, AVTK/N, IBMAV/N, Innoc, NAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Jericho virus was submitted in September, 1993, and appears to 
       be from the Calgary area of Canada.  Jericho is a memory resident 
       infector of .COM and .EXE programs, including COMMAND.COM. 
 
       When the first Jericho infected program is executed, the Jericho 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, not moving interrupt 12's 
       return.  Total system and available free memory, as indicated by 
       the DOS CHKDSK program, will have decreased by 2,832 bytes. 
       Interrupts 21 and 27 will be hooked by Jericho in memory. 
 
       Once the Jericho virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed or 
       opened for any reason.  Infected .COM programs will have a file 
       length increase of 1,365 bytes while .EXE programs will increase in 
       size by 1,365 to 1,379 bytes.  In both cases, the virus will be 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following 
       text strings are visible within the viral code in all Jericho 
       infected programs: 
 
               "JERICHO by Eurystheus" 
               "Calgary"  
 
       It is unknown what Jericho does besides replicate. 
 
       Known variant(s) of Jericho are: 
       Dark Avenger.Jericho.1000: Probably an earlier version of the 
                   Jericho virus described above, this variant's size in 
                   memory is 2,112 bytes, hooking interrupt 21.  It 
                   infects some .COM files when they are executed, opened, 
                   or copied.  Infected programs have a file length increase 
                   of 1,000 bytes with the virus being located at the end 
                   of the file.  The file's date and time in the DOS disk 
                   directory listing will not be altered.  The following 
                   text string is visible within the viral code in all 
                   infected files: 
                   "JERICHOþEurystheusþCalgary AB" 
                   Origin:  Canada  August 1994. 
 
       See:   Dark Avenger 
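
An added example (not part of the original entry or of any listed scanner): a Python check for the indicators described above, searching only the appended tail of .COM/.EXE files for the visible text strings. The function names are hypothetical, and treating the separator in the variant's string as any single byte is an assumption, since its raw value depends on the code page.

```python
import re
from pathlib import Path

# Growth figures and strings are the ones listed in the entry above.
JERICHO_MAX_GROWTH = 1379   # .EXE upper bound; .COM growth is 1,365
VARIANT_GROWTH = 1000       # Dark Avenger.Jericho.1000

JERICHO_STRINGS = (b"JERICHO by Eurystheus", b"Calgary")
# Assumption: the separator shown in the variant's string is one byte
# whose rendering depends on the code page, so any single byte is accepted.
VARIANT_RE = re.compile(rb"JERICHO.Eurystheus.Calgary AB", re.DOTALL)


def classify(data):
    """Return a label if the appended tail of `data` carries the strings, else None."""
    # The entry places the virus at the end of the file, so only the last
    # <growth> bytes are searched; a file must also be longer than the
    # growth itself, because an infected file is host plus virus.
    if len(data) > JERICHO_MAX_GROWTH:
        tail = data[-JERICHO_MAX_GROWTH:]
        if all(s in tail for s in JERICHO_STRINGS):
            return "Jericho"
    if len(data) > VARIANT_GROWTH:
        if VARIANT_RE.search(data[-VARIANT_GROWTH:]):
            return "Dark Avenger.Jericho.1000"
    return None


def scan_tree(root):
    """Yield (path, label) for .COM/.EXE files under `root` whose tail matches."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".com", ".exe"):
            label = classify(path.read_bytes())
            if label:
                yield path, label


if __name__ == "__main__":
    import sys
    for hit, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit}: strings consistent with {name}")
```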
