Jerusalem 1767 Virus
Virus Name: Jerusalem 1767
V Status: Research
Discovered: October, 1991 (submitted)
Symptoms: TSR; .EXE & .COM growth
Origin: New Zealand
Eff Length: 1,767 - 1,779 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, LProt,
Removal Instructions: Delete infected files
The Jerusalem 1767 virus was received in October, 1991 from Dr.
Henry Wolfe of New Zealand whom indicated that he has had this virus
on a diskette for over one year. The original source of the virus
is unknown. Jerusalem 1767 is a variant of the Jerusalem virus,
with some characteristic changes in its behavior.
The first time a program infected with Jerusalem 1767 is executed,
this virus will install itself memory resident as a low system
memory TSR of 2,048 bytes, hooking interrupts 08 and 21.
Once Jerusalem 1767 is memory resident, it will infect .COM and .EXE
programs when they are executed. If COMMAND.COM is executed, it
will also become infected.
Infected .COM programs increase in size by 1,767 bytes with the virus
being located at the beginning of the infected file. The exception
is that COMMAND.COM will be infected with the virus being at the end
of the file.
Infected .EXE programs increase in size by 1,767 to 1,779 bytes with
the virus being located at the end of the infected file. .EXE
programs will not be reinfected by this Jerusalem related virus.
In both cases, there will be no change to the file's date and time
in the DOS disk directory. Two text strings can be found within the
viral code, the first being the infection marker for infected files:
"** INFECTED BY FRIDAY 13th **"
Jerusalem 1767 does not exhibit the typical Jerusalem / Jerusalem B
"black box" after being memory resident for 30 minutes. A system
slowdown also does not occur.