Jerusalem 1767 Virus


 Virus Name:  Jerusalem 1767 
 Aliases:    
 V Status:    Research 
 Discovered:  October, 1991 (submitted) 
 Symptoms:    TSR; .EXE & .COM growth 
 Origin:      New Zealand 
 Eff Length:  1,767 - 1,779 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, ViruScan, AVTK, Sweep, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, LProt, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The Jerusalem 1767 virus was received in October, 1991 from Dr. 
       Henry Wolfe of New Zealand, who indicated that he had had this virus 
       on a diskette for over one year.  The original source of the virus 
       is unknown.  Jerusalem 1767 is a variant of the Jerusalem virus, 
       with some characteristic changes in its behavior. 
 
       The first time a program infected with Jerusalem 1767 is executed, 
       this virus will install itself memory resident as a low system 
       memory TSR of 2,048 bytes, hooking interrupts 08 and 21. 
 
       Once Jerusalem 1767 is memory resident, it will infect .COM and .EXE 
       programs when they are executed.  If COMMAND.COM is executed, it 
       will also become infected. 
 
       Infected .COM programs increase in size by 1,767 bytes with the virus 
       being located at the beginning of the infected file.  The exception 
       is that COMMAND.COM will be infected with the virus being at the end 
       of the file. 
 
       Infected .EXE programs increase in size by 1,767 to 1,779 bytes with 
       the virus being located at the end of the infected file.  .EXE 
       programs will not be reinfected by this Jerusalem-related virus. 
 
       In both cases, there will be no change to the file's date and time 
       in the DOS disk directory.  Two text strings can be found within the 
       viral code, the first being the infection marker for infected files: 
 
               "** INFECTED BY FRIDAY 13th **" 
               "COMMAND.COM" 
 
       Jerusalem 1767 does not exhibit the typical Jerusalem / Jerusalem B 
       "black box" after being memory resident for 30 minutes.  A system 
       slowdown also does not occur. 
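
       A triage check built from the marker string, effective length and
       placement described above. This is an added example, not part of the
       original entry or of any listed scanner; the function names and the
       sample files are constructed for illustration.

```python
from pathlib import Path

MARKER = b"** INFECTED BY FRIDAY 13th **"  # infection marker quoted in the entry
MIN_LEN, MAX_LEN = 1767, 1779              # effective length range from the entry


def placement(name: str):
    """Where the entry says the virus body sits for this host type, or None."""
    name = name.upper()
    if name.endswith(".EXE") or name == "COMMAND.COM":
        return "end"
    return "start" if name.endswith(".COM") else None


def check(name: str, data: bytes) -> str:
    """Return 'skipped', 'clean', 'suspect' or 'marker-outside-region'."""
    where = placement(name)
    if where is None:
        return "skipped"
    if len(data) < MIN_LEN or MARKER not in data:
        return "clean"  # too small to hold the virus body, or no marker
    region = data[:MIN_LEN] if where == "start" else data[-MAX_LEN:]
    return "suspect" if MARKER in region else "marker-outside-region"


def scan(root: str) -> dict:
    """Check every .COM/.EXE file under root; map path -> non-clean verdict."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and placement(path.name):
            verdict = check(path.name, path.read_bytes())
            if verdict != "clean":
                hits[str(path)] = verdict
    return hits


def constructed_samples() -> dict:
    """Constructed test data: zero filler plus the marker, no viral code."""
    body = (b"\0" * 600 + MARKER).ljust(MIN_LEN, b"\0")
    host = b"\xc3" * 4000
    return {
        "GAME.COM": body + host,             # body at start
        "EDIT.EXE": b"MZ" + host + body,     # body at end
        "COMMAND.COM": host + body,          # the stated exception
        "AVDB.COM": host + MARKER + host,    # marker far from either end
        "CLEAN.EXE": b"MZ" + host,
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:12} {check(name, data)}")
```

       Because the file date and time do not change, a marker hit inside the
       expected region is a reason to compare the file against a known-good
       copy, not proof of infection on its own.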
 
       See:   Jerusalem 
