- Path: sparky!uunet!elroy.jpl.nasa.gov!sdd.hp.com!mips!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: rslade@cue.bc.ca (Robert Slade)
- Newsgroups: comp.virus
- Subject: Jerusalem virus part 2 (CVP)
- Message-ID: <0020.9207281750.AA19608@barnabas.cert.org>
- Date: 23 Jul 92 23:50:00 GMT
- Sender: virus-l@lehigh.edu
- Lines: 59
- Approved: news@netnews.cc.lehigh.edu
-
- HISVIR4.CVP 920714
-
- The "Jerusalem" virus - part 2
-
- The history of the Jerusalem virus is every bit as convoluted as its
- functionality and family. The naming alone is a fairly bizarre tale.
- As mentioned before, it was originally called the Israeli virus.
- Although considered unfair by some, the name was fairly natural, as the
- virus had been both discovered in and reported from Israel. (Although
- the virus was reported to slow down systems that were infected, it
- seems to have been the "continual growth" of EXE files which led to
- the detection of the virus.) In an effort to avoid anti-semitism, it
- was referred to by its "infective length" of 1813 bytes. For COM
- files. For EXE files it was 1808 bytes. Sometimes. It varies
- because of the requirement that the header of an EXE file is
- divisible by 16. (All quite clear?)
-
- One of the early infections was found to be in an office belonging to
- the Israeli Defence Forces. This fact was reported in an Associated
- Press article, and, of course, made much of. It also gave rise to
- another alias, the I.D.F. virus.
-
- When the virus was first discovered, it was strongly felt that it had
- been circulating prior to November of 1987. The "payload" of file
- deletion on Friday the 13th gave rise to conjecture as to why the
- logic bomb had not "gone off" on Friday, November 13th, 1987.
- (Subsequent analysis has shown that the virus will activate the
- payload only if the year is not 1987.) The next following "Friday
- the 13th" was May 13th, 1988. Since the last day that Palestine
- existed as a nation was May 13th, 1948 it was felt that this might
- have been an act of political terrorism. This led to another alias,
- the PLO virus. (The fact that Israel celebrates its holidays
- according to the Jewish calendar, and that the independence
- celebrations were slated for three weeks before May 13th in 1988 was
- disregarded. The internal structure of the virus, and the existence
- of the sURIV viral programs seem to indicate that any political
- correspondence is merely coincidence.)
-
- Yet another alias is "sUMsDos", based upon text found in the virus
- code itself. This was, on occasion, corrupted to "sumDOS".
-
- The name "Jerusalem" has gained ascendancy, possibly due to the
- McAfee SCAN program identification. (He certainly must be
- responsible for the "B" designation for the "original" version.) Of
- course, the great number of variants has not helped any. Because a
- number of the variants are very closely based upon each other's code,
- the signatures for one variant will often match another, thus
- generating even more naming confusion. This confusion is not unique
- to the Jerusalem family, of course, and is an ongoing concern in the
- virus research community.
-
- copyright Robert M. Slade, 1992 HISVIR4.CVP 920714
-
- =============
- Vancouver ROBERTS@decus.ca | "The client interface
- Institute for Robert_Slade@sfu.ca | is the boundary of
- Research into rslade@cue.bc.ca | trustworthiness."
- User p1@CyberStore.ca | - Tony Buckland, UBC
- Security Canada V7K 2G6 |
-