home *** CD-ROM | disk | FTP | other *** search
/ ProfitPress Mega CDROM2 …eeware (MSDOS)(1992)(Eng) / ProfitPress-MegaCDROM2.B6I / UTILITY / VIRUS / PCV4RPT.ZIP / JERUSAL.RPT < prev    next >
Encoding:
Text File  |  1991-05-09  |  6.5 KB  |  149 lines
  1.  
  2.              *********************************************
  3.              ***   Reports collected and collated by   ***
  4.              ***            PC-Virus Index             ***
  5.              ***      with full acknowledgements       ***
  6.              ***            to the authors             ***
  7.              *********************************************
  8.  
  9.  
  10.   JERUSALEM SERIES
  11.   ================
  12.                 
  13.   The JERUSALEM virus has appeared in many different versions across
  14.   the world and has spawned many rewrites, which can be found through
  15.   exploring the JERUSALEM family in the 'Other' field.
  16.  
  17.   These include: FU MANCHU, SUNDAY, PAYDAY, PSQR, PRUDENS, ANARKIA,
  18.   amomg others.
  19.  
  20.   There are also three viruses called SURIV ('virus' backwards) which
  21.   are believed to be precursors to JERUSALEM.
  22.  
  23.   JERUSALEM infects COM and EXE files, growing their lengths by 1813
  24.   and 1808 bytes repectively. With EXE files, overwriting can occur
  25.   and Overlay files may also be infected.
  26.  
  27.   It becomes memory resident and targets every COM and EXE file except
  28.   COMMAND.COM.
  29.  
  30.   In its original version:
  31.  
  32.   * EXE files were continually reinfected, eventually causing them to
  33.     stop working
  34.  
  35.   * After 30 minutes, an infected system would slow down and a black
  36.     box would appear on the screen
  37.  
  38.   * Every program executed on Friday the 13th would be deleted.
  39.  
  40.  
  41. ==== Computer Virus Catalog 1.2: Israeli-Virus (July 15, 1989) =====
  42.  
  43. Entry...............: Israeli-Virus
  44. Alias(es)...........: Jerusalem (A) ="Friday 13th" Virus
  45. Virus Strain........: Israeli-Virus
  46. Virus detected when.: December 1987
  47.               where.: Hebrew University, Jerusalem, Israel
  48. Classification......: Program Virus (extending), RAM-resident
  49.                               overwriting under certain conditions.
  50. Length of Virus.....: .COM files: length increases by 1813 bytes.
  51.                       .EXE files: length increases by 1808-1823 bytes.
  52.                                  (.EXE file length must be a multiple
  53.                                  of 16 bytes, as in any .EXE file)
  54.  
  55. ------------------- Preconditions ---------------------------------
  56.  
  57. Operating System(s).: MS-DOS
  58. Version/Release.....: 2.xx upward
  59. Computer model(s)...: IBM-PC, XT, AT and compatibles
  60.  
  61. ------------------- Attributes ------------------------------------
  62.  
  63. Easy Identification.: Typical texts in Virus body (readable
  64.                       with HexDump-facilities):
  65.                       1. "MsDos" and "COMMAND.COM" in the Data area
  66.                          of the virus and
  67.                       2. "MsDos" are the last 5 bytes if the infected
  68.                          program is a .COM file.
  69.  
  70. Type of infection...: System: infected if function E0h of INT 21h
  71.                               returns value 0300h in the AX-register.
  72.  
  73.                       .Com files: program length increases by 1813
  74.                               bytes if it is infected and the last 5
  75.                               bytes are "MsDos" (identification). .COM
  76.                               files are infected only once;
  77.                               COMMAND.COM will not be infected.
  78.  
  79.                       .EXE files: program length increases by 1808
  80.                               - 1823 bytes, and no identification is
  81.                               used; therefore, .EXE files can be
  82.                               infected more than once.
  83.                               The virus uses the file length in the
  84.                               EXE header to decide where to copy
  85.                               itself; if this field contains a value
  86.                               smaller than the actual length of the
  87.                               file, then the virus will *overwrite*
  88.                               the file instead of extending it!
  89.  
  90. Infection Trigger...: Programs are infected at load time (using the
  91.                       function Load/Execute of MS-DOS).
  92.  
  93. Interrupts hooked...: INT21h, INT08h
  94.  
  95. Damage..............: Permanent Damage: On every "Friday the 13th",
  96.                                 every loaded program is deleted.
  97.                       Transient Damage: On every other day, after 30
  98.                                 minutes a loop is bound into the
  99.                                 operating system, which slows the
  100.                                 system; At this moment, a 12-by-12
  101.                                 region of the screen is scrolled up by
  102.                                 two lines, leaving a black 2-by-12
  103.                                 rectangle on the screen.
  104.  
  105. Damage Trigger......: Every time the system is infected, one of the
  106.                       damages will be used.
  107.  
  108. Particularities.....: 1. .COM files larger than 63.466 bytes are no
  109.                               longer loadable after infection.
  110.                       2. .COM files larger than 63.723 bytes are
  111.                               destroyed by overwriting.
  112.                       3. .EXE files can be infected many times.
  113.                       4. Three functions used by Novell Netware 4.0
  114.                          can't be used.
  115.  
  116. ------------------- Agents ----------------------------------------
  117.  
  118. Countermeasures.....: Category 3: ANTIIS#1.EXE (VTC Hamburg)
  119.                       Remark: 1) The well-known UnVirus (developed at
  120.                                  Hebrew University) safely detects and
  121.                                  disinfects this virus (plus 5 more).
  122.                               2) Several Antiviruses do not work safe,
  123.                                  e.g. M-JRUSLM (McAfee) destroys 10%
  124.                                  of the .EXE-files during
  125.                                  disinfection.
  126.  
  127. Countermeasures successful: ANTIIS#1.EXE is an antivirus that only
  128.                       looks for the Israeli Virus and, if requested,
  129.                       will restore the file.
  130.  
  131.  
  132. Standard means......: ---
  133.  
  134. ------------------- Acknowledgement -------------------------------
  135.  
  136. Location............: Virus Test Center, University Hamburg, FRG
  137. Classification by...: Thomas Lippke, Michael Reinschmiedt
  138. Documentation by....: Michael Reinschmiedt, Thomas Lippke
  139.                       Morton Swimmer
  140. Date................: July 15, 1989
  141. Updates by..........: Y.Radai, Hebrew University, August 31, 1989
  142.  
  143. =================== End of Israeli-Virus ============================
  144.  
  145.  
  146.   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  147.   ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  148.   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  149.