| Alias: | Israeli, 1813, IDF, PLO, Friday 13th |
| Strain: | Jerusalem strain |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector |
| Length: | 112 paragraph(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | |
| Computer model(s): | PCs |
| Caroname: | Jerusalem.Standard |
Attributes | |
| Easy identification: | |
| Type of Infection: | COM: The virus prepends itself to the files. EXE: Appending, uses length from EXE header to position virus. Selfrec in memory: INT 21h/AH=E0h -> AX=0003h. Selfrec on disk: File[lastbyte-2..lastbyte] = "Dos" |
| Infection Technique: | |
| Infection Trigger: | 21h/4Bh. INFECTION_CRIT: DiscFreeSpace >= 1808; Filename <> "COMMAND.COM" |
| Storage Media affected: | |
| Interrupts hooked: | 21h/4Bh, 21h/DDh, 21h/DEh, 21h/E0h, 08h (transient damage), 24h (during infection) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Area of screen wiped out; machine slowed down. Permanent: Program files deleted on execution |
| Damage Trigger: | Transient: VirusResident > 30 minutes. Permanent: Date = Friday 13th |
| Particularities: | n/a Displayed text: None. Not displayed text: None. This virus is extremely well-known. On Friday 13th, once resident, files the user tries to execute are deleted instead. On other days, the virus simply waits for 30 minutes from the time it goes resident and installs an empty loop on INT 08h (timer tick) to slow the machine down. On fast PCs, this is almost unnoticeable. The virus also scrolls up a window in the bottom left corner of the screen, but nothing is displayed. The disc self-recognition mark (the string "Dos" at the end of the file) is never appended to EXE files, so they suffer repeated infection until they are ultimately too big to execute, whereupon they will produce "Program too big to fit in memory" errors. This makes the obviousness of the virus QUITE, rather than SLIGHTLY. Jerusalem.Standard is also well-known for interfering with Novell networks, due to its choice of memory self-recognition call. This clashes with Novell printer spooler functions, and may cause Novell to fall over. This is, however, a weakness of Novell -- running a malicious (or even just buggy) program on a workstation should *not* cause denial of service as trivially as this virus does. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg