| Alias: | |
| Strain: | Jerusalem Virus Strain, Carfield Substrain |
| detected when: | 1991 |
| where: | unknown |
| Classification: | Program Virus (extending), RAM-resident in low memory |
| Length: | COM-files: length increases by 1508 bytes EXE-files: length increases by 1508-1522 bytes Memory: 1744 bytes |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx and above |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Jerusalem.Carfield |
Attributes | |
| Easy identification: | No readable texts in Virus body, they are encrypted. |
Type of Infection: | System: infected, if function F3h of INT 21h returns value smaller that 04h in AH-register. COM-files: program length increases by 1508 bytes. The virus installs itself at the top of the file and uses function D5h of INT 21h to copy the original program over the virus. EXE-files: program length increases by 1508-1522 bytes. The virus installed itself at the end of the file and patches the EXE-start address in the EXE-header. After the virus has terminated, it jumps directly into the EXE- code to the start address. |
| Infection Technique: | |
| Infection Trigger: | Prgs. are infected at load time (func. 4Bh of INT 21h) |
| Storage Media affected: | |
| Interrupts hooked: | INT 21h, INT 08h (only when damage is activated; see Damage Trigger!) and INT 24h (when infecting a file) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient Damage: Every 42 seconds the following text is displayed on the screen at the position of the cursor: "Carfield!" |
| Damage Trigger: | 1.) Year of System date is not 1989. 2.) Day of Week is Monday. |
| Particularities: | 1.) When damage is active (see Damage Trigger) no files will be infected. 2.) COMMAND.COM will not be infected. 3.) COM-files with a length bigger than 63770 bytes are not correctly infected. They are destroyed and the system will stop with the message "COMMAND.COM cannot be loaded. System halted." |
| Similarities: | |
Agents | |
| Countermeasures: | Use any of the popular anti-virus products; as they and remove the virus. |
| Standard means: | 1.) Reboot from clean bootdisk. 2.) Delete all infected files. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | J”rn Dierks |
| Documentation by: | J”rn Dierks |
| Date: | January 3, 1994 |
| Information Source: | Disassembly |
(c) 1996 Virus-Test-Center, University of Hamburg