Mummy 1.2 Virus

Alias:
Strain: Jerusalem Virus strain, Mummy substrain
Detected when: Spring 1992
Where: Germany
Classification: Program (EXE) virus (appending), memory resident
Length: Appends 1399-1414 bytes

Preconditions

Operating System(s): MS-DOS
Version/Release: All versions above 2
Computer model(s): PC and all compatibles
Caroname: Jerusalem.Mummy.1_2

Attributes

Easy identification: File growth; no plain text in files visible. Virus self-identification: EXE header checksum (file offset 12h) contains 0C0Bh.

Type of Infection:

All files starting with "MZ" (normal EXE header) that are executed or opened will be infected, provided there is enough space left on the volume.

Infection Technique:
Infection Trigger: Load & Execute or Open of a file containing "MZ" as first two bytes.
Storage Media affected: All (diskettes, hard disks)
Interrupts hooked: INT 24 (hooked); INT 21 and 26 (used)
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: Transient damage: there is an encrypted text in the virus that is decrypted when the virus goes memory resident. This text is never displayed! Memory dump (typical text!):

    0D 0A 20 04 20 4D 75 6D    .. . Mum
    6D 79 20 56 65 72 73 69    my Versi
    6F 6E 20 31 3E 32 20 04    on 1.2 .
    20 0D 0A 0A 4B 61 6F 68     ...Kaoh
    73 69 75 6E 67 20 53 65    siung Se
    6E 69 6F 72 20 53 63 68    nior Sch
    6F 6F 6C 0D 0A 0A 54 7A    ool...Tz
    65 6E 67 20 4A 61 75 20    eng Jau
    4D 69 6E 67 20 70 72 65    Ming pre
    73 65 6E 74 73 0D 0A 0A    sents...
    53 65 72 69 65 73 20 4E    Series N
    75 6D 62 65 72 20 3D 20    umber =
    5B 78 78 78 78 78 5D 0D    [xxxxx].
    0A 24                      .$

Permanent damage: the virus contains a counter (16 bit) that is decremented upon every loading or opening of an infected file; this counter is reset to zero every time an OEM call to DOS is made (INT 21 AH=FFh and AL<>FFh) (this function is used by several programs). Upon each attempted infection, the counter is checked for having reached zero; if so, the current logical drive is overwritten with the virus code and memory garbage. 99 sectors are overwritten, starting with the bootsector (logical sector 0). This activity destroys the bootsector, FAT 1 and FAT 2, and the root directory as well as some data.
Damage Trigger: If trigger counter becomes zero.
Particularities: Trigger counter is forced to zero if DOS INT 21h is invoked, e.g. by specific programs or another virus. New infections inherit trigger counter in infecting file.
Similarities: Jerusalem/Mummy virus strain

Agents

Countermeasures: McAfee Scan, Skulason F-PROT, Solomon FindViru. Removal not recommended, might not work on special EXE files!
Standard means: Replace infected file with uninfected original.
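
The two identification attributes listed above (the 0C0Bh value in the EXE header checksum at offset 12h, and growth of 1399-1414 bytes) can be checked together. The following is an added example, not part of the original catalogue entry; the function names, the verdict strings and the baseline of known-good file sizes are assumptions, and the checksum is read as a little-endian 16-bit word.

```python
from __future__ import annotations

import struct
from pathlib import Path

CHECKSUM_OFFSET = 0x12         # checksum word of the MZ (DOS EXE) header
MUMMY_MARKER = 0x0C0B          # self-identification value from the entry
APPENDED = range(1399, 1415)   # 1399-1414 bytes appended, per the entry
HEADER_LEN = 0x1C              # fixed part of the MZ header


def has_marker(header: bytes) -> bool:
    """True if the bytes start with "MZ" and carry 0C0Bh at offset 12h."""
    if len(header) < HEADER_LEN or header[:2] != b"MZ":
        return False
    # Assumption: the value is stored as a little-endian word (bytes 0B 0C).
    (checksum,) = struct.unpack_from("<H", header, CHECKSUM_OFFSET)
    return checksum == MUMMY_MARKER


def triage(header: bytes, size: int, clean_size: int | None = None) -> str:
    """Combine the marker with file growth against a known-good size."""
    if not has_marker(header):
        return "no-marker"
    if clean_size is not None and (size - clean_size) in APPENDED:
        return "marker+growth"
    return "marker-only"       # weaker signal: confirm with a scanner


def scan_tree(root: str, baseline: dict[str, int] | None = None) -> dict[str, str]:
    """Triage every file under root; baseline maps file name -> clean size."""
    baseline = baseline or {}
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(HEADER_LEN)   # only the header is read
        verdict = triage(header, path.stat().st_size, baseline.get(path.name))
        if verdict != "no-marker":
            hits[str(path)] = verdict
    return hits


def sample_header(checksum: int) -> bytes:
    """Constructed 28-byte MZ header with only the checksum word set."""
    header = bytearray(HEADER_LEN)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, CHECKSUM_OFFSET, checksum)
    return bytes(header)
```

A "marker-only" result is an indicator rather than proof, since nothing prevents an unrelated program from carrying the same checksum value.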

Acknowledgements

Location: Micro-BIT Virus Center, Univ Karlsruhe, Germany
Classification by: Christoph Fischer (Klaus Brunnstein, VTC)
Documentation by: Christoph Fischer
Date: April-1992
Information Source: ---

(c) 1996 Virus-Test-Center, University of Hamburg