Jiskefet Virus

Alias:---
Strain:---
detected when:---
where:---
Classification:File-Virus: EXE infector, not memory-resident
Length:On media: 2,048 bytes

Preconditions

Operating System(s):IBM-OS/2
Version/Release:2.x
Computer model(s):IBM 386+ and compatibles
Caroname:Jiskefet

Attributes

Easy identification:At offset 0400h, text 'MK' can be read with a HEX-editor/viewer. More text in virus: '*.EXE'

Type of Infection:

EXE-files: Program length increases by 2,048 bytes. The virus takes the first 2,048 bytes of the victim file and appends them to the end of that file. Then the virus copies its own first 2,048 bytes to the top of the victim file. When an infected program is run, it tries to infect all EXE-files in the current directory.

Infection Technique:
Infection Trigger:Execution of an infected EXE program.
Storage Media affected:disk/diskette
Interrupts hooked:--- (not applicable to OS/2)
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:The virus does not do any intentional damage. It only replicates and consumes disk space.
Damage Trigger:---
Particularities:
1) All EXE-files in the current directory are infected.
2) After the virus has infected all EXE-files, it copies its host file using the extension .MK, disinfects it, runs this file and deletes it afterwards. This is done because OS/2 does not allow a program to modify itself during execution.
3) Due to a bug in the virus code, an infected program may fail to start, because the author did not handle the case where disk space runs out while _disinfecting_ a file (see no. 2).
4) Only Presentation-Manager applications are infected.
Similarities:---

Agents

Countermeasures:---
Standard means:Delete any infected files and replace them with their originals.
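
The identification strings and file layout recorded above can be checked mechanically. The following triage sketch is an added example, not part of the original catalog entry or any Virus-Test-Center tool; the function names, the 4,096-byte minimum size, the 'MZ' sanity check and the filler-byte sample are assumptions made for illustration.

```python
VIRUS_LEN = 2048        # length on media, from the entry
MARKER_OFFSET = 0x400   # text 'MK' is readable at offset 0400h
MARKER = b"MK"
MASK = b"*.EXE"         # further text inside the virus body


def looks_infected(data: bytes) -> bool:
    """True if the buffer shows both identification strings and a plausible size."""
    # Assumption: an infected file holds the 2,048-byte virus head plus the
    # relocated 2,048-byte host head, so it is at least 4,096 bytes long.
    if len(data) < 2 * VIRUS_LEN:
        return False
    head = data[:VIRUS_LEN]
    return (head[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER
            and MASK in head)


def original_image(data: bytes) -> bytes:
    """Reverse the described layout in memory: the host head is the last 2,048 bytes."""
    if not looks_infected(data):
        raise ValueError("buffer does not match the Jiskefet layout")
    restored = data[-VIRUS_LEN:] + data[VIRUS_LEN:-VIRUS_LEN]
    # Assumption: a genuine host head starts with the 'MZ' EXE signature.
    if restored[:2] != b"MZ":
        raise ValueError("relocated head is not an EXE header")
    return restored


def constructed_sample():
    """Constructed test data: filler bytes in the described layout, no virus code."""
    host = b"MZ" + bytes(range(256)) * 20 + b"tail-of-host"
    stub = bytearray(VIRUS_LEN)
    stub[0:2] = b"MZ"
    stub[MARKER_OFFSET:MARKER_OFFSET + 2] = MARKER
    stub[0x500:0x505] = MASK
    infected = bytes(stub) + host[VIRUS_LEN:] + host[:VIRUS_LEN]
    return host, infected


if __name__ == "__main__":
    host, infected = constructed_sample()
    print(looks_infected(host), looks_infected(infected))
    print(original_image(infected) == host)
```

Comparing the reconstructed image against a known-good copy of the program confirms that a flagged file really follows this layout before it is replaced with its original.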

Acknowledgements

Location:Virus-Test-Center, University of Hamburg, Germany
Classification by:Joern Dierks
Documentation by:Joern Dierks
Date:June 22, 1994
Information Source:Analysis of Assembler source-code

(c) 1996 Virus-Test-Center, University of Hamburg