
Info on the Jerusalem/DC virus


5 September 1990

David,
I thought that you may want to see this....Please read it carefully
and compare notes on what you have and what you have documentation
for. Please get back to me as soon as possible to discuss the
situation. This is an analysis that I did today on the strain that I
D/L'ed from the NCSA Board....Go figure. ,-)

-Paul

===============================================================================

This analysis was performed under the following circumstances:

Test machine: AT 80286 Turbo Clone, Phoenix ROM-BIOS version 3.30, 1Mb RAM
(640 base, 384 extended), Seagate ST-225 21Mb Hard Drive and
High Density (1.2 Mb) 5.25", 360 Kb Floppy Drive.

Operating System: MS-DOS version 4.01

Memory Mapping Utility: Central Point Software, Inc.,
"Memory Info", version 5.24

Notes: Clean, uninfected "goat" files (ie. .COM and .EXE) were
introduced into the viral environment for testing purposes.
The entire testing process is documented, in case you have
any particular questions.
McAfee Associates ViruScan version 66b identifies this virus
as Jerusalem B, but the differences in replication are
substantial enough to warrant a separate strain
classification. Comments, etc. are most certainly welcome.

===============================================================================

Virus: Jerusalem-DC
----- ------------

(Note - Yep, I stuck the DC strain-tag on this one..it does not possess
the same characteristics of any other of the documented strains,
although McAfee's ViruScan ID's it as J-B... -Paul)

Observations:
-------------

When an infected file is initially executed, the virus loads TSR. This can be
observed with a memory mapping utility (see above). This also reveals that
the infected file <name> has been loaded next TSR. It should also be
annotated at this point that the program that was used to view memory at
this point has, too, become infected. File size increases are as follows:

.COM files - 1813 bytes and will only be infected once. COMMAND.COM will
not become infected.

.EXE files - 1820 bytes initially; 1808 bytes upon each subsequent
infection. (This seems almost inversely proportional to the
description of Spanish JB, or Jerusalem E2.)

The "Black Box" effect is still apparent approx. 1/2 hour after the virus
is loaded TSR, as it is in the original J-B virus. The usual text string
"uSMsDOS" is not present in this strain.


Please direct any (more detailed) questions via message to:

The National Computer Security Association

NCSA BBS,
Washington, DC.
(202) 364-1304
300/1200/2400 at 8,N,1

(Preferably within the VIRUS Conference.)
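
The file size increases reported in the analysis above can be checked against a set of goat files by comparing each file's clean baseline size with its size after exposure. The following is an added example, not part of the original message; the function names are hypothetical and the file names and sizes are constructed sample data.

```python
from dataclasses import dataclass

# Growth figures exactly as reported in the analysis above.
COM_GROWTH = 1813   # .COM files: infected once only
EXE_FIRST = 1820    # .EXE files: first infection
EXE_REPEAT = 1808   # .EXE files: each subsequent infection

@dataclass
class Finding:
    name: str
    delta: int        # bytes gained relative to the clean baseline
    infections: int   # number of infections the growth accounts for (0 = none)
    verdict: str

def classify(name, baseline_size, current_size):
    """Compare one goat file's current size with its clean baseline size."""
    delta = current_size - baseline_size
    ext = name.upper().rsplit(".", 1)[-1]
    if delta == 0:
        return Finding(name, delta, 0, "unchanged")
    if ext == "COM" and delta == COM_GROWTH:
        return Finding(name, delta, 1, "matches reported growth")
    if ext == "EXE" and delta >= EXE_FIRST:
        extra, rem = divmod(delta - EXE_FIRST, EXE_REPEAT)
        if rem == 0:
            return Finding(name, delta, 1 + extra, "matches reported growth")
    # Any other size change still deserves a look, it just does not fit
    # the growth pattern documented for this strain.
    return Finding(name, delta, 0, "changed, no match")

def scan(baseline, observed):
    """Classify every goat file present in both size maps."""
    return [classify(n, baseline[n], observed[n])
            for n in sorted(baseline) if n in observed]

# Constructed sample data: clean sizes and sizes after exposure.
BASELINE = {"GOAT1.COM": 1000, "GOAT2.EXE": 4096,
            "GOAT3.EXE": 8192, "GOAT4.COM": 512}
OBSERVED = {"GOAT1.COM": 2813, "GOAT2.EXE": 5916,
            "GOAT3.EXE": 13628, "GOAT4.COM": 600}

if __name__ == "__main__":
    for f in scan(BASELINE, OBSERVED):
        print(f"{f.name:<10} +{f.delta:<6} x{f.infections}  {f.verdict}")
```
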

 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.