|
NCSA Virus Report #78
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Jerusalem Virus ?
???????????????????????????????
Synonyms: Israeli, Friday the 13th, Black Hole, Black Box, PLO, 1808
(EXE), 1813 (COM), sUMsDos, Russian.
Date of Origin: December 24, 1987 (date first detected in Israel).
Place of Origin: Israel.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, overlay files.
Increase in Size of Infected Files: 1808 bytes for EXE files (usually),
1813 bytes for COM files.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: CleanUp, UNVIRUS, IMMUNE, M-J, Scan/D/A, Saturday, F-Prot.
Derived from: Suriv03
Scan Code: 8E D0 BC 00 07 50 B8 C5 00 50 CB FC 06 2E 8C 06 31 00 2E 8C 06
39 00 2E 8C 06 3D 00 2E 8C 06 41 00 8C C0. You can also search at offset
095H for FC B4 E0 CD 21 80 FC E0 73 16.
History: The Jerusalem virus was first discovered at the Hebrew
University in Jerusalem on December 24, 1987, and reported to the virus
research community by Y. Radai of the Hebrew University of Jerusalem. My
personal suspicion is that the virus was written by a Palestinian, or
other enemy of Israel, and planted within Israel. Israel was declared an
independent state on May 14, 1948. Friday, May 13, 1988 would have been
40 years in which Palestine was no longer sovereign. Although it was
detected in late 1987, it contained code to prevent it from going off
until May 13, 1988. Other viruses set to go off on Friday the 13th are
likely copy-cats, whose authors simply thought that Friday the 13th was
unlucky, wanted a trigger date, and thought this would do fine.
Operation: This virus is a memory resident infector. Any "clean
program" run after an infected program is run will become infected. Both
COM and EXE files are infected. The virus occurs attached to the
beginning of a COM file, or the end of an EXE file. A COM file also has
the five-byte marker attached to the end. This marker is usually (but
not always) "MsDos", and is preceeded in the virus by "sU". "sUMsDos" is
not usually found in newer varieties of this virus. COM files increase
in length by 1813 bytes. EXE files usually increase by 1808 bytes, but
the displacement at which to write the virus is taken from the length in
the EXE header and not the actual length. This means that part or all of
this 1808 bytes may be overwritten on the end of the host program.
It becomes memory-resident when the first infected program is run,
and it will then infect every program run except COMMAND.COM. COM files
are infected once only, EXE files are re-infected each time they are run.
Interrupt 8 is redirected. After the system has been infected for
thirty minutes (by running an infected program), an area of the screen
from row 5 column 5 to row 16 column 16 is scrolled up two lines creating
a black two line "window". From this point a time-wasting loop is
executed with each timer interrupt, slowing the system down by a factor
of 10.
If the system was infected with a system date of Friday the
thirteenth, every program run will be deleted instead. This will
continue irrespective of the system date until the machine is rebooted.
The end of the virus, from offset 0600H, is rubbish and will vary from
sample to sample.
Jerusalem contains a flaw which makes it re-infect EXE (but not COM)
files over and over (up to five times or until the file becomes too big
to fit into memory, whichever comes first.)
The names 1808 and 1813 come from the fact that files grow by 1808 or
1813 bytes, without changing their date and time or read/write/hidden
attributes. COMMAND.COM does not grow, to help it avoid detection. In
fact, it seems likely that the disk version of COMMAND.COM is not
modified, but that the in-memory copy of COMMAND.COM is modified when an
infected program is run.
The virus causes some intentional damage:
* there is code in the virus for deleting each program that you run on
every Friday 13th. On January 13 (Friday), 1989, this virus made a
shambles of hundreds of PC-compatibles in Britain<Note: Jonathan
Randal, "Friday the 13th is Unlucky for British Computer Users;
Software Virus Disrupts IBM PC Programs" The Washington Post,
January 14, 1989, p. D10.>
* The virus re-directs interrupt 8 (among others) and one-half hour
after an infected program loads, the new timer interrupt introduces a
delay which slows down the processor by a factor of 10. (see figure).
It is difficult to estimate the total dollar value of damage done by
this virus to date. In just one case, reported in the Israeli newspaper
Maariv, it destroyed $15,000 worth of software and two disks in which
7,000 hours of work had been invested.<Note: Reported by Jonathan
Randal, "Friday the 13th is Unlucky for British Computer Users; Software
Virus Disrupts IBM PC Programs" The Washington Post, January 14, 1989,
p. D10.>
Disinfection can be a complex process. UNVIRUS will easily
eradicate this virus and 5-6 others as well. IMMUNE will prevent further
infection.
Alternatively, shareware programs written by Dave Chamber and
distributed through bulletin boards under the name M-J may be used. M-J
removes the virus from hard disks; M-JFA removes the virus from floppy
disks that are inserted into the system's A drive; M-JFB removes the
virus from floppy disks that are inserted into the system's B
drive.<Note: The M-J disinfector is successful in removing the Jerusalem
virus in virtually all instances. However, it will destroy, on the
average, one EXE file in ten during the disinfection attempt. It will not
harm COM files. It is recommended that every infected program be
executed after the disinfection process. Programs that have been
disabled during the disinfection process will not execute.>
Alternatively, here is the process for removal:
* power down the system.
* Boot from a write-protected, clean system master diskette.
* Delete all of the infected programs as indicated by VIRUSCAN.
* Replace the programs from original write-protected program
distribution diskettes.
* Do not execute any program from the infected hard disk until the
disinfection process is complete.
* After cleaning all hard drives in the infected system, all floppies
that have come into contact with the system should be SCANned and
disinfected in the same manner.
Another means of detection: using PCtools or another text search
utility, search for the ASCII string "sUMsDos". This string is present
in all copies of this particular virus strain.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
