Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!wuarchive!udel!haven!mimsy!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: ST7751%SIUCVMB.BITNET@VMA.CC.CMU.EDU (Chris Beckenbach)
Newsgroups: comp.virus
Subject: Jerusalem virus (PC)
Message-ID: <0004.8911091541.AA08370@ge.sei.cmu.edu>
Date: 8 Nov 89 17:54:42 GMT
Sender: Virus Discussion List
Lines: 38
Approved: krvw@sei.cmu.edu

The Jerusalem virus has turned up here at Southern Illinois University, also. From dissecting a copy of the virus, and an article in the February 15, 1989 edition of Datamation ("The Virus Cure", by John McAfee, pp. 29-40), the Jerusalem virus (called the Israeli virus in the Datamation article) does the following:

When an infected .EXE or .COM file is loaded and run, the Jerusalem virus checks to see if it is already resident in the computer. If not, it sets itself up to intercept DOS INT 21h, then proceeds to run the infected program normally. Whenever a call is made to INT 21h to execute a program (function 4Bh), the virus will append itself to the program file on the disk and set itself up as the entry point for that program. This adds 1808 bytes of length to the file, but does not change the time/date stamp. If the disk is write-protected, no error will be given, and the file will not be infected.

The copy of the virus that I have been looking at infects .EXE files multiple times (the Datamation article says that this is a bug that has been "fixed" by hackers in other versions), so usually the major problem with this virus will be that it will waste memory and disk space. John McAfee's article also says that this multiple infection does not occur with COM files, but I have not verified this.

The most serious aspect of this virus is that when the system date is Friday the 13th (except when the year is 1987--this virus was first discovered in 1987, so this was probably written in to give it time to spread) any call to execute a .COM or .EXE file will result in the file's being deleted from the disk.

I have been informed that Flushot will take the virus out of infected programs, so if you have the virus and Flushot, you might want to try this.

Hope this has been of help.

Chris Beckenbach              ST7751@SIUCVMB
Computer Science major
Southern Illinois University
Carbondale, Illinois

"I think, therefore I think I am--I think."
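
The following is an added example, not part of the original post: a baseline comparison that flags .COM/.EXE files which grew by a whole multiple of the 1808 bytes reported above while keeping the same time/date stamp, and reports files that have gone missing. The snapshot format, the names `FileState`, `check_growth` and `is_trigger_date`, and the sample data are assumptions made for illustration; the 1808-byte figure and the date condition are taken from the post as stated.

```python
import datetime
from typing import NamedTuple

GROWTH = 1808  # bytes added per infection, figure taken from the post

class FileState(NamedTuple):
    size: int   # file length in bytes
    mtime: int  # time/date stamp in any comparable integer form

def check_growth(baseline, current):
    """Compare two {path: FileState} snapshots of .COM/.EXE files."""
    findings = []
    for path, old in sorted(baseline.items()):
        if not path.upper().endswith((".COM", ".EXE")):
            continue
        new = current.get(path)
        if new is None:
            # Deleted programs match the Friday-the-13th behaviour described.
            findings.append((path, "missing", 0))
            continue
        delta = new.size - old.size
        if delta > 0 and delta % GROWTH == 0 and new.mtime == old.mtime:
            # Grew by a whole number of 1808-byte copies, stamp untouched.
            findings.append((path, "suspect", delta // GROWTH))
    return findings

def is_trigger_date(d):
    """True on Friday the 13th in any year except 1987 (condition from the post)."""
    return d.day == 13 and d.weekday() == 4 and d.year != 1987

# Constructed sample snapshots (not real measurements).
BASELINE = {
    r"C:\DOS\FORMAT.COM": FileState(11616, 100),
    r"C:\UTIL\EDIT.EXE": FileState(40000, 200),
    r"C:\UTIL\LIST.COM": FileState(9000, 300),
    r"C:\UTIL\SORT.EXE": FileState(7000, 400),
    r"C:\UTIL\README.TXT": FileState(500, 500),
}
CURRENT = {
    r"C:\DOS\FORMAT.COM": FileState(11616 + 1808, 100),     # one copy appended
    r"C:\UTIL\EDIT.EXE": FileState(40000 + 3 * 1808, 200),  # infected three times
    r"C:\UTIL\SORT.EXE": FileState(7000 + 1808, 450),       # stamp changed: not flagged
    r"C:\UTIL\README.TXT": FileState(500 + 1808, 500),      # not an executable
}

if __name__ == "__main__":
    for finding in check_growth(BASELINE, CURRENT):
        print(finding)
    print(is_trigger_date(datetime.date(1989, 10, 13)))
```

The third field of a "suspect" finding is the number of 1808-byte copies the growth corresponds to, which reflects the repeated .EXE infection described in the post.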