Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: JXA5@MARISTB.BITNET (John A. Councill)
Newsgroups: comp.virus
Subject: Jerusalem B (PC)
Message-ID: <0004.9010041806.AA01362@ubu.cert.sei.cmu.edu>
Date: 30 Sep 90 04:00:00 GMT
Sender: Virus Discussion List
Lines: 51
Approved: krvw@sei.cmu.edu

I am the Technical Assistant for the Computer Center at Bard College, a small liberal arts institution in upstate New York. Right now we have an exclusively IBM PC based, non-networked facility for student use (due to change soon...). Being a low tech school with 95% of usage being word processing, and not much outside software being brought into the center, we have not had any virus problems until very recently.

About two weeks ago, the Jerusalem B virus found its way onto one of our center's WordPerfect v4.2 disks. This version of WordPerfect refused to run with the infection. We cleaned off the disks by recopying them from masters.

Then, on Friday (9/28) we discovered Jerusalem B again on three disks-- WP v4.2, WP v5.0, and a Turbo Pascal v2.0. Very irritating... but what concerns me is the amount of infection and the behavior of the virus with WP v5.0 and the Turbo Pascal. Both of these programs were invokable, and the behavior upon invocation was different than with WP v4.2. With WP v4.2 it scanned both disk drives (presumably for other disks to infect), loaded itself into memory, infected the resident portion of DOS, and then tried to run WP. With the other two programs, however, the virus exhibited none of the above activity.

Here are some specific questions:

1) What is the behavior of Jerusalem B? Does it do anything vile other than infect all of the .COM and .EXE files that it can find (or so I thought, see #2 below...)? (e.g. will it wait for the next partial lunar eclipse in Iceland and then erase all data and display three leaping purple frogs on the screen...)

2) There were five .COM files on the Turbo Pascal v2.0 disk that it infected: TURBO.COM, TURBO-87.COM, FORMAT.COM, TINST.COM, and COMMAND.COM. It only infected TURBO.COM, with two infections each. Does Jerusalem B only infect programs that are invoked from the command prompt while it is in memory? Or is it supposed to infect all COM and .EXE files that it finds?

3) Under what conditions does a multiple infection occur (one executable file found to have multiple copies of the virus in it)?

4) Are there many versions of Jerusalem B out in the world, making the above questions inappropriate and/or difficult to answer?

Thanks. Any tips, thoughts, or info on this will be most appreciated.

John A. Councill                     | JXA5@MARISTB
Technical Assistant                  |      on
Henderson Computer Resources Center  |    BITNET
Bard College, Annandale-on-Hudson NY |