Path: utzoo!attcan!uunet!know!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RADAI@HUJIVMS.BITNET (Y. Radai)
Newsgroups: comp.virus
Subject: Re: Jerusalem B (PC)
Message-ID: <0003.9010111649.AA06500@ubu.cert.sei.cmu.edu>
Date: 8 Oct 90 12:16:00 GMT
Sender: Virus Discussion List
Lines: 65
Approved: krvw@sei.cmu.edu

John Councill asks several questions about the Jerusalem B virus.
Although all of them have been answered on VIRUS-L before, I guess
there are enough new readers to warrant posting the answers here again:

>... behavior of the virus with WP v5.0 and the Turbo Pascal.  Both of
>these programs were invokable, and the behavior upon invocation was
>different than with WP v4.2.  With WP v4.2 it scanned both disk drives
>(presumably for other disks to infect), loaded itself into memory,
>infected the resident portion of DOS, and then tried to run WP.  With
>the other two programs, however, the virus exhibited none of the above
>activity.

The behavior with WP 4.2 is anomalous since the length of this file as
reported in the EXE header is less than its actual length.  As a
result, the virus overwrites part of the file instead of appending
itself to it, meaning that no disinfectant utility can restore WP 4.2
after it has been infected by this virus.

BTW, the scanning of disk drives which you report was not being done
by the virus, but by WP 4.2.  (I think the part of it which is in
memory is looking for additional code in the file, and finding that the
file is corrupt, it starts looking for it on other disks.  Or something
like that.)

>1) What is the behavior of Jerusalem B?  Does it do anything vile
>other than infect all of the .COM and .EXE files that it can find (or
>so I thought, see #2 below...)?

If it gets into memory when the system date is a Friday the 13th, it
will cause any file which is executed to be deleted.  On any other
date, after it has been in memory for 30 minutes, it will cause all
activity to be slowed down and a rectangular region of the screen to be
scrolled up by two lines.

>2) ... Does Jerusalem B only infect programs that are invoked from the
>command prompt while it is in memory?  Or is it supposed to infect all
>.COM and .EXE files that it finds?

It infects all executable program files invoked while it is in memory,
except COMMAND.COM.

>3) Under what conditions does a multiple infection occur (one
>executable file found to have multiple copies of the virus in it)?

Whenever the file is an EXE file.

>4) Are there many versions of Jerusalem B out in the world, making the
>above questions inappropriate and/or difficult to answer?

The total number of versions of the Jerusalem which have been reported
is well over 10, but only the original version (what McAfee calls
"Jerusalem-B" for some obscure reason) is very common.  The
multiple-infection bug has been removed in most of the later versions,
and the slowdown and scrollup have been removed in some of them.  Some
versions are much more destructive than the original.

I might add that some of the information on this virus given in
Patricia Hoffman's VSUMxxxx file is inaccurate, particularly the claims
that it can survive a warm reboot and that the slowdown is by a factor
of 10.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
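The WP 4.2 anomaly above (an EXE whose MZ header declares a load image shorter than the file really is, so that an appending infector lands on top of live code and no disinfector can put the file back) is something a defender can inventory in advance. The following is an added example, not code from Radai's post or from any of the tools mentioned in it: it reads the two standard MZ header size fields (e_cblp, bytes used in the last 512-byte page, at offset 2; e_cp, page count, at offset 4) and reports how many bytes of the file lie past the declared end. The sample files are constructed in memory with zero padding and carry no program code. A non-zero difference is a triage signal, not proof of infection: the post itself gives a clean WP 4.2 as a program that shows one.

```python
"""Added example: compare the load-image size an MZ (DOS EXE) header declares
with the file's actual length.

Illustrative code added to this post, not anything from the original thread.
The MZ header fields used (e_cblp at offset 2, e_cp at offset 4, both
little-endian 16-bit) are the standard DOS EXE layout; the sample files
built by build_mz() are constructed here and contain no real program code.
"""
import struct
from dataclasses import dataclass

MZ_MAGIC = b"MZ"
PAGE = 512  # the MZ header counts the load image in 512-byte pages


@dataclass
class ExeSizeReport:
    declared_size: int  # load-image size computed from the header
    actual_size: int    # real length of the file

    @property
    def trailing_bytes(self) -> int:
        """Bytes past the declared end (negative if the header over-declares)."""
        return self.actual_size - self.declared_size


def declared_exe_size(data: bytes) -> int:
    """Load-image size as stated by the MZ header.

    e_cp is the number of 512-byte pages; e_cblp is the number of bytes
    used in the last page, where 0 means the last page is full.
    """
    if len(data) < 6 or data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    if e_cp == 0:
        return 0
    size = e_cp * PAGE
    if e_cblp:
        size -= PAGE - e_cblp
    return size


def check_exe(data: bytes) -> ExeSizeReport:
    """Report declared vs. actual length for one EXE image held in memory."""
    return ExeSizeReport(declared_exe_size(data), len(data))


def build_mz(image_size: int) -> bytes:
    """Construct a dummy MZ file of exactly image_size bytes (header + zero padding).

    Only the magic and the two size fields are filled in; this is sample
    input for the check, not a runnable program.
    """
    if image_size < 64:
        raise ValueError("image_size must cover the 64-byte header")
    pages, rem = divmod(image_size, PAGE)
    if rem:
        pages += 1
    header = bytearray(64)
    header[:2] = MZ_MAGIC
    struct.pack_into("<HH", header, 2, rem, pages)
    return bytes(header) + b"\x00" * (image_size - 64)


if __name__ == "__main__":
    # Constructed samples: one whose header matches its length, and one
    # with 300 bytes the header does not account for (the WP 4.2 situation).
    consistent = build_mz(1000)
    under_declared = build_mz(1000) + b"\x00" * 300
    for name, blob in (("consistent", consistent), ("under-declared", under_declared)):
        r = check_exe(blob)
        print(f"{name}: declared={r.declared_size} actual={r.actual_size} "
              f"trailing={r.trailing_bytes}")
```

Run over a directory of real EXE files (reading each with `open(path, "rb").read()` and passing it to `check_exe`), the list of files with a positive `trailing_bytes` is the set that an appending infector of this kind would damage beyond repair, which is worth knowing before an incident rather than after.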