Threat Encyclopedia


Virus, spyware, worms and other threat descriptions


J&M

J&M.A

This is a simple boot virus. On an attempt (even an unintentional one) to boot the system from an infected diskette, the virus moves itself into 2 kilobytes at the top of conventional memory. It infects the MBR (Master Boot Record) of the hard disk and stores the original sector at cylinder 0, side 0, sector 6. It recognizes an infected disk by searching for the characters “J&” in the MBR at offset 1BBh. The string “J&M” is located there, and the virus name is derived from it. The virus monitors INT 13h calls and infects any uninfected diskette that is inserted into the drive. When doing so, it moves the original boot sector of the diskette to cylinder 1, side 0, sector 14.

The virus tests the date and on November 15th it formats side zero of the first hard disk (disk C:), i.e. the side where it has stored the original boot sector. On hard disks this damages the disk partition table. On a diskette, the virus carries at its end strings from the original boot sector, “Replace and press any key when ready” and “IO SYSMSDOS SYS”, and thanks to them it is able to “survive” a casual check by some utilities.

This virus was first seen in 1993, and the press started a huge hysterical campaign about it. Paradoxically, the virus probably comes from Slovakia but spread first in the Czech Republic, where it was given the name Hasita or Jimmi. As a final word, J&M has been a very successful boot virus. It still appears, including abroad (for example in Great Britain in 1996).

J&M.B

The first change compared to the original is that several instructions in the decryptor were altered. As a result, this variant is not necessarily detected by anti-virus programs that were able to detect the original version. The second change is that one byte was altered in the encrypted virus body, so that the virus activates on April 15th instead of November 15th.

J&M.C

This variant contains several minor changes. There is a change in the decryptor and in the amount of occupied memory. The destruction routine is the same as in the original, but the activation date was changed to November 12th. At offset 1BBh is the encrypted string “R&Z”, and its first two bytes control the infection.

J&M.D

The destructive routine of this variant is never activated.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.