Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Jerusalem

Jerusalem is a rather large family of viruses. Their common characteristic is that they are all memory-resident COM and EXE infectors that attack files when they are executed, but they never attack COMMAND.COM. There are many variants, differing in length, in the text they write or contain, and in the damage they cause.

The classical Jerusalem virus, also known as Friday 13th, infects COM files by allocating a block of memory, which it marks as system memory, and moving a copy of itself into it. Behind this copy the virus then reads in the file it is infecting. Finally it adds 5 bytes, which serve as a marker protecting the file from being attacked again. After that the virus writes the result to the disk. In the case of EXE files it writes itself to the end of the file, but it forgets to add the “signature”, so the same file can be attacked repeatedly.

In addition to INT 21h, the virus also hooks INT 8h, the system timer interrupt, which is generated 18.2 times per second. Thirty minutes after the infected program was started, the virus begins to slow down the computer. It does so by executing an empty loop at each INT 8h service. A black window is displayed in the bottom left corner of the screen.

On Friday the 13th the virus shows itself in a much more unpleasant way: each program executed on the system is deleted, and for that reason the operating system will not find the file. As a result, the message 'File not found' is displayed.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.