Jerusalem (computer virus)

Jerusalem
Alias
  • Arab Star
  • Friday 13th
  • Israeli
Type: Computer virus
Classification: Unknown
Technical details
Platform: DOS

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem in October 1987.[1] On infection, the Jerusalem virus becomes memory resident (using 2 KB of memory), and then infects every executable file run, except for COMMAND.COM.[2] .COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected, and are re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.
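The size figures above lend themselves to a baseline comparison. The following Python check is an added example, not part of the original article or of any vendor tool: it flags files whose growth since a known-good inventory matches the stated deltas, including repeated .EXE infection. The file names and sizes in `SAMPLE` are constructed, and the function names are hypothetical.

```python
from __future__ import annotations

COM_GROWTH = 1813              # bytes added to a .COM file (infected once only)
EXE_MIN, EXE_MAX = 1808, 1823  # bytes added to an .EXE file per infection


def exe_infection_range(growth: int) -> tuple[int, int] | None:
    """Return (min, max) infection counts that could explain `growth`, or None.

    n infections add between n*EXE_MIN and n*EXE_MAX bytes, so n must satisfy
    ceil(growth / EXE_MAX) <= n <= floor(growth / EXE_MIN).
    """
    if growth < EXE_MIN:
        return None
    low = -(-growth // EXE_MAX)   # ceiling division
    high = growth // EXE_MIN
    return (low, high) if low <= high else None


def classify(name: str, baseline: int, current: int) -> str:
    """Label one file given its known-good size and its size now (bytes)."""
    growth = current - baseline
    ext = name.rsplit(".", 1)[-1].upper()
    if growth == 0:
        return "unchanged"
    if ext == "COM" and growth == COM_GROWTH:
        return "suspect: COM grew by 1813"
    if ext == "EXE":
        counts = exe_infection_range(growth)
        if counts:
            return f"suspect: EXE growth fits {counts[0]}-{counts[1]} infection(s)"
    return "changed: growth does not match"


# Constructed inventory: (file name, baseline size, current size) in bytes.
SAMPLE = [
    ("EDIT.COM", 413, 2226),        # +1813
    ("FORMAT.COM", 11616, 11616),   # no change
    ("CHKDSK.EXE", 16200, 21650),   # +5450, only possible as 3 infections
    ("MEM.EXE", 39818, 41000),      # +1182, below one infection
]

if __name__ == "__main__":
    for name, before, after in SAMPLE:
        print(f"{name:12} {classify(name, before, after)}")
```

A size match is only a triage hint, and the overlay case described above leaves the file size unchanged, so this check does not catch it.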

The virus code itself hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages if, say, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The Jerusalem virus is unique among viruses of the time in that it is a logic bomb, set to go off on Friday the 13th in every year except 1987 (making its first activation date 13 May 1988).[3] Once triggered, the virus not only deletes any program run that day,[4] but also infects .EXE files repeatedly until they grow too large for the computer.[5] This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected and significantly slows down the infected computer, thus allowing for easier detection.[5][6] Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines.[5]

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

  1. שלומי, רועי (2006-02-02). "A look back: the first Israeli virus". ynet (in Hebrew). Retrieved 2019-03-10.
  2. "Jerusalem". ESET. Retrieved 9 February 2013.
  3. "Episode 35 - The Jerusalem Virus - Malicious Life Podcast". Malicious Life. Retrieved 2019-03-10.
  4. "Jerusalem,1808". Symantec. Archived from the original on April 3, 2019. Retrieved 2019-03-10.
  5. "Jerusalem Description | F-Secure Labs". www.f-secure.com. Retrieved 2019-03-10.
  6. "JERUSALEM - Threat Encyclopedia - Trend Micro US". www.trendmicro.com. Retrieved 2019-03-27.