Jerusalem (computer virus)


Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some.EXE files are infected but do not grow because several overlays follow the genuine.EXE file in the same file. Sometimes.EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.
The virus code itself hooks into interrupt processing and other low level DOS services. For example, code in the virus suppresses the printing of console messages if, for example, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".
The Jerusalem virus is unique among other viruses of the time, as it is a logic bomb, set to go off on Friday the 13th on all years but 1987. Once triggered, the virus not only deletes any program run that day, but also infects.EXE files repeatedly until they grow too large for the computer. This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected, significantly slows down the infected computer, thus allowing for easier detection. Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines.
As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.
Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations required to hook into the file system.
Jerusalem was initially very common and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

Aliases