1.2 The 1813 ("Jerusalem") Virus
One of the oldest PC-DOS viruses, and probably the most common, is the 1813 virus, also called (among other things) the Jerusalem, the Jerusalem-B, the Friday the 13th, the Black Friday, the Black Hole, the Morbus Waiblingen, and the sUMsDos. When a file infected with the 1813 virus is executed, the virus is loaded into memory, and any file executed via the DOS "execute program" function thereafter (until the next power-off or reboot) will be infected. This includes EXE and COM programs invoked from the DOS command line, as well as overlays (1) that are called by other programs. This technique of infecting things as they are used is one of the features that most of the currently-common viruses share. When an infected program is executed on Friday the 13th (any month, any year but 1987), it will erase programs that are executed, rather than infecting them.
1.2.1 Spread
The 1813 virus spreads from machine to machine by way of infected files; when an infected program travels (on diskette, over a LAN, by download from a host computer or bulletin board system, or otherwise) from one computer to another, the destination computer will become infected as soon as the infected program is executed. The virus has no power to spread between machines itself; it relies on people intentionally sharing software or machines in order to spread. Some common spread scenarios include:
Shared machines - If a computer is used by many different people, it can serve as a center of infection. If someone has run an infected program on the machine, the infection has probably spread to programs on the machine's hard disk; if other users bring their own programs on diskette and run them on the machine, those programs are likely to become infected, and the infection will be spread on diskette to other machines. Shared machines are therefore one important place to apply virus protection programs.
Shared diskettes - There are many diskettes that are routinely carried from machine to machine; these include diagnostic diskettes, product demos, and so on. If such a diskette becomes infected, the infection can quickly spread to many machines. Shared diskettes should therefore be protected; the most effective protection is a write-protect tab!
Popular programs - There are some programs (games, demos, animations, and so on) that are very popular; anyone who gets a copy of one of these programs is likely to want to pass it on (or at least show it off) to other people. If one of these programs becomes infected, the infection can spread quickly to many machines; users should therefore be educated in the dangers of running such programs without first employing virus detectors or other anti-virus measures.
LAN servers - If a program on a LAN server that is used by many workstations on the LAN becomes infected, a large percentage of workstations on the LAN can become infected very quickly (sometimes within an hour or two). Programs on LAN servers should be carefully checked for viruses, and LAN access controls for shared programs should be set up correctly. One common mistake is to have the LAN "logon" program in a place where anyone on the LAN can write to it; this setup means that if any workstation on the LAN becomes infected, the logon program will quickly become infected, and then every workstation that logs onto the LAN will immediately be infected. Properly maintained, LAN servers can be a good way to make virus-free programs available to many machines; set up incorrectly, they can be just the opposite!
1.2.2 Symptoms
In general, the most reliable symptom of a computer virus is an alert from a good anti-virus program. Machines properly protected by an anti-virus program should never experience the more serious symptoms of the virus! In any large organization or community, though, there will be at least a few machines not properly protected, and support people (Help Desks, Information Centers, repair groups, and so on) should be aware of symptoms that might mean a virus has infected an unprotected system. The 1813 virus is actually one of the more obvious of the common PC-DOS viruses. It has a number of intentional effects, and a number of bugs, which can cause infected systems to behave oddly even before the virus "activates" on Friday the 13th. The likely symptoms include:
Shortage of disk space and/or growth in size of programs (when the virus infects a file, it adds approximately 1813 bytes to the size of the file),
An occasional decrease in the apparent speed of the infected computer (users have described this as, for instance, "the machine suddenly started typing at 1200 baud"),
The scrolling or blanking of a small rectangular area in the upper left quadrant of the screen (the "black hole" effect),
The message "Program too big to fit in memory" when certain often-used EXE programs are run (due to a bug in the virus, it will continually re-infect most EXE programs, eventually causing them to be too large to run),
Malfunctioning of a few infected EXE programs: programs "lock up", or report unexpected error conditions or inability to load functions. (This is due to another bug in the virus that sometimes destroys part of the infected program.)
The first three of these symptoms are reasonably reliable signs of an infection; the last two can be from any of various causes. But in any case, checking a malfunctioning computer for known viruses with an anti-virus tool is generally a quick and easy process, and a useful addition to a support person's toolkit. Machines infected with the 1813 virus are often misdiagnosed as having software or hardware problems, leading to wasted time (as parts are replaced and tests run), and to the risk of spreading the infection via diagnostic diskettes.
1.2.3 Damage
The 1813 is not a particularly destructive virus. At the time it loads itself into memory, it asks DOS for the current date. If the day of the week is a Friday, the day of the month is 13, and the year is not 1987, the virus "activates". Once the virus has activated, any program executed via the DOS "execute program" call, described above, is erased. Users will generally notice this quite quickly (as all the programs they try to use turn out not to exist!), and it is not generally hard to recover from (programs can be re-installed from their original distribution diskettes, or re-created from source files).
The fact that the virus is not intentionally very destructive does not mean that protection against it isn't cost-effective. Systems infected with the virus do not work very well, and are capable of spreading the infection beyond the immediate business or community. Cleanup is therefore necessary; the earlier the virus was detected, the simpler cleanup will be. Erasing a few infected files from one diskette is cheap; scanning and cleaning up hundreds of unprotected systems after the fact can be very expensive.
When cleaning up after a memory-resident virus like the 1813 (and the other viruses discussed in this paper), it is vital to make sure that the virus is not in memory during the cleanup process! Otherwise the virus is likely to re-infect objects as they are cleaned up, and cleanup will not be successful. To ensure that no virus is active in memory, power off the infected system and reboot it from a write-protected diskette that is known to be free of viruses; then during cleanup use only programs that are known not to be infected.
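The two facts a support person can act on from the sections above are the activation condition (a Friday the 13th in any year but 1987) and the growth symptom (each infection adds about 1813 bytes, and the EXE re-infection bug adds it again and again). The following is an added example, not code from the paper, of a simple size-baseline checker built on those two facts; the 16-byte tolerance, the file names and the sizes are constructed for illustration.

```python
from datetime import date

# Growth per infection, as given in the text ("approximately 1813 bytes").
INFECTION_GROWTH = 1813
# Constructed allowance for the "approximately" in the text.
TOLERANCE = 16


def is_activation_date(d: date) -> bool:
    """Trigger condition from the text: a Friday, the 13th, any year but 1987."""
    return d.weekday() == 4 and d.day == 13 and d.year != 1987


def activation_dates(year: int) -> list:
    """Every day in `year` on which a resident 1813 erases programs instead of infecting them."""
    return [d for d in (date(year, m, 13) for m in range(1, 13)) if is_activation_date(d)]


def classify_growth(baseline: int, current: int) -> str:
    """Explain a program's size change against a recorded clean baseline.
    'clean'      : size unchanged
    'infected'   : grew by about one INFECTION_GROWTH (a single infection)
    'reinfected' : grew by several multiples (the EXE re-infection bug described in 1.2.2)
    'changed'    : some other change (a legitimate update, or something to look at by hand)"""
    growth = current - baseline
    if growth == 0:
        return "clean"
    copies = round(growth / INFECTION_GROWTH)
    if copies >= 1 and abs(growth - copies * INFECTION_GROWTH) <= TOLERANCE:
        return "infected" if copies == 1 else "reinfected"
    return "changed"


def check_programs(baseline: dict, current: dict) -> dict:
    """Run classify_growth over the executable objects the virus targets: EXE, COM and overlays."""
    exts = (".EXE", ".COM", ".OVL")
    return {name: classify_growth(size, current.get(name, size))
            for name, size in baseline.items() if name.upper().endswith(exts)}


# Constructed sample: sizes recorded on a known-clean system, then re-measured later.
BASELINE = {"COMMAND.COM": 25307, "EDIT.EXE": 40230, "GAME.EXE": 120000,
            "MENU.OVL": 9120, "README.TXT": 2048}
CURRENT = {"COMMAND.COM": 25307 + 1813, "EDIT.EXE": 40230 + 5 * 1813,
           "GAME.EXE": 120000, "MENU.OVL": 9120 + 600, "README.TXT": 2100}

if __name__ == "__main__":
    for name, verdict in check_programs(BASELINE, CURRENT).items():
        print(f"{name:12} {verdict}")
    print("Activation days in 1989:", [d.isoformat() for d in activation_dates(1989)])
```

A baseline like this must be recorded, and the check run, from a system booted from a write-protected clean diskette, for the same reason the cleanup procedure above gives: a resident virus would infect the checker's own programs as they are run.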
1.2.4 Protection
The 1813 virus is relatively easy to detect and prevent, and virtually every commercial anti-virus product can deal with it. The virus makes no attempt to hide itself, and infected files are easily recognized as such by even the simplest known-virus scanner. Products which load into memory and block unauthorized attempts to alter programs are also generally successful against it. The fact that the virus is still so common is a sign that all too many machines still lack even the simplest protection against computer viruses.