💾 Archived View for spam.works › mirrors › textfiles › virus › jeru-dc.vir captured on 2023-06-16 at 21:03:15.


                                                          5 September 1990

David,
      I thought that you may want to see this....Please read it carefully
      and compare notes on what you have and what you have documentation
      for. Please get back to me as soon as possible to discuss the
      situation. This is an analysis that I did today on the strain that I
      D/L'ed from the NCSA Board....Go figure.   ,-)

                                               -Paul


===============================================================================


This analysis was performed under the following circumstances:


Test machine:  AT 80286 Turbo Clone, Phoenix ROM-BIOS version 3.30, 1Mb RAM
               (640 base, 384 extended), Seagate ST-225 21Mb Hard Drive and
               High Density (1.2 Mb) 5.25", 360 Kb Floppy Drive.

Operating System: MS-DOS version 4.01

Memory Mapping Utility: Central Point Software, Inc.,
               "Memory Info", version 5.24

Notes:         Clean, uninfected "goat" files (i.e. .COM and .EXE) were
               introduced into the viral environment for testing purposes.
               The entire testing process is documented, in case you have
               any particular questions.
               McAfee Associates ViruScan version 66b identifies this virus
               as Jerusalem B, but the differences in replication are
               substantial enough to warrant a separate strain
               classification. Comments, etc. are most certainly welcome.


===============================================================================


Virus: Jerusalem-DC
-----  ------------

       (Note - Yep, I stuck the DC strain-tag on this one..it does not possess
       the same characteristics as any other of the documented strains,
       although McAfee's ViruScan ID's it as J-B...  -Paul)

Observations:
-------------

When an infected file is initially executed, the virus loads TSR. This can be
observed with a memory mapping utility (see above). This also reveals that
the infected file <name> has been loaded next TSR. It should also be
noted at this point that the program used to view memory has itself
become infected. File size increases are as follows:

   .COM files - 1813 bytes and will only be infected once. COMMAND.COM will
                not become infected.

   .EXE files - 1820 bytes initially; 1808 bytes upon each subsequent
                infection. (This seems almost inversely proportional to the
                description of Spanish JB, or Jerusalem E2.)

The "Black Box" effect is still apparent approx. 1/2 hour after the virus
is loaded TSR, as it is in the original J-B virus. The usual text string
"uSMsDOS" is not present in this strain.
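As an added illustration that is not part of Paul's memo, the following check compares goat-file sizes recorded on clean media before exposure with the sizes seen afterwards and flags growth that fits the .COM/.EXE deltas documented above; the goat names and byte counts are constructed sample data:

```python
# Added example (not from the memo): flag files whose growth matches the
# Jerusalem-DC size deltas documented above, given a pre-exposure baseline.
from dataclasses import dataclass
from typing import Optional

COM_DELTA = 1813         # .COM: infected once, +1813 bytes
EXE_FIRST_DELTA = 1820   # .EXE: +1820 on first infection
EXE_REPEAT_DELTA = 1808  # .EXE: +1808 on each reinfection


@dataclass
class Finding:
    name: str
    growth: int       # bytes added since baseline
    infections: int   # inferred number of infections


def infer_infections(name: str, baseline: int, current: int) -> Optional[Finding]:
    """Return a Finding if the size growth fits the documented pattern."""
    growth = current - baseline
    upper = name.upper()
    if upper == "COMMAND.COM":
        return None  # the memo states this strain leaves COMMAND.COM alone
    if upper.endswith(".COM"):
        return Finding(name, growth, 1) if growth == COM_DELTA else None
    if upper.endswith(".EXE") and growth >= EXE_FIRST_DELTA:
        rest = growth - EXE_FIRST_DELTA
        if rest % EXE_REPEAT_DELTA == 0:
            return Finding(name, growth, 1 + rest // EXE_REPEAT_DELTA)
    return None


def scan(baseline: dict, current: dict) -> list:
    """Compare goat-file sizes before and after exposure; report matches."""
    findings = []
    for name, size in current.items():
        if name in baseline:
            f = infer_infections(name, baseline[name], size)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample data (hypothetical goat files, not the memo's test set)
BASELINE = {"GOAT.COM": 1024, "GOAT.EXE": 4096, "COMMAND.COM": 37557, "CLEAN.EXE": 2048}
AFTER = {"GOAT.COM": 1024 + 1813, "GOAT.EXE": 4096 + 1820 + 2 * 1808,
         "COMMAND.COM": 37557, "CLEAN.EXE": 2048}

if __name__ == "__main__":
    for f in scan(BASELINE, AFTER):
        print(f"{f.name}: +{f.growth} bytes, {f.infections} infection(s)")
```

Because the memo notes that the memory viewer itself became infected, the baseline sizes must come from a write-protected copy, not from tools run on the exposed machine.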



        Please direct any (more detailed) questions via message to:

                The National Computer Security Association

                                NCSA BBS,
                             Washington, DC.
                             (202) 364-1304
                          300/1200/2400 at 8,N,1

                 (Preferably within the VIRUS Conference.)