Jerusalem.998

   
     _________________________________________________________________
   

                    - C.A.R.O. Analysis | Jerusalem.998 virus -


Name.............: Jerusalem.998
Aliases..........: None
Targets..........: COM, EXE
Resident.........: Low
Memory_Size......: 1280 bytes
Storage_Size.....: 998 (COM), 1088 + Rounding (EXE)
Where............: Prepending(COM), Appending(EXE)
Stealth..........: None
Polymorphic......: None
Tunneling........: None
Infectivity......: 4
Obviousness......: None
Commonness.......: 1
Commonness_Date..: 1995-05-18
Transient_Damage.: None
T_Damage_Trigger.: None
Permanent_Damage.: None
P_Damage_Trigger.: None
Side_Effects.....: If it is not the last TSR to hook interrupt 21h, on
                   executing infected COM programs it could cause a system
                   crash.
Infection_Trigger: Exec
                      AND
                   (Disk_Free_Space >= 1088)
                      AND
                   (FileName_Checksum  66h and
                    FileName_Checksum XOR 56h  0)
Msg_Displayed....: None
Msg_Not_Displayed: None
Interrupts_Hooked: 21/0E, 21/DD, 21/4B00, 24
Selfrec_In_Memory: INT 21h; AH = 0Eh -> AH = 3
Selfrec_On_Disk..: File[12h].WORD = 4B00h
Limitations......: None
Comments.........: File name checksum is performed on the last 8 letters,
                   converted in uppercase.
                   The virus does not infect EXE files with overlays.
Analysis_By......: Paolo Monti - AVP Technical support/sales (I.C.A.R.O)
Documentation_By.: Paolo Monti - AVP Technical support/sales (I.C.A.R.O)
Entry_Date.......: 1995-05-18
Last_Modified....: 1995-05-19
See_Also.........: Jerusalem Family
End..............:

   
     _________________________________________________________________
   
   &copy; Copyright 1995 Paolo Monti
   
   GV040695
