Jerusalem (computer virus)
from Wikipedia
Jerusalem
Malware details
Aliases
  • Arab Star
  • Friday 13th
  • Israeli
Type: Computer virus
Classification: Unknown
Technical details
Platform: DOS

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987.[1] On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM.[2] COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

The virus code itself hooks into interrupt processing and other low-level DOS services. For example, code in the virus suppresses the printing of console messages if, say, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The Jerusalem virus is unique among other viruses of the time, as it is a logic bomb, set to go off on Friday the 13th in all years but 1987 (making its first activation date 13 May 1988).[3] Once triggered, the virus not only deletes any program run that day,[4] but also infects .EXE files repeatedly until they grow too large for the computer.[5] This particular feature, which was not included in all of Jerusalem's variants, is triggered 30 minutes after the system is infected and significantly slows down the infected computer, thus allowing for easier detection.[5][6] Jerusalem is also known as "BlackBox" because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. Thirty minutes after the virus is activated, this rectangle scrolls up two lines.[5]

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself, though the slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor's timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the 'interrupt 21h' low-level DOS functions that Novell NetWare and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

Aliases

  • 1808(EXE), due to the virus's length of 1808 bytes.
  • 1813(COM), due to the virus's length of 1813 bytes.[7]
  • Friday13th (Note: The name can also refer to two viruses that are unrelated to Jerusalem: Friday-13th-440/Omega and Virus-B), due to its trigger date of Friday the 13th.
  • Hebrew University, as it was discovered by students who attended Hebrew University.[1]
  • Israeli
  • PLO, due to a belief that it was created by the Palestine Liberation Organization to mark May 13, 1948, the day before Israel Independence Day, apparently the last day Palestine existed as a country.[7]
  • Russian
  • Saturday 14
  • sUMsDos, referencing a piece of the virus's code.[7]

Variants

  • Get Password 1 (GP1): Discovered in 1991, this Novell NetWare-specific virus attempts to gather passwords from the NetWare DOS shell in memory upon user login, which it then broadcasts to a specific socket number on the network where a companion program can recover them. This virus does not work on Novell 2.x and newer versions.[5]
  • Suriv Viruses: Viruses that are earlier, more primitive versions of Jerusalem. The Jerusalem virus is considered to be based on Suriv-3, which is a logic bomb triggered when the date is Friday the 13th, switching off the computer on the 13th. In itself, Suriv-3 is based on its predecessors, Suriv-1 and Suriv-2, which are logic bombs triggered on April 1 (April Fools' Day), showing text reading "April 1, ha ha you have a virus!".[3] Suriv-1 infects .COM files and Suriv-2 infects .EXE files, while Suriv-3 infects both types of files. The name of these viruses comes from spelling "virus" backwards.[7]
  • Sunday (Jeru-Sunday): It was discovered in November 1989[8] after a number of simultaneous reports from Seattle, Washington, United States, and surrounding areas. Several other Seattle outbreaks, including AirCop, were later traced to Asia. Sunday is a standard patched Jerusalem variant in the way it infects files. It is a type of program file virus. It infects .EXE, .COM, and .OVL files. Like the original Jerusalem, infected files occasionally become corrupted. Sunday is less easily identified than the original Jerusalem, in part because of corrected errors and in part because its payload is poorly written and fails to execute. The capitalization of "Sunday" is reported variously as "Sunday" or "SunDay", and may depend on the variant. The WildList, an organisation tracking computer viruses, listed Sunday as spreading in various forms from shortly after the list was started until 1998.[9] Like all DOS viruses, Sunday suffered with the debut of Windows. It is now considered obsolete, although the virus was common enough that the use of previously dormant files has resulted in recent infections. However, anything other than a localised outbreak is unlikely.[citation needed]
    • COM and EXE files increase in size (1,636 bytes). COM files increase by a set amount, while EXE files increase by somewhere between that amount and 9 or 10 bytes less. Unlike the original Jerusalem, files will not be infected many times.
    • Interrupt 21 will be hooked.
    • Infected files will contain the string "Today is SunDay! Why do you work so hard? All work and no play make you a dull boy! Come on! Let's go out and have some fun!"
    • Because of an error in coding, the virus fails to execute its payload, intended to set off on Sundays of every year other than 1989. This is to print the previously indicated text on the screen and then delete all files run while the virus is memory resident, as the original Jerusalem did every Friday the 13th.
  • Variants of Sunday
    • Sunday.a: The original Sunday virus.
    • Sunday.b: A version of Sunday which has a functional program-deleting function.
    • Sunday.1.b: An improvement upon Sunday.b which fixes a bug regarding the Critical Error Handler, which causes problems on write-protected disks.
    • Sunday.1.Tenseconds: A variant on Sunday.a which maintains a 10 second delay between messages and sets Sunday as day 0 instead of day 7.
    • Sunday.2: A variant on Sunday.a which grows files by 1,733 bytes instead of the original 1,636 bytes.
  • Anarkia: Anarkia has a trigger date of Tuesday the 13th and uses the self-recognition code "Anarkia".[10]
  • PSQR (1720): PQSR infects .COM and .EXE files, but does not infect overlay files or COMMAND.COM. It causes infected .COM files to grow by 1,720 bytes and .EXE files by 1,719-1,733 bytes. It activates on Friday the 13th, and will delete any file run that day. Garbage is written to the master boot record and the nine sectors after the MBR. The virus uses "PQSR" as its self-recognition code, which is located at the end of the file.[11]
  • Frère: Frère plays Frère Jacques on Fridays.[5] It increases the size of infected .COM files by 1,813 bytes and .EXE files by 1,808-1,822 bytes, but does not infect COMMAND.COM.[12]
  • Westwood (Jerusalem-Westwood; Jeru.Westwood.1829): Westwood causes files to grow by 1,829 bytes. If the virus is memory-resident, Westwood deletes any file run during Friday the 13th.[13] The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard; it was discovered August 1990, in Westwood, Los Angeles, California. Viral infection was first indicated when an early version of Microsoft Word reported internal checksum failure and failed to run. Any file of COM, EXE, or OVL types is infected upon execution, except COMMAND.COM. The infection mechanism in Westwood is better-written than the original Jerusalem's. The original would re-infect files until they grew to ridiculous sizes. Westwood infects only once. As with most Jerusalem variants, Westwood contains a destructive payload. On every Friday the 13th, interrupt 22 will be hooked so that all programs executed on this date while the virus is memory resident will be deleted. Westwood is functionally similar to Jerusalem, but the coding is quite different in many areas. Because of this, virus removal signatures used to detect the original Jerusalem had to be modified to detect Westwood. Organizations such as Virus Bulletin used to use Westwood to test virus scanners for ability to distinguish Jerusalem variants. The WildList never reported Westwood as being in the field. However, its isolation was made after the virus had made infections in the community of Westwood. It is unknown how much Westwood spread outside California (with a few reports in neighbouring states), especially as Westwood is easily mis-diagnosed as Jerusalem. Since the advent of Windows, even successful Jerusalem variants have become increasingly uncommon. As such, Westwood is considered obsolete. Its properties include:
    • COM files executed will increase by 1,829 bytes in size; EXE and OVL files will increase by between 1,819 and 1,829 bytes.
    • Interrupts 8 and 21 will be hooked; on Friday the 13th, interrupt 22 will also be hooked.
    • Thirty minutes after the virus goes memory resident, the system will slow down, and a small black box will appear in the bottom left-hand corner of the machine, as common among most Jerusalem variants.
  • Jerusalem 11-30: This virus infects .COM, .EXE, and overlay files, but not COMMAND.COM. The virus infects programs as they are used, and causes infected .COM files to grow by 2,000 bytes and .EXE files to grow by 2,000-2,014 bytes. However, unlike the original Jerusalem virus, it does not re-infect .EXE files.[14]
  • Jerusalem-Apocalypse: Developed in Italy, this virus infects programs as they are executed, and will insert the text "Apocalypse!!" in infected files. It causes infected .COM files to grow by 1,813 bytes and .EXE to grow by 1,808-1,822 bytes. It can re-infect .EXE files, and will increase the size of already infected .EXE files by 1,808 bytes.[10]
  • Jerusalem-VT1: If the virus is memory-resident, it will delete any file run on Tuesday the 1st.[10]
  • Jerusalem-T13: The virus causes .COM and .EXE files to grow by 1,812 bytes. If the virus is memory-resident, it will delete any program run on Tuesday the 13th.
  • Jerusalem-Sat13: If the virus is memory-resident, it will delete any program run on Saturday the 13th.
  • Jerusalem-Czech: The virus infects .COM and .EXE files, but not COMMAND.COM. It causes infected .COM files to grow by 1,735 bytes and .EXE files to grow by 1,735-1,749 bytes. It will not delete programs run on Friday the 13th. Jerusalem-Czech has a self-recognition code and a code placement that differ from the original Jerusalem, and is frequently detected as a Sunday variant.[10]
  • Jerusalem-Nemesis: This virus inserts the strings "NEMESIS.COM" and "NOKEY" in infected files.[10]
  • Jerusalem-Captain Trips: Jerusalem-Captain Trips contains the strings "Captain Trips" and "SPITFIRE". Captain Trips is the name of the apocalyptic plague described in Stephen King's novel The Stand. If the year is any year other than 1990 and the day is a Friday on or after the 15th, Jerusalem-Captain Trips creates an empty file with the same name as any program run that day. On the 16th Jerusalem-Captain Trips re-programs the video controller, and on several other dates it installs a routine in the timer tick that activates when 15 minutes pass. Jerusalem-Captain Trips has several errors.[10]
  • Jerusalem-J: The variant causes .COM files to grow by 1,237 bytes and .EXE files by about 1,232 bytes. The virus has no "Jerusalem effects", and originates from Hong Kong.[5]
  • Jerusalem-Yellow (Growing Block): Jerusalem-Yellow infects .EXE and .COM files. Infected .COM files grow by 1,363 bytes and .EXE files grow by 1,361-1,375 bytes. Jerusalem-Yellow creates a large yellow box with a shadow in the middle of the screen and the computer hangs.[15]
  • Jerusalem-Jan25: If the virus is memory-resident, it will activate on January 25 and will delete any program run that day. Additionally, it does not re-infect .EXE files.[10]
  • Skism: The virus will activate on any Friday after the 15th of the month, and causes infected .COM files to grow by 1,808 bytes and infected .EXE to grow by 1,808-1,822 bytes. Additionally, it can re-infect .EXE files.[10]
  • Carfield (Jeru-Carfield): The virus causes infected files to grow by 1,508 bytes. If the virus is memory-resident and the day is Monday, the computer will display the string "Carfield!" every 42 seconds.[16]
  • Mendoza (Jerusalem Mendoza): The virus does nothing if the year is 1980 or 1989, but for all other years a flag is set if the virus is memory resident and if the floppy disk motor count is 25. The flag will be set if a program is run from a floppy disk. If the flag is set, every program which runs is deleted. If the flag is not set and 30 minutes pass, the cursor is changed to a block. After one hour, Caps Lock, Num Lock, and Scroll Lock are switched to "Off". Additionally, it does not re-infect .EXE files.[10]
  • Einstein: This is a small variant, only 878 bytes, and infects .EXE files.[5]
  • Moctezuma: This variant virus is 2,228 bytes and is encrypted.[5]
  • Century: This variant is a logic bomb with trigger date of January 1, 2000 that was supposed to display the message "Welcome to the 21st Century". However, no one is sure as to the legitimacy of the virus, as no one has seen it.[5]
  • Danube: The Danube virus is a unique variant of Jerusalem, as it has evolved beyond Jerusalem and only reflects very few parts of it. This virus is a multipartite virus, so it has several methods by which it can infect and spread: disk boot sectors as well as .COM and .EXE files. Because of this, how the virus works is dependent upon the origin of the virus (boot sector or program). When a contaminated program is executed, the virus resides in memory, taking 5 kB. Additionally, it will check if it also resides in the active boot sector and will place a copy of itself there if it was not present before. When a computer is booted from a contaminated boot sector/disk, the virus will place itself in memory before the operating system is even loaded. It reserves 5 kB of DOS base memory, and reserves 5 sectors on any disk it infects.[5]
  • HK: This variant of Jerusalem originates from Hong Kong, and references one of Hong Kong's technical schools in its code.[5]
  • Jerusalem-1767: This virus infects .EXE and .COM files, and will infect COMMAND.COM if it is executed. It causes .COM files to grow by 1,767 bytes and .EXE to grow by 1,767-1,799 bytes. Infected files include the strings "**INFECTED BY FRIDAY 13th**" or "COMMAND.COM".[17]
  • Jerusalem-1663: This virus infects .EXE and .COM files, including COMMAND.COM. Once memory resident, it infects programs as they are run. It causes .COM and .EXE files to grow by 1,663 bytes, but it cannot recognize infected files, so it may re-infect both .COM and .EXE files.[18]
  • Jerusalem-Haifa: This virus infects .EXE and .COM files, but not COMMAND.COM. It causes .COM files to grow by 2,178 bytes and .EXE files to grow by 1,960-1,974 bytes. Its name is due to the Hebrew word for Haifa, an Israeli city, being in the virus code.[19]
  • Phenome: This virus is similar to the Apocalypse variant, but will infect COMMAND.COM. It only activates on Saturdays, and does not allow the user to execute programs. It features the string "PHENOME.COM" and "MsDos".[10]
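
The size-growth figures and marker strings in the list above support a first-pass triage of a suspect file against a known-good baseline size. The following is an added example, not part of the original article: the table is a subset transcribed from this page, `MAX_STACKED` is an assumed cap, and the sample buffers are constructed rather than real infected files.

```python
"""Triage a suspect DOS executable against Jerusalem-family traits.

Growth figures and marker strings are transcribed from the variant list on
this page. Sample buffers are constructed; no virus code is involved.
"""

# name, .COM growth (lo, hi), .EXE growth (lo, hi), marker strings,
# re-infects .EXE files (True only where the page says so)
VARIANTS = [
    ("Jerusalem (original)", (1813, 1813), (1808, 1823), (b"sUMsDos",), True),
    ("Jerusalem-Apocalypse", (1813, 1813), (1808, 1822), (b"Apocalypse!!",), True),
    ("Skism", (1808, 1808), (1808, 1822), (), True),
    ("Frère", (1813, 1813), (1808, 1822), (), False),
    ("Sunday", (1636, 1636), (1626, 1636), (b"Today is SunDay!",), False),
    ("PSQR (1720)", (1720, 1720), (1719, 1733), (b"PQSR",), False),
    ("Westwood", (1829, 1829), (1819, 1829), (), False),
    ("Jerusalem 11-30", (2000, 2000), (2000, 2014), (), False),
    ("Jerusalem-Czech", (1735, 1735), (1735, 1749), (), False),
    ("Jerusalem-Yellow", (1363, 1363), (1361, 1375), (), False),
    ("Jerusalem-1767", (1767, 1767), (1767, 1799),
     (b"**INFECTED BY FRIDAY 13th**",), False),
    ("Jerusalem-Haifa", (2178, 2178), (1960, 1974), (), False),
    ("Jerusalem-Nemesis", None, None, (b"NEMESIS.COM", b"NOKEY"), False),
    ("Jerusalem-Captain Trips", None, None, (b"Captain Trips", b"SPITFIRE"), False),
    ("Anarkia", None, None, (b"Anarkia",), False),
]

MAX_STACKED = 20  # assumption: how many stacked re-infections to consider


def infection_count(growth, lo, hi, reinfects):
    """Return how many stacked infections explain `growth`, or 0 if none.

    A variant that re-infects adds lo..hi bytes each time, so k infections
    add between k*lo and k*hi bytes.
    """
    for k in range(1, (MAX_STACKED if reinfects else 1) + 1):
        if k * lo <= growth <= k * hi:
            return k
    return 0


def triage(kind, baseline_size, data):
    """Rank candidate variants for a file of `kind` ("COM" or "EXE").

    Returns [(variant name, [reasons])], strongest evidence first. A growth
    match alone is weak evidence; short markers such as b"PQSR" are too.
    """
    growth = len(data) - baseline_size
    hits = []
    for name, com, exe, markers, reinfects in VARIANTS:
        reasons = []
        bounds = com if kind == "COM" else exe
        if bounds and growth > 0:
            # The page only describes repeated infection for .EXE files.
            k = infection_count(growth, *bounds, reinfects and kind == "EXE")
            if k:
                reasons.append(f"growth of {growth} bytes = {k} infection(s)")
        reasons += [f"contains {m!r}" for m in markers if m in data]
        if reasons:
            hits.append((name, reasons))
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def make_sample(baseline_size, growth, marker=b""):
    """Constructed stand-in: zero-filled host plus a zero-filled tail."""
    return bytes(baseline_size) + marker + bytes(growth - len(marker))


if __name__ == "__main__":
    # An .EXE that grew by 5,430 bytes, i.e. three stacked infections.
    sample = make_sample(10_000, 5_430, b"sUMsDos")
    for name, reasons in triage("EXE", 10_000, sample):
        print(f"{name}: {'; '.join(reasons)}")
```

Several variants share the same growth figures, so the ranking only narrows the candidates; confirming a specific variant still needs a proper signature scan.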

from Grokipedia
The Jerusalem virus, also known as the Friday the 13th virus or Israeli virus, is a pioneering memory-resident that targeted systems, first detected in October 1987 at the by computer specialist Yisrael Radai. It infects executable (.COM and .EXE) files by appending 1,813 bytes to .COM files or prepending 1,792–1,808 bytes to .EXE files, becoming resident in memory to propagate stealthily while avoiding reinfection of critical system files like . The virus's payload includes system slowdowns—reducing performance by up to 80% or 10 times after 30 minutes of residency—and visual disruptions like scrolling black rectangles on screen, but its most notorious feature is a that activates on every from onward, deleting the contents of any executed program. This destructive behavior, combined with its rapid spread via infected software distributed on floppy disks, led to widespread infections in academic and professional environments during 1988, marking one of the first global virus epidemics and spurring the development of early antivirus tools. Numerous variants emerged, including the "1813" or Jerusalem-B strain with altered signatures like "URI2V21," April Fools' versions that crash systems with humorous messages on April 1st, and others that modified infection triggers or added stealth mechanisms, though the core family retained the original's file-infection and Friday the 13th payload. Its origin remains uncertain but is widely attributed to , possibly as a experiment or prank, and it highlighted vulnerabilities in early PC ecosystems, influencing cybersecurity practices and contributing to the antivirus industry's growth in the late 1980s.

Overview

Description

The Jerusalem virus is a memory-resident file infector that targets executable files on systems, specifically .COM and .EXE files on PC compatibles. Upon execution of an infected file, the loads itself into memory and remains resident, enabling it to infect other executables accessed thereafter while checking to avoid reinfecting already compromised files—though early versions had a bug causing repeated infections of .EXE files. It infects executable files by inserting its code, increasing the size of .COM files by 1,813 bytes and .EXE files by 1,808 to 1,822 bytes depending on header alignment. The original strain of the virus is non-polymorphic, relying on straightforward code replication without or , though some later introduced polymorphic elements such as instruction reordering or simple to evade detection. Designed exclusively for environments, it spreads through file execution and network shares common in academic and professional settings during the late . Its primary payload activates as a on Fridays the 13th (except in 1987), deleting non-system program files such as .EXE and .COM executables while sparing to maintain system functionality. This destructive trigger, combined with the virus's stealthy residency, contributed to its widespread impact, first noted at the , and led to the proliferation of numerous variants over time.

Aliases

The Jerusalem computer virus has been referred to by several primary aliases, including the "Friday the 13th virus," a name derived from its logic bomb payload that activates and deletes executable files on Fridays the 13th. It is also commonly known as the "Israeli virus" or simply "Israeli," reflecting its presumed origin in Israel, and as the "Hebrew University virus," after the location of its initial discovery at the Hebrew University of Jerusalem. Additional early aliases include "Suriv 3.00," the internal name used by its creators, and "1813," based on the 1,813-byte length of its COM file variant. Antivirus vendors have employed variant-specific detection names to identify infections, such as "" by for the original strain and "" for a modified version detected in . These aliases generally stem from the virus's behavioral characteristics, geographic associations, or metrics, with naming conventions varying by vendor to facilitate precise detection and reporting. It is important to distinguish the original family from unrelated later sharing the "Jerusalem" moniker, such as certain Trojans that emerged in the and do not share its file-infection mechanism.

History

Discovery

The Jerusalem virus was first detected in late 1987 at the in , where computer science students Yuval Rakavy and Mann noticed unusual behavior in their systems while running certain programs. Researchers at the university, including the prominent virus expert Yisrael Radai, quickly investigated and confirmed the presence of a self-replicating program infecting executable files. Radai, a professor at the institution, played a key role in the initial identification, reporting on the virus in early 1988 and contributing to early understandings of its mechanics. Initial symptoms included a noticeable slowdown in system performance after the virus loaded into memory, often accompanied by files increasing in size due to appended code, which eventually led to corruption and instability on affected machines. These effects were observed primarily on academic computers, where the virus interfered with routine operations, prompting urgent analysis by the university's computing staff. Early documentation of the threat drew on foundational work by virus researchers such as Fred Cohen, who had pioneered theoretical models of computer viruses in the early 1980s, providing a framework for dissecting the Jerusalem strain's propagation. Additionally, German researcher Bernd Fix had already developed one of the earliest antivirus tools in early to combat similar file-infecting threats, influencing responses to this emerging . The virus earned its name directly from the location of its discovery—the Hebrew University in , —highlighting its ties to the academic environment where it first surfaced. By December 1987, early reports confirmed its spread through floppy disks exchanged within academic networks, as university systems showed widespread infection patterns that disrupted file access and operations. This rapid dissemination via underscored the vulnerabilities in early networked settings, leading to immediate efforts by the affected institution to isolate and document the threat.

Origin and Initial Spread

The Jerusalem computer virus is believed to have been created in 1987, during the nascent era of malware following the release of the virus in 1986. It emerged in an academic context characterized by widespread sharing of floppy disks containing software among university users, a common practice that facilitated early viral propagation. Although no author has been definitively identified, strong evidence points to its development by one or more students or hackers at the , possibly as an experimental project rather than a malicious tool. The virus's initial spread began within Israeli academic circles, likely originating from infected executable files distributed via floppy disks at the Hebrew University, where it was first detected in late 1987. Transmission primarily occurred through the exchange of and programs, such as games and utilities, on these disks, which allowed the virus to infect .COM and .EXE files unnoticed during copying processes. By early 1988, it had propagated beyond through international academic and research networks, reaching universities and institutions in and . This rapid geographic expansion was aided by the era's reliance on for , as email attachments were not yet a viable vector due to limited connectivity. The virus quickly gained traction in educational environments, where floppy disk sharing among students and researchers mirrored the collaborative yet unsecured nature of early computing.

Technical Details

Infection Mechanism

Upon execution of an infected file, the Jerusalem virus loads itself into memory as a terminate-and-stay-resident (TSR) program, occupying approximately 1,808–1,813 bytes (about 1.8 KB) of space. It achieves memory residency by hooking interrupt 21h (INT 21h) to intercept and monitor DOS file access and execution functions (such as function 4B00h for program execution), and interrupt 8h (INT 8h, the timer interrupt) for payload effects, enabling it to infect files during subsequent operations without needing to be explicitly run again. The virus selectively targets .COM and .EXE executable files. To avoid reinfecting files, it checks for specific virus signature strings such as "sUMsDos" or "sURIV" within the file; if present, the file is skipped. This marker ensures the virus does not append multiple times to the same file. For .COM files, the virus adds 1,813 bytes to the end while overwriting the original first three bytes with a 0xE9 jump instruction that redirects execution to the viral code upon launch; the original bytes are stored within the virus for restoration after the host program runs. For .EXE files, it appends 1,792–1,808 bytes to the end of the file and updates the entry point address in the header to point to the virus; it does not adjust the checksum. These modifications preserve the file's executability, time, date, and attributes, making the infection less immediately detectable. Self-protection mechanisms include avoiding infection of critical system files such as to prevent boot failures or system instability, as well as skipping the virus's own to avoid self-modification errors. Additionally, the virus limits the number of infections per session—typically to a small number—to minimize excessive file growth that could alert users or trigger detection through disk space anomalies. 
Propagation occurs opportunistically whenever an uninfected file in the current directory or along the PATH is executed, allowing the virus to spread silently through routine user activities. This mechanism facilitated rapid dissemination via shared floppy disks in the pre-network era, and later through early local area networks, as infected files could transfer the to new systems without additional user intervention.

Payload and Effects

The primary payload of the Jerusalem virus activates exclusively on , deleting the body of any executed .COM or .EXE files—except for —while preserving the file headers, rendering the programs unusable without any on-screen warning. This destructive action is triggered by the virus querying the system date through DOS interrupt 21h (function 2Ah) to verify if the day is the 13th and the weekday is . Beyond this logic bomb, the virus exhibits non-destructive effects that degrade system performance, including progressive file size inflation from repeated infections—particularly .EXE files due to a bug in self-recognition—which can exhaust available disk space over time. Its memory-resident component, hooking the timer interrupt (INT 8h) to insert CPU-wasting loops, contributes to overall slowdowns, with the system potentially operating at approximately one-fifth of normal speed after about 30 minutes of residency. Additionally, during this period, the virus may cause the screen to scroll upward by two lines in , accompanied by the display of a small black rectangle. Infected files are susceptible to instability due to flaws in the virus's ; for example, a bug in the self-recognition routine allows . files to be over-infected, often resulting in crashes upon execution or during relocation attempts by . The virus lacks or sophisticated stealth mechanisms, relying solely on rudimentary checks during infection to avoid self-reinfection. Users faced severe immediate consequences from these effects, including the permanent loss of critical programs and , which typically required full reinstallation from clean floppy disks or media in an era predating routine backups and robust recovery tools.
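
The date checks described for the original strain and its variants can be evaluated over a forensic window to see which payloads would have been armed on a given day. This is an added example, not code from the article: the trigger rules are transcribed from this page, the INT 21h/AH=2Ah weekday numbering (Sunday = 0) is standard DOS behaviour, and the function names are illustrative.

```python
"""Evaluate Jerusalem-family logic-bomb trigger dates over a date range."""
from datetime import date, timedelta

# Day-of-week numbering as returned in AL by INT 21h, AH=2Ah (Sunday == 0).
SUN, MON, TUE, FRI, SAT = 0, 1, 2, 5, 6


def dos_weekday(d):
    """Convert datetime's Monday == 0 numbering to DOS's Sunday == 0."""
    return (d.weekday() + 1) % 7


# Rules as stated on this page; each takes the date and its DOS weekday.
TRIGGERS = {
    "Jerusalem (original)": lambda d, w: w == FRI and d.day == 13 and d.year != 1987,
    "PSQR / Westwood": lambda d, w: w == FRI and d.day == 13,
    "Anarkia / Jerusalem-T13": lambda d, w: w == TUE and d.day == 13,
    "Jerusalem-Sat13": lambda d, w: w == SAT and d.day == 13,
    "Jerusalem-VT1": lambda d, w: w == TUE and d.day == 1,
    "Jerusalem-Jan25": lambda d, w: (d.month, d.day) == (1, 25),
    "Skism": lambda d, w: w == FRI and d.day > 15,
    "Jerusalem-Captain Trips": lambda d, w: w == FRI and d.day >= 15 and d.year != 1990,
    # Intended trigger only: the page notes Sunday's payload fails to execute.
    "Sunday (intended)": lambda d, w: w == SUN and d.year != 1989,
}


def armed_on(d):
    """Names of all listed variants whose trigger condition holds on `d`."""
    w = dos_weekday(d)
    return sorted(name for name, rule in TRIGGERS.items() if rule(d, w))


def trigger_dates(name, start, end):
    """All dates in [start, end] on which the named variant is armed."""
    rule = TRIGGERS[name]
    days = (start + timedelta(n) for n in range((end - start).days + 1))
    return [d for d in days if rule(d, dos_weekday(d))]


def first_trigger(name, start, horizon_days=732):
    """First armed date on or after `start`, or None within the horizon."""
    hits = trigger_dates(name, start, start + timedelta(horizon_days))
    return hits[0] if hits else None


if __name__ == "__main__":
    detected = date(1987, 10, 1)  # month of first detection, per the page
    print("original first armed:", first_trigger("Jerusalem (original)", detected))
    print("armed on 1988-05-13:", armed_on(date(1988, 5, 13)))
```

Running the search from October 1987 shows the effect of the 1987 exclusion: without it the first armed date would have been 13 November 1987 rather than 13 May 1988.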

Variants

Major Variants

The virus family includes numerous variants that emerged primarily in the late and early , adapting the original's file- mechanism while introducing modifications to evasion, , or infection scope. One of the earliest significant strains, Jerusalem-B (also known as the 1813 variant), appeared in early and addressed a flaw in the original by eliminating repeated infections of . files, resulting in a slower but more stable spread; it retained the memory-resident behavior and deletion payload, infecting both .COM and . files while adding approximately 1,813 bytes to .COM files and 1,808 bytes to . files. Jerusalem-C, also from 1988, removed the original's system slowdown effect—such as the screen-scrolling delay after 30 minutes of runtime—to reduce detectability, while maintaining infection of and files and the core . In 1989, Jerusalem-D emerged as a memory-resident variant that infects and files, featuring an altered that targeted the (FAT) for destruction starting in 1990, without the original slowdown effects, thereby increasing potential data loss. Among later strains, the Sunday variant (circa 1988–1989) modified the trigger to activate on , displaying a message discouraging work on the , while preserving file infection of .COM and .EXE files with sizes around 1,631–1,636 bytes. The Danube variant, a multipartite evolution from the late , extended infections to boot sectors in addition to .COM and .EXE files, using about 5 KB of memory as a , though it contained bugs like failure to infect 360 KB diskettes and parameter corruption. Other notable variants include the Einstein strain, which at 878 bytes infects only .EXE files, and the Moctezuma variant, an encrypted strain approximately 2,228 bytes long. 
Most variants shared the core trait of parasitic file infection on DOS systems, with code sizes typically ranging from 1,200 to 2,000 bytes, and some remained compatible with early Windows environments like through DOS emulation; by 2000, antivirus records documented dozens of such derivatives.

Evolution and Differences

The Jerusalem virus, first detected in 1987, underwent significant evolution in its early years, transitioning from a rudimentary memory-resident infector to more sophisticated multi-file targeting mechanisms. Initially, the original strain primarily appended itself to .COM and files but suffered from bugs that led to repeated infections of the same files, making it easily detectable through anomalies and degradation. By 1988-1989, variants emerged that addressed these flaws, shifting toward infecting multiple file types more selectively and incorporating basic stealth techniques, such as masking file length changes to evade early antivirus scanners. These adaptations were responses to the growing awareness and detection tools in academic and research environments, where the virus had spread via floppy disks.

In the mid-1990s, as environments persisted alongside emerging Windows systems, Jerusalem variants continued to evolve primarily within DOS constraints, with some introducing alternative activation triggers beyond the original payload. For instance, certain strains replaced the destructive file deletion with less aggressive effects, such as displaying messages on specific dates like Sundays or January 1, 2000, focusing more on replication than overt damage to prolong undetected spread. The virus's reliance on DOS interrupts limited its functionality on 32-bit Windows systems, resulting in minimal impact beyond DOS emulation environments. Some later variants incorporated routines, such as the Moctezuma strain, to alter code signatures and avoid pattern-based detection.

Key differences from the original Jerusalem strain across its family include variations in severity and stealth capabilities, with over 350 documented variants by the late DOS era, unified by a core code signature despite these modifications. Many reduced destructiveness by omitting file erasure in favor of benign replication or non-lethal , allowing broader without immediate user alarm.

By the early 2000s, the Jerusalem family's evolution stalled due to the obsolescence of 16-bit DOS support in modern operating systems like and beyond, rendering its infection routines incompatible. This decline was exacerbated by the shift in malware focus toward network-aware worms and macro viruses, which better exploited connectivity and office applications, leaving Jerusalem variants confined to legacy systems.
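
The repeated-infection bug described above leaves a measurable trace: file sizes that grow in steps matching the figures this article gives for the original strain (1,813 bytes for a .COM file, 1,808 to 1,823 bytes per pass for an .EXE file). The following is an added illustration, not code from any antivirus product mentioned here; the baseline inventory format, the file names and the sizes are constructed for the example.

```python
# Size-growth figures are the ones this article gives for the original strain.
COM_GROWTH = 1813                             # .COM files grow by this, once
EXE_GROWTH_MIN, EXE_GROWTH_MAX = 1808, 1823   # .EXE growth per infection pass


def exe_reinfection_counts(delta):
    """Return every pass count k for which k infections could add `delta` bytes."""
    if delta < EXE_GROWTH_MIN:
        return []
    # k passes add between k*1808 and k*1823 bytes, so k is bounded both ways.
    k_min = -(-delta // EXE_GROWTH_MAX)   # ceil(delta / 1823)
    k_max = delta // EXE_GROWTH_MIN       # floor(delta / 1808)
    return list(range(k_min, k_max + 1))  # empty when delta falls in a gap


def classify_growth(name, baseline_size, current_size):
    """Compare a file against its recorded baseline size and label the change."""
    delta = current_size - baseline_size
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if delta == 0:
        return "unchanged"
    if ext == "COM" and delta == COM_GROWTH:
        return "suspect: COM grew by 1813 bytes"
    if ext == "EXE":
        counts = exe_reinfection_counts(delta)
        if counts:
            return f"suspect: EXE growth fits at least {counts[0]} infection pass(es)"
    return "changed: growth does not match the documented figures"


def scan(baseline, current):
    """Both arguments map file name -> size in bytes; returns name -> verdict."""
    return {name: classify_growth(name, baseline[name], size)
            for name, size in sorted(current.items()) if name in baseline}


# Constructed sample inventory (not real measurements).
BASELINE = {"EDIT.COM": 9000, "CALC.EXE": 40000, "GAME.EXE": 52000, "NOTES.EXE": 12000}
CURRENT = {"EDIT.COM": 10813, "CALC.EXE": 45440, "GAME.EXE": 52000, "NOTES.EXE": 12500}

if __name__ == "__main__":
    for name, verdict in scan(BASELINE, CURRENT).items():
        print(f"{name:10} {verdict}")
```

A size comparison of this kind only works against the original, non-stealth behaviour: the later variants that mask file length changes, and .EXE files that are infected without growing, pass it unchanged.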

Impact and Legacy

Notable Incidents

The initial outbreak of the Jerusalem virus took place at the Hebrew University of Jerusalem in late 1987, where it infected dozens of computers on campus, causing noticeable slowdowns and requiring students and staff to investigate and remove it. In 1988, the virus triggered its first major global epidemic, spreading rapidly through floppy disk exchanges in academic and professional networks to infect thousands of PCs across Israel, Europe (including UK universities and British Rail systems), and US firms. This outbreak, which activated the virus's destructive payload—deleting executable files—on Friday, May 13, represented the first widespread international computer virus incident, prompting urgent warnings within research communities.

By 1989, further incidents included a significant activation on Friday, January 13, affecting large corporate sites, a small PC hardware vendor in the UK, and individual users, alongside a minor outbreak at the Royal National Institute for the Blind in London that impacted four computers but garnered media attention for potential data loss. The virus also reached government offices in various countries, contributing to its widespread infections primarily through academic and floppy-based sharing.

In the 1990s, variants of the Jerusalem virus continued to circulate, with reports of infections in Asian networks, but no large-scale outbreaks occurred after 2000 as the rise of modern operating systems rendered the DOS-based malware obsolete.

Antivirus Development and Significance

The emergence of the Jerusalem virus in late 1987 prompted rapid advancements in early antivirus software, as its widespread infection of executable files necessitated targeted detection and removal tools. In response to the virus's outbreaks, British programmer Alan Solomon developed Dr. Solomon's Anti-Virus Toolkit in 1988, one of the first commercial antivirus solutions capable of identifying and repairing infections in MS-DOS systems. This toolkit employed signature-based scanning to detect the virus's unique code patterns in .EXE and .COM file headers, setting a foundational approach for subsequent antivirus programs that focused on pattern matching to quarantine threats before activation.

The virus's proliferation significantly influenced the growth of the antivirus industry, accelerating the expansion of established firms and the creation of new ones. John McAfee's company, founded in 1987 to combat earlier threats like the virus, saw substantial growth following the Jerusalem epidemic, as demand surged for reliable scanning software amid reports of infections in thousands of systems worldwide. This event underscored the limitations of basic file checks, highlighting the need for memory-resident antivirus scanners that could monitor system activity in real-time to prevent stealthy infections like Jerusalem's, which hid in RAM after initial execution. By 1989, major vendors including had released their own tools, such as version 1.0 of the IBM Antivirus program, further standardizing proactive defense mechanisms.

Historically, Jerusalem marked a pivotal shift in malware evolution, transitioning from benign experiments like the 1982 —designed as a proof-of-concept on systems—to overtly destructive code with real-world consequences, particularly in academic environments where shared networks amplified its spread. Detected initially at Hebrew University, it caused one of the earliest major epidemics in , infecting enterprises, government offices, and universities across multiple countries and disrupting operations through file deletions on trigger dates. This incident emphasized the malicious intent behind viruses, spurring global awareness and regulatory discussions on computer security.

In terms of legacy, the virus contributed to the adoption of location-based in , as its moniker derived directly from its discovery site in , a practice that became standard under schemes like the Computer Antivirus Research Organization (CARO) guidelines to facilitate consistent identification among researchers. It remains a benchmark in cybersecurity for illustrating MS-DOS-era vulnerabilities, such as the risks of file infections and logic bombs. As of 2025, Jerusalem samples are preserved in malware zoos—curated collections maintained by firms like for research and analysis—though active detections are rare, confined mostly to emulated legacy environments due to its incompatibility with .
