
Jerusalem (computer virus)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Jerusalem
Alias: Friday the 13th
Family: DOS virus
Isolation: 1987
OS: MS-DOS
Type: File and resident memory infector
Language: x86 assembly
Notable work: Corrupting executable files, activation on Fridays

Jerusalem is a notable MS-DOS file-infecting, memory-resident virus, first identified in the late 1980s, that targeted executable files and activated destructive payloads on specific dates. The program became emblematic of early personal-computer malware incidents that affected software distribution, corporate computing, and security research across North America, Europe, and Asia. Its discovery spurred responses from antivirus vendors, academic researchers, and law-enforcement agencies, influencing detection techniques and policy discussions involving computing institutions and technology companies.

History and Origin

The virus was initially discovered in 1987 and associated with outbreaks reported by operators at the University of California, Berkeley, New York University, and commercial bulletin-board systems linked to CompuServe, AOL, and regional computer clubs. Early analyses were performed by researchers at Eugene Kaspersky-era antivirus teams, staff at McAfee, and laboratories including the CERT Coordination Center and private groups in Israel, the United Kingdom, and the Netherlands. Attribution efforts involved investigations by law-enforcement units such as the Federal Bureau of Investigation and national cybercrime units in Australia and Canada, though no definitive perpetrator prosecution was publicly confirmed. The outbreak coincided with increased distribution of shareware and pirated software on physical media, drawing attention from suppliers like Microsoft and hardware manufacturers including IBM and Compaq, who observed infected binaries in retail channels.

Technical Description

Jerusalem is a polymorphic-capable DOS virus written in x86 assembly that infects '.COM' and '.EXE' executable files and installs a resident memory component using DOS interrupt hooks such as INT 21h. After execution, it hooks system services often referenced in technical reports from Symantec and F-Secure analysts, intercepting file-open and execute calls to replicate by appending or prepending infected code. The virus increments a counter on each execution and contains a payload triggered on Fridays that alters file operation behavior and may delete program contents. Its mechanism leverages low-level features of MS-DOS API semantics, chain-loading techniques familiar to developers at Borland and researchers at Bell Labs who studied executable formats. Jerusalem's infection strategy exploited bootstrapping and overlay handling in popular development environments such as Microsoft BASIC and Turbo Pascal used in commercial and academic software projects.

Variants and Evolution

Following the initial strain, numerous variants emerged with modifications to activation dates, file targeting, and obfuscation routines. Known families and revisions were cataloged by vendors at McAfee, Trend Micro, and Kaspersky Lab; some variants preserved the Friday triggering, others altered the destructive behavior or expanded to infect additional file types recognized by projects at FreeBSD ports and third-party utilities. The virus inspired derivative programs distributed via bulletin-board networks maintained by communities around FidoNet and software swap groups that included members from MIT, Stanford University, and European computer societies. Over time, routine polymorphism, encryption stubs, and altered interrupt hooking produced signatures that challenged signature-based engines in the era prior to heuristics developed at ESET and academic work at Carnegie Mellon University.

Impact and Incidents

Jerusalem-related incidents led to widespread file corruption in corporate and academic environments, affecting systems at institutions such as Harvard University computing labs and small businesses using retail software from vendors like Lotus and WordPerfect. Major outbreaks reportedly caused system downtime on Fridays, prompting emergency responses from IT departments at banks and manufacturing firms that relied on MS-DOS-based automation. Media coverage in publications like The New York Times and Wired highlighted the virus as a cautionary example of software distribution risks, influencing procurement and backup policies at organizations including municipal offices and research centers. Economic impact estimates by industry analysts at Gartner and IDC pointed to loss of productivity and remediation costs that propelled demand for commercial antivirus suites.

Detection and Removal

Detection approaches combined signature-based scanning, integrity checking, and behavioral heuristics developed by antivirus vendors and university labs. Tools from companies such as NortonLifeLock and Symantec incorporated pattern matches for Jerusalem's code sequences, while research prototypes at SRI International and Columbia University introduced memory residency scans and interrupt table verification. Removal techniques required disinfecting infected executables and clearing resident memory images via cold-boot procedures or the use of specialized utilities distributed on clean media by vendors and community groups like The Virus Bulletin readership. Best practices adopted by systems administrators at NASA and large enterprises included maintaining multiple backups, write-protecting floppies, and employing file-system monitoring solutions inspired by academic publications from the University of Cambridge and ETH Zurich.
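
The integrity-checking approach mentioned above, as an added example that is not part of the original article or any vendor's tool: it records a known-clean baseline of '.COM' and '.EXE' files and later reports whether a file grew with its original bytes still intact at the start (code appended) or at the end (code prepended). The function names, status labels, and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

TARGET_EXTS = {".com", ".exe"}  # file types the article says are infected


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record (size, SHA-256) of every .COM/.EXE under root while it is known clean."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            data = path.read_bytes()
            baseline[str(path.relative_to(root))] = (len(data), _sha256(data))
    return baseline


def classify(data: bytes, size: int, digest: str) -> str:
    """Compare a file's current bytes with its baseline entry."""
    if len(data) == size and _sha256(data) == digest:
        return "unchanged"
    if len(data) > size:
        # Original bytes intact at the start: something was appended.
        if _sha256(data[:size]) == digest:
            return "grown-appended"
        # Original bytes intact at the end: something was prepended.
        if _sha256(data[len(data) - size:]) == digest:
            return "grown-prepended"
    # Same size with different content, shrunk, or grown with original bytes altered.
    return "modified"


def verify(root: Path, baseline: dict) -> dict:
    """Return {relative path: status} for baselined files and any new executables."""
    report = {}
    for rel, (size, digest) in baseline.items():
        path = root / rel
        report[rel] = classify(path.read_bytes(), size, digest) if path.is_file() else "missing"
    for rel in build_baseline(root):
        report.setdefault(rel, "new")  # executable that was not in the baseline
    return report
```

The baseline has to be stored on write-protected or offline media, since a checker that trusts a manifest on the same writable disk can be defeated by whatever modified the executables.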

Legacy and Cultural References

Jerusalem's notoriety left an imprint on cybersecurity discourse, inspiring sections in textbooks by authors associated with O'Reilly Media and course material at institutions such as the Massachusetts Institute of Technology and the University of Oxford. The virus appears as a case study in documentaries produced by broadcasters like the BBC and in retrospectives by technology journals including IEEE Spectrum. Its name and the Friday activation motif influenced later fictional portrayals of malware in novels and films distributed by companies like Penguin Books and studios referenced in popular culture analyses. The incident contributed to the maturation of the antivirus industry and informed regulatory conversations involving technology standards bodies such as the IETF and professional associations including the ACM.
