5 September 1990

David,

I thought that you may want to see this....Please read it carefully and compare notes on what you have and what you have documentation for. Please get back to me as soon as possible to discuss the situation.

This is an analysis that I did today on the strain that I D/L'ed from the NCSA Board....Go figure. ,-)

-Paul

===============================================================================

This analysis was performed under the following circumstances:

Test machine: AT 80286 Turbo Clone, Phoenix ROM-BIOS version 3.30, 1Mb RAM (640 base, 384 extended), Seagate ST-225 21Mb Hard Drive and High Density (1.2 Mb) 5.25", 360 Kb Floppy Drive.

Operating System: MS-DOS version 4.01

Memory Mapping Utility: Central Point Software, Inc., "Memory Info", version 5.24

Notes: Clean, uninfected "goat" files (i.e. .COM and .EXE) were introduced into the viral environment for testing purposes. The entire testing process is documented, in case you have any particular questions. McAfee Associates ViruScan version 66b identifies this virus as Jerusalem B, but the differences in replication are substantial enough to warrant a separate strain classification. Comments, etc. are most certainly welcome.

===============================================================================

Virus: Jerusalem-DC
-----  ------------

(Note - Yep, I stuck the DC strain-tag on this one..it does not possess the same characteristics of any other of the documented strains, although McAfee's ViruScan ID's it as J-B... -Paul)

Observations:
-------------

When an infected file is initially executed, the virus loads TSR. This can be observed with a memory mapping utility (see above). This also reveals that the infected file has been loaded next TSR. It should also be annotated at this point that the program that was used to view memory at this point has, too, become infected.

File size increases are as follows:

.COM files - 1813 bytes and will only be infected once. COMMAND.COM will not become infected.

.EXE files - 1820 bytes initially; 1808 bytes upon each subsequent infection. (This seems almost inversely proportional to the description of Spanish JB, or Jerusalem E2.)

The "Black Box" effect is still apparent approx. 1/2 hour after the virus is loaded TSR, as it is in the original J-B virus.

The usual text string "uSMsDOS" is not present in this strain.

Please direct any (more detailed) questions via message to:

The National Computer Security Association
NCSA BBS, Washington, DC.
(202) 364-1304
300/1200/2400 at 8,N,1
(Preferably within the VIRUS Conference.)
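
An added example, not part of the original analysis: a goat-file size audit that checks recorded file growth against the increases reported above (1813 bytes for .COM; 1820 then 1808 bytes for .EXE). The function names, file names and sample sizes are constructed for illustration.

```python
"""Classify goat-file growth against the size increases reported in the analysis."""

COM_GROWTH = 1813   # .COM files: infected once only
EXE_FIRST = 1820    # .EXE files: first infection
EXE_REPEAT = 1808   # .EXE files: each subsequent infection


def classify_growth(name, clean_size, current_size):
    """Return (verdict, infection_count) for one goat file.

    verdict is 'clean', 'match' (growth fits the reported pattern) or
    'unexplained' (the size changed, but not by the reported amounts).
    """
    delta = current_size - clean_size
    if delta == 0:
        return ("clean", 0)
    upper = name.upper()
    # The analysis reports that COMMAND.COM is never infected, so any
    # change to it is not explained by this strain.
    if upper == "COMMAND.COM":
        return ("unexplained", 0)
    if upper.endswith(".COM"):
        return ("match", 1) if delta == COM_GROWTH else ("unexplained", 0)
    if upper.endswith(".EXE") and delta >= EXE_FIRST:
        extra, remainder = divmod(delta - EXE_FIRST, EXE_REPEAT)
        if remainder == 0:
            return ("match", 1 + extra)
    return ("unexplained", 0)


def audit(baseline, observed):
    """Compare two {filename: size} maps and report on every baseline file."""
    report = {}
    for name, clean_size in baseline.items():
        if name not in observed:
            report[name] = ("missing", 0)
        else:
            report[name] = classify_growth(name, clean_size, observed[name])
    return report


# Constructed sample data: sizes recorded before and after exposure.
BASELINE = {"GOAT1.COM": 1000, "GOAT2.EXE": 4096, "GOAT3.EXE": 4096, "COMMAND.COM": 37557}
OBSERVED = {"GOAT1.COM": 2813, "GOAT2.EXE": 5916, "GOAT3.EXE": 9532, "COMMAND.COM": 37557}

if __name__ == "__main__":
    for name, (verdict, count) in sorted(audit(BASELINE, OBSERVED).items()):
        print(f"{name:12} {verdict:12} infections={count}")
```

A size match is only a triage signal; a file flagged "unexplained" has still changed and needs inspection.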