J-Infect

Virus Name: J-Infect

Virus Type: Memory Resident, File Infector Virus (.COM and .EXE files)

Virus Length: 12080 bytes

PC Vectors Hooked: INT 21h

Executing Procedure:
1) This is similar to the "JERUSALEM" virus in that it infects the same kinds of files.

Detection Method: Infected file length will increase by 10280 bytes.


Jers-Zero-Aust.A

Virus Type : File Virus

Virus Length : 2000 bytes

Trigger Condition : Year must be 1992 or later, Day must be Friday

Virus Reinfect Type : doesn't reinfect

Virus Memory Type : MCB Type

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus is evidently a softmice type: it encrypts CS:[SI], from 114C:[11E] to 114C:[7AD], by XORing it with 0Eh, then encrypts CS:[SI] again, this time from 115C:[EB] to 115C:[159], XORing it with 1Eh; the 1Eh value increments by 1 and the loop runs until 6Fh. It then saves ES, which is 114Ch, to 4 different locations. It adds 10h to 114Ch and saves the result in CS:[0115], adding it to what is already stored there, and likewise in CS:[0111]. It then copies the data at DS:SI to ES:DI, which are the same, so no replacement is made. It modifies the allocated memory (BX=9Bh, ES=114Ch), then gets the interrupt vector for Int 21h and sets it to hook the interrupt. It gets the date and checks whether the year is 1992 or later and the day is Friday; next, it frees allocated memory, then gets child process; lastly, it terminates and stays resident.

In memory, the virus infects any COM and/or EXE files. It does not load itself again when it is already in memory.

 


Jerusalem

Virus Name: Jerusalem

Aliases: Israeli, Jerusalem.1808.Standard, 1808, 1813 Jeru-3-3, Jerusalem.1808.Critical.

Virus Type: File Infector (.COM and .EXE files)

Virus Length: 1,808 to 1,822 bytes

Interrupt vectors hooked: INT 21h, INT 08h

Infection method: When an infected file runs, the virus loads itself in memory and infects any file that executes, except COMMAND.COM. The virus increases the size of .EXE files by 1,808-1,822 bytes on the first infection and 1,808 bytes with each reinfection. Infected .COM files increase by 1,813 bytes.

Damage: On a Friday the 13th, after the virus has been resident for 30 minutes, it deletes files that are executed. On other days, the virus slows down the system 30 minutes after each infection. It also wipes out an area of the screen, although nothing is displayed. A bug in the virus can cause .EXE files to be infected repeatedly until they become too large to execute.


Jerusalem.1244

Virus Type : File Virus

Virus Length : 1456 bytes

Virus Reinfect Type : doesn't reinfect

Virus Memory Type : MCB Type

Int. Vectors Hooked : Int 21h, Int 8h

Infection Procedure:

1) It modifies the allocated memory (BX=5Eh, ES=114Ch), then gets and sets the interrupt vector to hook Int 21h, and does the same again to hook Int 8h.

2) It gets the date and checks whether it is January 1; if it is, it moves a value of 0h to DS:[0003]; if not, it just compares it immediately to DS:[0003].

3) It restores the address 114Ch to ES, then loads ES with the data stored at ES:[2C]. Then it frees allocated memory, with ES=1043 as the paragraph address of the start of the memory block. Lastly, it gets the child's return code, then terminates and stays resident.


Jerusalem.1500

Virus Type : File Virus

Virus Length : 2160 bytes

Virus Reinfect Type : doesn't reinfect

Virus Memory Type : MCB Type

Int. Vectors Hooked : Int 21h

Infection Procedure:

It sets a new date for the system but the specified date is an incorrect value. Then it modifies the allocated memory BX=80h and ES=114Ch.

 


JOS

Virus Type : File Virus

Virus Infect Type : MBR

Infection Procedure:

It first moves 21CDh in DS:[FE], 14EBh in DS:[100] and 17h in DS:[11E]. Then it loads/executes a program having the control block = 114C:11E and ASCIIZ command line = 114C:0. This execution is unsuccessful. Then it writes characters in teletype mode, with 1Eh as the graphics mode and page 1, displaying:

"Beware the Jabberwock, my son!"
"The jaws that bite, the claw that catch!"
"And hast thou slain the Jabberwock!"
"Come to my arms, my beamish boy!"

Then it loops with FFFFh as the value of CX, which is just a delay, and then executes this code:
MOV GS,DX
CLI
CLD
IN AL,64
TEST AL,04
JNZ D840
D840: SMSW AX
TEST AL,01
JZ D84F
CLI
MOV AL,FE
OUT 64,AL

After executing this code, the machine performs a warm boot.

Symptom :
A message can be seen at address 114C:0239h:

"JABBERW OCKY (.) the first Romanian
Political Virussian
Dhohoho$
Released Date 12-22-1990"

 

 


Jumper

Virus Name: Jumper

Aliases: 2kb

Virus Type: File Infector (.COM and .EXE files, including COMMAND.COM)

Virus Length: 2,048 bytes

When an infected file is first executed in a clean system, the virus will load itself into memory. Total memory will have decreased by 8,336 bytes. Once the virus is memory resident, it will infect .COM and .EXE files as they are executed. Infected files will have a file length increase of 2,048 bytes. The date and time information on infected files will not change.

The text string "BIOS" is located in infected programs.



Junkie.A-1

Virus Name: Junkie.A-1

Aliases: Junkie

Virus Type: File Infector (.COM and .EXE files)

Virus Length: N/A

Interrupt vectors hooked: INT 1Ch and INT 21h

Infection method: The first time an infected file runs, the virus overwrites the hard disk's master boot record. When the system is rebooted (or when it is booted from an infected diskette), the virus loads itself in memory. While loaded, the virus infects any .COM file that executes and any accessed diskettes. The DOS CHKDSK program will show a "total bytes memory" decrease of 3,072 bytes. Infected file length increases by just over 1,000 bytes.

Damage: None known


Joanna

Virus Name: JOANNA

Aliases: None

Virus Type: File Infector

Virus Length: 986 bytes

Executing Procedure:
1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: Virus displays the message "I love you Joanna, Apache...."

Detection Method: Increases infected files size by 986 bytes.

Note: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Jump 4 Joy

Virus Name: JUMP4JOY

Aliases: None

Virus Type: File Infector (.COM files)

Virus Length: 1273 bytes

Executing Procedure:
1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected .COM file that is executed.

Damage: None

Detection Method: Increases infected file size by 1273 bytes.

Note: Loads itself as resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Joshi

Virus Name: Joshi

Aliases: Happy Birthday Joshi

Virus Type: File Infector

Virus Length: N/A

Executing Procedure:
1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h.
2) It then executes the original file.
3) Once it's loaded into resident memory it will infect any uninfected file that is executed.

Damage: Joshi infects every executable file.

Detection Method: The Joshi virus originated in India in June of 1990. It is a very popular virus in India. Joshi remains resident in the boot sector or in the FAT area. Every January 5, the virus displays the message "Type Happy Birthday Joshi." All will return to normal if the user types this message. System memory decreases by 6KB when the virus is resident.

Note: Loads itself resident in memory. An error message appears if an I/O error (such as write protect) occurs.


Joker-3

Virus Name: Joker3

Virus Type: Parasitic Virus (infects .COM files)

Virus Length: 1084 bytes.

PC Vectors Hooked: INT 21h

Executing Procedure:
1) If, after checking, the virus finds that it is not already loaded resident in memory, it loads itself by hooking INT 21h and then executes the host program.
2) If it already resides in memory, it executes the host program directly.

Infecting Procedure: The virus infects files by hooking INT 21h. When INT 21h is executed, all .COM files in the current directory will be infected. When infecting files, the virus does not hook INT 24h so an error message will appear when I/O errors occur.

Damage: None

Detection Method: Infected file length increases by 1084 bytes.


James

Virus Name: James

Virus Type: File Infector (.COM files)

Virus Length: 356 bytes

Executing Procedure: James checks to see whether it is resident in memory. If it is not, the virus stays resident in high memory, then hooks INT 21h and goes back to the original routine.

Vectors Hooked: Hooks INT 21h (AH=4Bh) to infect files. First, it hooks INT 24h to avoid revealing its presence when writing, then checks to see whether the program to be executed is an uninfected .COM file. If it is, the virus proceeds to infect it. Finally, James restores INT 24h.

Damage: None

Detection Method: Infected file size increases by 356 bytes.


Junkie

Virus Name: Junkie

Virus Type: Memory-Resident Multipartite

Virus Length: 512 bytes

Interrupt Vectors Hooked: INT 21h

Infection Process: Once a virus-infected program is run, the virus installs itself in memory as a terminate-and-stay-resident program.

On the system area of the hard disk, the virus copies two 512-byte sectors of code into the first track of the hard disk. The virus then modifies the existing master boot record of the hard disk to read the extra sectors and execute them upon boot-up.

Damage: Junkie adds approximately 1,024 bytes of virus code to the end of the infected file.

Note: The Junkie virus can be detected by VIRUSCAN's /EXT switch with the following string: "26 81 34 ?? 46 46 E2 F7".
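
How a hex scan string with a "??" wildcard byte, such as the one quoted in the note above, is matched against file contents. This is an added example, not VIRUSCAN's own code; the function names and the sample buffers are constructed for illustration.

```python
# Added example: match a hex scan string containing "??" wildcard bytes.
JUNKIE_SCAN_STRING = "26 81 34 ?? 46 46 E2 F7"  # string quoted in the entry above


def parse_scan_string(text):
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None matches any byte."""
    pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
        elif len(token) == 2:
            pattern.append(int(token, 16))  # raises ValueError on bad hex
        else:
            raise ValueError(f"bad scan-string token: {token!r}")
    if not pattern or pattern[0] is None:
        raise ValueError("scan string must start with a fixed byte")
    return pattern


def find_matches(data, pattern):
    """Return every offset in data where the pattern matches."""
    hits = []
    first = bytes([pattern[0]])
    start = data.find(first)
    # Stop once the remaining bytes are too few to hold the whole pattern.
    while start != -1 and start + len(pattern) <= len(data):
        window = data[start:start + len(pattern)]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(start)
        start = data.find(first, start + 1)
    return hits


def scan(data, scan_string=JUNKIE_SCAN_STRING):
    return find_matches(data, parse_scan_string(scan_string))


# Constructed sample buffers (not real virus code): filler bytes with the
# pattern embedded twice, using different values in the wildcard position.
SAMPLE_HIT = (b"\x90" * 5 + bytes.fromhex("268134AB4646E2F7")
              + b"\x00" * 3 + bytes.fromhex("2681340C4646E2F7"))
# Same layout, but the last fixed byte differs, so it must not match.
SAMPLE_CLEAN = b"\x90" * 5 + bytes.fromhex("268134AB4646E2F6") + b"\x26\x81"

if __name__ == "__main__":
    print("hit offsets:", scan(SAMPLE_HIT))
    print("clean offsets:", scan(SAMPLE_CLEAN))
```

A short scan string like this one can also match unrelated data, so a hit marks a file for closer inspection rather than confirming an infection.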




July 4

Virus Name: July 4, Stupid 1

Virus Type: File Infector (.COM files)

Virus Length: 743 bytes

Executing Procedure:
1) If the word at address 0000:01FEh is FFFFh, the virus will not infect any file.
2) When it does infect files, it will infect all uninfected .COM files in the current directory. If the number of infections is less than 2, it will go on to infect .COM files in the upper directory until more than 2 files are infected or until it has reached the root directory. If the current date is July 4 and current time is either 0:00am, 1:00am, 2:00am, 3:00am, 4:00am, or 5:00am, the virus will destroy data on the current diskette.

Detection Method:
1) The date and time of infected files are changed.
2) The byte at 0003h of infected .COM file is 1Ah.
3) Infected .COM files display one of the following messages:
"Abort, Retry, Ignore, Fail?" , "Fail on INT 24"
(2) - "Impotence error reading users disk"
(0) - "Program too big to fit in memory"
(1) - "Cannot load .COMMAND, system halted"
(3) - "Joker!" and "*.com."


Jeff


Virus Name: Jeff

Virus Type: File Infector (.COM files)

Virus Length: 815-820 bytes

Executing Procedure: Jeff searches for an uninfected .COM file in the current directory, then infects it. It only infects one file each time.

Damage: None

Notes:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detection Method: Infected file size increases by 815-820 bytes.


June12

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : EXE & COM files

Trigger Condition : June 12

Place of Origin :

Virus Memory Type : MCB Type

Int. Vectors Hooked : Int 21h

Infection Procedure:

The virus is a TSR program. After the virus is executed it immediately loads itself into memory, where it waits for EXE and/or COM files to infect, except COMMAND.COM. It adds approximately 2660 bytes or more. The infected file, when executed, runs normally. But on a special date, June 12 of any year, it displays a message and plays a tune (i.e., the tune of the Philippine National Anthem). After playing the tune the system resumes normal operation. When infecting on June 12, the same message will be seen and the same tune can be heard.

Damage :

When infecting a file and/or executing an infected file this message can be seen:

"June 12 - the Independence Day of the Philippines"

The Philippine flag can be seen here with the official color

"MABUHAY ANG PILIPINAS"
"Dedicated to Manong Eddie"

At the same time the Philippine National Anthem can be heard.

The tune can't be stopped, even by pressing Ctrl+Break or Ctrl+C.

Note :

The virus makes a smart move by hooking Int 1 and 3 to fool the one debugging it.

 


Junkie.A

Virus Type : File Virus

Other Name :

Virus Length :

Virus Infect Type : COM files, including COMMAND.COM

Trigger Condition :

Place of Origin :

Int. Vectors Hooked : Int 21h & 1Ch

Infection Procedure:

First it encrypts the data from address 114C:[2CCF] to 114C:[30B6] by XORing it with D818h, forming a message:

"Dr White - Sweden 1994"
"VS"
"Junkie Virus - Written in Malmo M01D"

Then it hooks interrupts 1Ch and 21h and infects the master boot record, reading one sector in drive C. When the infected file is executed, the virus first infects COMMAND.COM. After rebooting the system, the virus infects COM files. A virus message can be seen at the end of the file. Approximately 1030 bytes are added to infected files.

Diskettes accessed in an infected system will automatically get infected.