Westwood (computer virus)

From Wikipedia, the free encyclopedia
Westwood
Common name: Westwood
Technical name: Jerusalem.Westwood
Aliases: Jeru.Westwood.1829, Jerusalem-Westwood
Family: Jerusalem
Classification: Virus
Type: DOS
Subtype: DOS file infector
Isolation: August 1990
Point of isolation: Westwood, Los Angeles, California, United States
Point of origin: Unknown
Author(s): Unknown

Westwood is a computer virus, a variant of the Jerusalem family, discovered in August 1990 in Westwood, Los Angeles, California. The virus was isolated by a UCLA engineering student who discovered it in a copy of the "speed.com" program distributed with a new motherboard. Viral infection was first indicated when an early version of Microsoft Word reported an internal checksum failure and failed to run.

Infection

Westwood was an early variant of the Jerusalem virus, which was the first DOS file infector to become common. Upon execution of an infected file, Westwood becomes memory resident. Any file of COM, EXE, or OVL types is infected upon execution, except COMMAND.COM.

Symptoms

A number of symptoms are associated with Westwood:

  • COM files executed will increase by 1,829 bytes in size; EXE and OVL files will increase by between 1,819 and 1,829 bytes.
  • Interrupts 8 and 21 will be hooked; on Friday the 13th, interrupt 22 will also be hooked.
  • Thirty minutes after the virus goes memory resident, the system will slow down, and a small black box will appear in the bottom left-hand corner of the machine's screen, as is common among most Jerusalem variants.

These symptoms do not by themselves indicate a Westwood infection, although the final symptom is certainly not regular program behaviour, and any automatic file size increase of executables is suspicious. The infection mechanism in Westwood is better written than the original Jerusalem's. The original would re-infect files until they grew to ridiculous sizes. Westwood infects only once.
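As an added illustration (not part of the original article), the size-growth symptom can be checked by comparing a stored manifest of executable sizes against the current ones and flagging growth that falls in the ranges listed above. The manifest format, file names and sizes are constructed for the example.

```python
from pathlib import PureWindowsPath

# Growth figures as stated in the article's symptom list.
COM_GROWTH = range(1829, 1830)       # COM: exactly 1,829 bytes
EXE_OVL_GROWTH = range(1819, 1830)   # EXE/OVL: 1,819 to 1,829 bytes
TARGET_EXTS = {".COM", ".EXE", ".OVL"}

def classify(name, old_size, new_size):
    """Return 'westwood-range', 'grew', or None for one file."""
    path = PureWindowsPath(name)
    ext = path.suffix.upper()
    delta = new_size - old_size
    if ext not in TARGET_EXTS or delta <= 0:
        return None
    # The article says COMMAND.COM is never infected by Westwood, so
    # growth there is suspicious but does not fit this variant.
    if path.name.upper() == "COMMAND.COM":
        return "grew"
    expected = COM_GROWTH if ext == ".COM" else EXE_OVL_GROWTH
    return "westwood-range" if delta in expected else "grew"

def compare(baseline, current):
    """Map file name -> verdict for files present in both manifests."""
    findings = {}
    for name, old_size in baseline.items():
        if name in current:
            verdict = classify(name, old_size, current[name])
            if verdict:
                findings[name] = verdict
    return findings

# Constructed sample manifests (file name -> size in bytes).
BASELINE = {r"C:\UTIL\SPEED.COM": 4096, r"C:\WORD\WORD.EXE": 250000,
            r"C:\WORD\WORD.OVL": 60000, r"C:\DOS\COMMAND.COM": 47845,
            r"C:\DOS\EDIT.COM": 413, r"C:\DOS\README.TXT": 1000}
CURRENT = {r"C:\UTIL\SPEED.COM": 5925, r"C:\WORD\WORD.EXE": 251824,
           r"C:\WORD\WORD.OVL": 65000, r"C:\DOS\COMMAND.COM": 47845,
           r"C:\DOS\EDIT.COM": 2232, r"C:\DOS\README.TXT": 2829}

if __name__ == "__main__":
    for name, verdict in compare(BASELINE, CURRENT).items():
        print(f"{verdict:15} {name}")
```

A "westwood-range" verdict only means the growth is consistent with the figures above; any "grew" verdict on an executable still warrants investigation.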

As with most Jerusalem variants, Westwood contains a destructive payload. On every Friday the 13th, interrupt 22 will be hooked. All programs executed on this date while the virus is memory resident will be deleted.

Westwood is functionally similar to Jerusalem, but the coding is quite different in many areas. Because of this, virus removal signatures used to detect the original Jerusalem had to be modified to detect Westwood. Organisations such as Virus Bulletin [1] formerly used Westwood to test virus scanners' ability to distinguish Jerusalem variants.

Prevalence

The WildList [2], an organization tracking computer viruses, never reported Westwood as being in the field. However, it was isolated after the virus had already caused infections in the community of Westwood. It is unknown how much Westwood spread outside California (with a few reports in neighbouring states), especially as Westwood is easily misdiagnosed as Jerusalem.

Since the advent of Windows, even successful Jerusalem variants have become increasingly uncommon. As such, Westwood is considered obsolete.
