%%File: VIRS0587.TXT
%%Name/Aliases: Novell, Jerusalem variant
%%Platform: PC/MS-DOS
%%Type: Program., 
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR.
%%Damage: Deletes or moves files.
%%Size: 1806-1816
%%See Also: 
%%Notes: This virus can infect Novell lans and defeat LAN privilages. It 
behaves like the Jerusalem B virus in stand alone mode, loads a TSR and 
hooks init 21. In a networked system it hooks init 21 and 8. Once in 
memory, it infects files when they are run. The virus infects NetWare 
2.15C servers from infected nodes, dos server writing without write 
privileges, server deleting without delete privileges.  Server deletion 
can be done from nodes with just ROS privileges (i.e. neither modify 
flags or write). On Friday the 13th, the program deletes any executed 
program instead of infecting it, even from nodew with no delete 
privilages on the server.
  Files increase by a little over 1800 bytes. Date and time stamps 
change on files on a server, even when the node does not have the modify 
privilage. "sUMsDos" string in executable file.   Standard detectors 
will probably see it, it looks like Jeruseleam-B,  "sUMsDos" string in 
virus.  Standard eradicators that can fix Jeruseleam B, though you 
should replace .exe and .com files.