Westwood was an early variant of the Jerusalem virus, which was the first DOS file infector to become common. Upon execution of an infected file, Westwood becomes memory resident. Any file of COM, EXE, or OVL types is infected upon execution, except COMMAND.COM.
A number of symptoms are associated with Westwood:
- COM files executed will increase by 1,829 bytes in size; EXE and OVL files will increase by between 1,819 and 1,829 bytes.
- Interrupts 8 and 21 will be hooked; on Friday the 13th, interrupt 22 will also be hooked.
- Thirty minutes after the virus goes memory resident, the system will slow down, and a small black box will appear in the bottom left-hand corner of the machine, as common among most Jerusalem variants.
These symptoms are not indicative of a Westwood infection, although the final symptom is certainly not regular program behaviour, and any automatic file size increase of executables is suspicious. The infection mechanism in Westwood is better-written than the original Jerusalem's. The original would re-infect files until they grew to ridiculous sizes. Westwood infects only once.
As with most Jerusalem variants, Westwood contains a destructive payload. On every Friday the 13th, interrupt 22 will be hooked. All programs executed on this date while the virus is memory resident will be deleted.
Westwood is functionally similar to Jerusalem, but the coding is quite different in many areas. Because of this, virus removal signatures used to detect the original Jerusalem had to be modified to detect Westwood. Organisations such as Virus Bulletin used to use Westwood to test virus scanners for ability to distinguish Jerusalem variants.