Loki Virus
Virus Name: Loki
Aliases: Loki-1237, Merde-5
V Status: Rare
Discovered: October, 1992
Symptoms: .COM & .EXE growth; system hangs; decrease in total system &
available free memory
Origin: Unknown
Eff Length: 1,237 - 1,252 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, Sweep, NAV, ViruScan, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
Sweep/N, NProt, AVTK/N, LProt, NAV/N, NShld,
IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Loki, Loki-1237 or Merde-5, virus was received in October, 1992.
Its origin or point of isolation are unknown. Loki is a memory
resident infector of .COM and .EXE programs, including COMMAND.COM.
The first time a program infected with Loki is executed, the Loki
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupts 21 and 71.
Total system and available free memory will have decreased by
approximately 4,336 bytes. It will also infect the copy of
COMMAND.COM pointed to by the COMSPEC environmental variable at this
time if it was not previously infected.
Once the Loki virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected .COM programs will
have a file length increase of 1,237 bytes, while .EXE programs will
increase in size by 1,237 to 1,252 bytes. In both cases the virus
will be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text string can be found near the end of all infected
files:
"Loki"
Systems infected with Loki will experience frequent system hangs
when programs are executed.
Known variant(s) of Loki are:
Loki-354: Loki-354 or Merde-6, is a non-resident, direct action
infector of .COM programs, including COMMAND.COM. Unlike
the Loki virus described above, this virus infects one
.COM file each time an infected program is executed.
Infected files will have a file length increase of 354
bytes with the virus being located at the end of the file.
No text strings are visible within the viral code.
Origin: Unknown October, 1992.
Loki-973: Loki-973 is a memory resident infector of .COM programs
which is based on the Loki virus described above. It
becomes memory resident at the top of system memory but
below the 640K DOS boundary when the first infected program
is executed, hooking interrupts 21 and 71. Once resident,
Loki-973 infects .COM programs when they are executed.
Infected programs will have a file length increase of 973
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory
listing will not be altered. The following text string
is visible within the viral code in all Loki-973 infected
programs:
"Scan me, I LIKE IT!!!!-Loki-nator!"
System hangs frequently occur when .COM programs are
executed.
Origin: Unknown August, 1993.
Loki-1234: Loki-1234 is a memory resident infector of .COM and
.EXE programs which is based on the Loki virus described
above. It becomes memory resident at the top of system
memory but below the 640K DOS boundary when the first
infected program is executed, hooking interrupt 21. Once
resident, Loki-1234 infects .COM and .EXE programs when
they are executed. Infected .COM programs will have a file
length increase of 1,234 bytes. .EXE programs increase in
size by 1,234 to 1,248 bytes. In both cases the virus will
be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are visible within the viral
code in all Loki-1234 infected programs:
"LOKI"
"Loki"
System hangs frequently occur when .COM and .EXE programs
are executed.
Origin: Unknown August, 1993.