Lokjaw Virus


 Virus Name:  Lokjaw 
 Aliases:     Lokjaw-Drei 
 V Status:    Rare 
 Discovered:  March, 1993 
 Symptoms:    .COM files created; decrease in total system & available free 
              memory; noisy disk access & system hang 
 Origin:      Unknown 
 Eff Length:  898  Bytes 
 Type Code:   SRhC - Spawning Resident .EXE Infector 
 Detection Method:  F-Prot, ViruScan, IBMAV, AVTK, Sweep, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete the 898 byte companion files 
 
 General Comments: 
       The Lokjaw, or Lokjaw-Drei, virus was submitted in March, 1993.  Its 
       origin or point of isolation is unknown.  Lokjaw is a memory 
       resident spawning or companion virus which infects .EXE programs by 
       creating 898 byte .COM files.  The Lokjaw virus is based on the 
       Civil War viruses. 
 
       When the first Lokjaw infected program is executed, the Lokjaw 
       virus will become memory resident at the top of system memory but 
       below the 640K DOS boundary, hooking interrupt 21.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 4,096 bytes.  Interrupt 12's return will not be 
       moved. 
 
       Once the Lokjaw virus is memory resident, it will infect .EXE 
       programs when they are executed by creating an 898 byte .COM file 
       with the same base program name.  The actual .EXE program itself 
       will not be altered.  The 898 byte .COM file will have the current 
       system date and time in the DOS directory for the file date and 
       time.  The following text strings are visible within the 898 
       byte companion files containing the Lokjaw viral code: 
 
               "EXE COM (o)" 
               "Lokjaw-Drei" 
 
       Lokjaw will occasionally activate, accessing the hard disk while 
       emitting a scraping noise on the system speaker.  The system will 
       be unresponsive, requiring the user to reboot or reset the system. 
     
       To disinfect a Lokjaw infection, the user should power off the system 
       and boot from a write-protected, uninfected system disk.  The 898 
       byte companion .COM files should then be located and deleted. 
 
       Known variant(s) of Lokjaw are: 
       Lokjaw.518: Received in July, 1995, this is a 518 variant of 
                    the Lokjaw virus described above.  It contains the 
                    following text strings: 
                    "Black Knight" 
                    "EXE COM   " 
                    "Tempest - _Of Luxenburg" 
                    Origin:  Unknown  July, 1995. 
       Lokjaw-Zwei: Received in September, 1993, the Lokjaw-Zwei variant 
                     is an 894 byte version of the virus described above.  It 
                    contains the following text strings: 
                    "[lKW-zW]" 
                    "EXE COM (o)" 
                    "Lokjaw-Zwei" 
                     The Lokjaw-Zwei virus will occasionally clear the 
                    screen, or compress the screen to a 2-line face in the 
                    center of the screen, and then access the hard disk. 
                    The system will be hung and have to be reset. 
                    Origin:  Unknown  September, 1993. 
 
       See:   Civil War 
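
The removal step above (locate the companion .COM files) can be scripted against a mounted copy of the disk. The following is an added example, not part of the original entry: it reports, without deleting, any .COM file that sits beside a same-named .EXE and matches a companion size and text string listed above. The names `SIGNATURES` and `find_companions` are hypothetical.

```python
import os
import sys

# Companion sizes and marker strings taken from the entry above.
SIGNATURES = {
    898: ("Lokjaw-Drei", [b"Lokjaw-Drei", b"EXE COM (o)"]),
    894: ("Lokjaw-Zwei", [b"Lokjaw-Zwei", b"[lKW-zW]"]),
    518: ("Lokjaw.518", [b"Black Knight", b"Tempest - _Of Luxenburg"]),
}

def find_companions(root):
    """Return (path, variant, reason) for suspect .COM companion files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # DOS names are case-insensitive, so compare upper-cased names.
        by_upper = {f.upper(): f for f in files}
        for upper, name in sorted(by_upper.items()):
            base, ext = os.path.splitext(upper)
            # Only a .COM next to a same-named .EXE is a companion candidate.
            if ext != ".COM" or base + ".EXE" not in by_upper:
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if size not in SIGNATURES:
                continue
            variant, markers = SIGNATURES[size]
            with open(path, "rb") as fh:
                data = fh.read()
            # A string match is strong evidence; size alone needs review.
            matched = any(m in data for m in markers)
            reason = "size+string" if matched else "size only"
            hits.append((path, variant, reason))
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, variant, reason in find_companions(root):
        print(f"{path}: possible {variant} companion ({reason})")
```

Run it from a clean boot or against a disk image, since the entry notes the resident virus hooks interrupt 21; a "size only" hit should be inspected by hand before deletion.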
