There are 5 variants in 2 versions, represented by the following:
When the virus is loaded into memory, it hooks INT 21h to infect any DOS executable that is run.
The actual infection size of Lokjaw.Firefly.1096 is 1,106 bytes.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
This virus has two payloads which will be activated after loading into memory.
This is the only harmless variant, it switches the status of NumLock, CapsLock and ScrollLock.
Lokjaw.Firefly.1087, 1096, 1097 and 1107
In addition of switching the status of the key input locks, the virus also detects whether a file to be run or opened has the filename:
If yes, it deletes the file and displays the following message:
Bad Command or file name
Which is same as that in Jerusalem.
Any file having this name in any type will be deleted by the virus when it is opened, in attempt to delete anti-virus files.
This family has 5 variants in total:
Every variant contains the internal text string:
[Firefly] By Nikademus Greetings to Urnst Kouch and the CRYPT stuff.
Lokjaw.Firefly.778 contains the internal text strings:
Happiness in Slavery The land of Rape and Honey
Lokjaw.Firefly.1087 contains the internal text strings:
American Jesus Dont pray on me Recipe for hAte Atomic Garden Its Dead Jim
Lokjaw.Firefly.1096, 1097 and 1107 contain the internal text strings:
Psalm 69 Every day is Halloween Happiness in Slavery The land of Rape and Honey Its Dead Jim