Virus.DOS.Lokjaw is a dangerous memory-resident companion / file-infector virus for DOS. The family is characterized by disabling or deleting MSAV and MWAV.

There are 30 variants in 6 versions, represented by the following:

  • Virus.DOS.Lokjaw.482
  • Virus.DOS.Lokjaw.512
  • Virus.DOS.Lokjaw.804
  • Virus.DOS.Lokjaw.874
  • Virus.DOS.Lokjaw.893
  • Virus.DOS.Lokjaw.1041

An additional 11 variants also belong to this family.

Behavior

Lokjaw.482...808, 890, 893, 894 and 898

Once the virus is loaded into memory, it watches for EXE files that are run and then creates a DOS executable with the same name as that program; this companion file is the virus itself.

Lokjaw.804 and 808 set the hidden and system attributes on these companion files, so the user can find them only by running ATTRIB.

Lokjaw.874 and 877

These variants are more dangerous than the others. They search for every DOS executable and rename its extension to "CON", then place companion files under the original filenames and activate immediately.

The companion files are also set as hidden system files.

Before infection:

PROGRAM.COM

After infection:

PROGRAM.COM (hidden, the virus itself)
PROGRAM.CON (the original program)
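
A check for the on-disk pattern shown above, as an added example that is not part of the original page: it parses raw 32-byte FAT directory entries and reports every hidden, system X.COM that has an X.CON beside it. The sample directory, its file sizes and all function names are constructed for illustration.

```python
import struct

ATTR_HIDDEN, ATTR_SYSTEM = 0x02, 0x04   # FAT attribute bits
MASK = ATTR_HIDDEN | ATTR_SYSTEM

def parse_dir(raw):
    """Yield (base, ext, attr, size) from packed 32-byte FAT directory entries."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                        # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] == 0x0F:   # deleted or long-name entry
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        size = struct.unpack_from("<I", entry, 28)[0]
        yield base, ext, entry[11], size

def find_con_pairs(raw):
    """Return (base, size) for each hidden+system X.COM that sits beside an X.CON."""
    by_name = {(b, e): (a, s) for b, e, a, s in parse_dir(raw)}
    hits = []
    for (base, ext), (attr, size) in by_name.items():
        if ext == "COM" and (base, "CON") in by_name and attr & MASK == MASK:
            hits.append((base, size))
    return sorted(hits)

def make_entry(base, ext, attr, size):
    """Build one constructed directory entry for the sample below."""
    e = bytearray(32)
    e[0:8] = base.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

# Constructed sample directory (not taken from a real infected disk).
SAMPLE = b"".join([
    make_entry("PROGRAM", "COM", 0x26, 874),    # hidden + system + archive
    make_entry("PROGRAM", "CON", 0x20, 12000),  # renamed original
    make_entry("EDIT", "COM", 0x20, 413),       # clean, no .CON sibling
    make_entry("NOTES", "CON", 0x20, 50),       # .CON without a .COM
    make_entry("TOOL", "COM", 0x20, 900),       # .CON sibling, but not hidden
    make_entry("TOOL", "CON", 0x20, 900),
])

if __name__ == "__main__":
    for base, size in find_con_pairs(SAMPLE):
        print(f"{base}.COM ({size} bytes, hidden+system) shadows {base}.CON")
```

Reading the directory entries from a disk image rather than from the running system keeps a memory-resident copy of the virus from influencing the result.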

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058

Instead of placing companion files, these variants infect DOS executables while they are resident in memory. Any program infected by Lokjaw.1041 no longer functions properly and hangs the system.

Advanced details

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Lokjaw.482 4,096
Lokjaw.484 4,096
Lokjaw.493 (A and B) 4,096
Lokjaw.495 4,096
Lokjaw.499 4,096
Lokjaw.501 4,096
Lokjaw.507 4,096
Lokjaw.512 1,280
Lokjaw.518 4,096
Lokjaw.520 (plus B) 4,096
Lokjaw.522 4,096
Lokjaw.571 4,096
Lokjaw.804 4,096
Lokjaw.808 4,096
Lokjaw.874 16
Lokjaw.877 16
Lokjaw.890 4,096
Lokjaw.893 4,096
Lokjaw.894 4,096
Lokjaw.898 4,096
Lokjaw.1041 4,096
Lokjaw.1046 4,096
Lokjaw.1047 4,096
Lokjaw.1048 4,096
Lokjaw.1050 4,096
Lokjaw.1052 4,096
Lokjaw.1053 4,096
Lokjaw.1058 4,096

MD5 hash:


Payload

Except for Lokjaw.874 and 877, the virus activates when the user attempts to run MSAV or MWAV.

Lokjaw.482...507, 518...571

These variants hang or even crash the system on activation.

Lokjaw.512

In addition to hanging the system, this variant also destroys the file allocation table.

Lokjaw.804, 808, 890, 894, 1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058

These variants turn the screen black with two lines, an effect that looks like an old TV being switched off, delete that program and hang the system.

Lokjaw.874 and 877

These variants delete the following files by absolute path and then hang the system:

C:\DOS\MSAV.EXE
C:\DOS\MWAV.EXE
C:\DOS\VSAFE.COM (failed)

VSAFE.COM is not actually deleted because of a fault in the execution sequence: the file deletion runs after the files are renamed to the CON extension and before the companion files are dropped, so the operation fails with "File not found".

They also corrupt CMOS memory, causing all settings to be lost.

The system might fail to recognize COMMAND.COM after the second reset as it has been replaced by the virus, and the original program has been renamed to "COMMAND.CON".

Lokjaw.893 and 898

These variants turn the screen black with two lines and hang the system without deleting the program.

Variants

This family has 41 variants in total:

  • Virus.DOS.Lokjaw.482
  • Virus.DOS.Lokjaw.484
  • Virus.DOS.Lokjaw.493 (A and B)
  • Virus.DOS.Lokjaw.495
  • Virus.DOS.Lokjaw.499
  • Virus.DOS.Lokjaw.501
  • Virus.DOS.Lokjaw.507
  • Virus.DOS.Lokjaw.512
  • Virus.DOS.Lokjaw.518
  • Virus.DOS.Lokjaw.520 (plus B)
  • Virus.DOS.Lokjaw.522
  • Virus.DOS.Lokjaw.571
  • Virus.DOS.Lokjaw.804
  • Virus.DOS.Lokjaw.808
  • Virus.DOS.Lokjaw.874
  • Virus.DOS.Lokjaw.877
  • Virus.DOS.Lokjaw.890
  • Virus.DOS.Lokjaw.893
  • Virus.DOS.Lokjaw.894
  • Virus.DOS.Lokjaw.898
  • Virus.DOS.Lokjaw.1041
  • Virus.DOS.Lokjaw.1046
  • Virus.DOS.Lokjaw.1047
  • Virus.DOS.Lokjaw.1048
  • Virus.DOS.Lokjaw.1050
  • Virus.DOS.Lokjaw.1052
  • Virus.DOS.Lokjaw.1053
  • Virus.DOS.Lokjaw.1058
  • Virus.DOS.Lokjaw.Firefly (5 variants)
  • Virus.DOS.Lokjaw.Kenson (2 variants)
  • Virus.DOS.Lokjaw.Pfeiffer.1203
  • Virus.DOS.Lokjaw.Scramble (3 variants)

Other details

If one variant of this virus is already in memory when another variant is run, the new one unloads the previous one and then installs itself into memory.

Lokjaw.482...522 contain the internal text strings:

EXE
COM

Lokjaw.493.a also contains the internal text string:

loulou

Lokjaw.493.b also contains the internal text string:

Arclight

Lokjaw.495 also contains the internal text string:

JKLS CAT

Lokjaw.499 also contains the internal text string:

Good Night

Lokjaw.501 also contains the internal text strings:

SLEEPWALKER
MSDOS6

There exists another 501-byte variant having different internal text strings:

PET CEMETERY
MSDOS6

But this one fails to execute due to the character "Y".

Lokjaw.507 also contains the internal text strings:

Starry Night
Bornio Baby

Lokjaw.512 also contains the internal text string:

[TAIPEI]11-30-1998/BlackJack-XEXE

Lokjaw.518, 520, 520.b and 522 also contain the internal text strings:

Black Knight
Tempest - _ Of Luxenburg

Lokjaw.571 contains the internal text strings:

[ Its the KenSON III virus ]
For My Very Best Friend
By Lobo 435 of Covina CA...

Lokjaw.804, 808, 890 and 894 contain the internal text strings:

EXE
COM
Lokjaw-Zwei

Lokjaw.874 and 877 contain the internal text strings:

The Chomper virus by AITH viral Dept.
*.COM
Lokjaw-Routine
C:\dos\mwav.exe
C:\dos\msav.exe
C:\dos\vsafe.com

Lokjaw.893 and 898 contain the internal text strings:

EXE
COM
Lokjaw-Drei

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058 contain the internal text string:

CDMZ

Lokjaw.1047 and 1052 also contain the internal text strings:

KenSON IV Infection Module  VIRUS
Proto-T Variant  94/Lobo/435
Thanks To Brian! - BF
