Lokjaw


Virus.DOS.Lokjaw is a dangerous memory-resident file companion / infector virus for DOS. The family is characterized by disabling or deleting MSAV and MWAV.

There are 30 variants in 6 versions, represented by the following:

  • Virus.DOS.Lokjaw.482
  • Virus.DOS.Lokjaw.512
  • Virus.DOS.Lokjaw.804
  • Virus.DOS.Lokjaw.874
  • Virus.DOS.Lokjaw.893
  • Virus.DOS.Lokjaw.1041

An additional 11 variants also belong to this family.

Behavior

Lokjaw.482...808, 890, 893, 894 and 898

When the virus is loaded into memory, it searches for EXE executables that are run and then places a DOS executable with the same name as that program, which is the virus itself.

Lokjaw.804 and 808 set the attributes of these companion files to hidden and system, so that the user can find them only by running ATTRIB.

Lokjaw.874 and 877

These variants are more dangerous than the others. They search for every DOS executable, rename its extension to "CON", place companion files under the original filenames, and activate immediately.

The companion files are also set as hidden system files.

Before infection:

PROGRAM.COM

After infection:

PROGRAM.COM (hidden, the virus itself)
PROGRAM.CON (the original program)
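
The two companion layouts described above can be checked for during triage of a DOS volume. This is an added example, not part of the original wiki entry: it assumes the listing is supplied as (directory, filename, FAT attribute byte) tuples, that the companion dropped beside an EXE is a .COM file (DOS resolves .COM before .EXE), and it runs on a constructed sample listing.

```python
from collections import defaultdict

# FAT directory-entry attribute bits
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
HIDDEN_SYSTEM = ATTR_HIDDEN | ATTR_SYSTEM


def find_companions(entries):
    """entries: iterable of (directory, filename, fat_attribute_byte).

    Returns a sorted list of (directory, basename, pattern) findings.
    """
    by_base = defaultdict(dict)
    for directory, name, attr in entries:
        base, _, ext = name.upper().rpartition(".")
        if base:  # skip names without an extension
            by_base[(directory.upper(), base)][ext] = attr

    findings = []
    for (directory, base), exts in by_base.items():
        com_attr = exts.get("COM")
        if com_attr is None:
            continue
        hidden = (com_attr & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
        if "CON" in exts and hidden:
            # Original renamed to .CON with a hidden+system .COM in its place
            findings.append((directory, base, "con-rename"))
        elif "EXE" in exts:
            # .COM shadowing an .EXE of the same name (assumed companion type)
            kind = "hidden-companion" if hidden else "companion"
            findings.append((directory, base, kind))
    return sorted(findings)


# Constructed sample listing (not taken from a real system)
SAMPLE = [
    ("C:\\DOS", "EDIT.COM", 0x20),
    ("C:\\DOS", "COMMAND.COM", 0x26),   # hidden + system + archive
    ("C:\\DOS", "COMMAND.CON", 0x20),
    ("C:\\GAMES", "GAME.EXE", 0x20),
    ("C:\\GAMES", "GAME.COM", 0x26),
    ("C:\\TOOLS", "PKZIP.EXE", 0x20),
    ("C:\\TOOLS", "PKZIP.COM", 0x20),
    ("C:\\TOOLS", "README.TXT", 0x20),
]

if __name__ == "__main__":
    for finding in find_companions(SAMPLE):
        print(*finding)
```

A plain "companion" finding is a triage lead that needs file inspection; the hidden+system cases match the attribute behavior the page attributes to Lokjaw.804, 808, 874 and 877.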

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058

Instead of placing companion files, these variants infect DOS executables when they are in memory. For Lokjaw.1041, any program infected by this variant will no longer function properly and will cause a system hang.

Memory usage

The following table shows the memory usage of the variants.

| Variant | Memory usage (bytes) |
|---|---|
| Lokjaw.482 | 4,096 |
| Lokjaw.484 | 4,096 |
| Lokjaw.493 (A and B) | 4,096 |
| Lokjaw.495 | 4,096 |
| Lokjaw.499 | 4,096 |
| Lokjaw.501 | 4,096 |
| Lokjaw.507 | 4,096 |
| Lokjaw.512 | 1,280 |
| Lokjaw.518 | 4,096 |
| Lokjaw.520 (plus B) | 4,096 |
| Lokjaw.571 | 4,096 |
| Lokjaw.804 | 4,096 |
| Lokjaw.808 | 4,096 |
| Lokjaw.874 | 16 |
| Lokjaw.877 | 16 |
| Lokjaw.890 | 4,096 |
| Lokjaw.893 | 4,096 |
| Lokjaw.894 | 4,096 |
| Lokjaw.898 | 4,096 |
| Lokjaw.1041 | 4,096 |
| Lokjaw.1046 | 4,096 |
| Lokjaw.1047 | 4,096 |
| Lokjaw.1048 | 4,096 |
| Lokjaw.1050 | 4,096 |
| Lokjaw.1052 | 4,096 |
| Lokjaw.1053 | 4,096 |
| Lokjaw.1058 | 4,096 |

Payload

Except for Lokjaw.874 and 877, the virus activates when the user attempts to run MSAV or MWAV.

Lokjaw.482...507, 518...571

These variants hang or even crash the system on activation.

Lokjaw.512

In addition to hanging the system, this variant also destroys the file allocation table.

Lokjaw.804, 808, 890, 894, 1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058

These variants turn the screen black with two lines, which looks like an old TV being turned off, delete that program and hang the system.

Lokjaw.874 and 877

These variants delete the following files by absolute path, then hang the system:

C:\DOS\MSAV.EXE
C:\DOS\MWAV.EXE
C:\DOS\VSAFE.COM (failed)

VSAFE.COM is not actually deleted because of a fault in the execution sequence: the file deletion is executed after the files are renamed to the CON extension and before the companion files are dropped, resulting in a "File not found" error during this operation.

They also corrupt CMOS memory, causing all settings to be lost.

The system might fail to recognize COMMAND.COM after the second reset as it has been replaced by the virus, and the original program has been renamed to "COMMAND.CON".

Lokjaw.893 and 898

These variants turn the screen black with two lines and hang the system without deleting the program.

Variants

This family has 41 variants in total:

  • Virus.DOS.Lokjaw.482
  • Virus.DOS.Lokjaw.484
  • Virus.DOS.Lokjaw.493 (A and B)
  • Virus.DOS.Lokjaw.495
  • Virus.DOS.Lokjaw.499
  • Virus.DOS.Lokjaw.501
  • Virus.DOS.Lokjaw.507
  • Virus.DOS.Lokjaw.512
  • Virus.DOS.Lokjaw.518
  • Virus.DOS.Lokjaw.520 (plus B)
  • Virus.DOS.Lokjaw.522
  • Virus.DOS.Lokjaw.571
  • Virus.DOS.Lokjaw.804
  • Virus.DOS.Lokjaw.808
  • Virus.DOS.Lokjaw.874
  • Virus.DOS.Lokjaw.877
  • Virus.DOS.Lokjaw.890
  • Virus.DOS.Lokjaw.893
  • Virus.DOS.Lokjaw.894
  • Virus.DOS.Lokjaw.898
  • Virus.DOS.Lokjaw.1041
  • Virus.DOS.Lokjaw.1046
  • Virus.DOS.Lokjaw.1047
  • Virus.DOS.Lokjaw.1048
  • Virus.DOS.Lokjaw.1050
  • Virus.DOS.Lokjaw.1052
  • Virus.DOS.Lokjaw.1053
  • Virus.DOS.Lokjaw.1058
  • Virus.DOS.Lokjaw.Firefly (5 variants)
  • Virus.DOS.Lokjaw.Kenson (2 variants)
  • Virus.DOS.Lokjaw.Pfeiffer.1203
  • Virus.DOS.Lokjaw.Scramble (3 variants)

Other details

When a variant of this virus is already in memory and another variant is run, the new one unloads the previous one and then installs itself into memory.

Lokjaw.482...522 contain the internal text strings:

EXE
COM

Lokjaw.493.a also contains the internal text string:

loulou

Lokjaw.493.b also contains the internal text string:

Arclight

Lokjaw.495 also contains the internal text string:

JKLS CAT

Lokjaw.499 also contains the internal text string:

Good Night

Lokjaw.501 also contains the internal text strings:

SLEEPWALKER
MSDOS6

Another 501-byte variant exists with different internal text strings:

PET CEMETERY
MSDOS6

But this one fails to execute due to the character "Y".

Lokjaw.507 also contains the internal text strings:

Starry Night
Bornio Baby

Lokjaw.512 also contains the internal text string:

[TAIPEI]11-30-1998/BlackJack-XEXE

Lokjaw.518, 520, 520.b and 522 also contain the internal text strings:

Black Knight
Tempest - _ Of Luxenburg

Lokjaw.571 contains the internal text strings:

[ Its the KenSON III virus ]
For My Very Best Friend
By Lobo 435 of Covina CA...

Lokjaw.804, 808, 890 and 894 contain the internal text strings:

EXE
COM
Lokjaw-Zwei

Lokjaw.874 and 877 contain the internal text strings:

The Chomper virus by AITH viral Dept.
*.COM
Lokjaw-Routine
C:\dos\mwav.exe
C:\dos\msav.exe
C:\dos\vsafe.com

Lokjaw.893 and 898 contain the internal text strings:

EXE
COM
Lokjaw-Drei

Lokjaw.1041, 1046, 1047, 1048, 1050, 1052, 1053 and 1058 contain the internal text string:

CDMZ

Lokjaw.1047 and 1052 also contain the internal text strings:

KenSON IV Infection Module  VIRUS
Proto-T Variant  94/Lobo/435
Thanks To Brian! - BF
