Threat Encyclopedia


Win32/Jlok.A

Jlok.A is a virus that infects files on the local system and spreads via removable media. It can carry an attached Microsoft Word document; after it executes, it removes itself from the infected file and leaves only the original document.
It infects other documents located in the user's Desktop and My Documents folders. It may also remove all installed printers from the system and shut down the infected computer.

Note: In the following text, %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %SysDir% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); both differ between versions of Microsoft Windows.

Details

When run, it copies itself onto the infected system as:

%SysDir%\ntldrt.exe
%SysDir%\shellbit32.exe

These files are then executed automatically during system start-up from the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run shell32 = C:\WINDOWS\System32\ntldrt.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run sysclx = C:\WINNT\System32\ntldrt.exe

It creates a mutex called "mylove".

It can recursively delete the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print together with its Printers subkey, which removes all installed printers. It can also initiate a system shutdown.

Spreading

It reads the locations of the Desktop and My Documents folders from the registry and infects all documents within these folders and their subfolders. The file extension of each infected document is changed from .doc to .exe. When an infected document is later executed, the virus removes itself from it and restores the original document. The same activity is performed on all removable media drives up to drive N:

It also monitors all open windows and, upon detecting one that displays the contents of a 3.5" floppy drive, it starts infecting that drive.
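A defender-side triage check for the indicators described above (the Run values, the dropped file names and the .doc files renamed to .exe), written as an added example that is not part of the original entry. It runs offline on constructed `reg query` output and a constructed file listing; the sample data and the benign OneDrive entry are constructed for illustration.

```python
"""Offline triage helper for the Win32/Jlok.A indicators (added example); on a live host feed it real `reg query` output."""
import ntpath
import re

# Indicators taken from the write-up: Run value names and dropped file names.
JLOK_VALUE_NAMES = {"shell32", "sysclx"}
JLOK_FILE_NAMES = {"ntldrt.exe", "shellbit32.exe"}
# `reg query` prints one value per line as: <name> <REG_type> <data>, indented.
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def _image_name(data: str) -> str:
    """Lower-case file name of the executable in a Run value (quoted or not)."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def suspicious_run_entries(reg_query_output: str) -> list[dict]:
    """Return Run values whose name or image file matches Jlok.A's indicators."""
    hits, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):  # key header line printed before its values
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and (m.group(1).lower() in JLOK_VALUE_NAMES
                  or _image_name(m.group(3)) in JLOK_FILE_NAMES):
            hits.append({"key": current_key, "name": m.group(1), "data": m.group(3).strip()})
    return hits

def suspicious_documents(paths: list[str]) -> list[str]:
    """Flag .exe files under Desktop or My Documents, where Jlok.A renames .doc to .exe."""
    flagged = []
    for p in paths:
        parts = {part.lower() for part in ntpath.normpath(p).split("\\")}
        if parts & {"desktop", "my documents"} and p.lower().endswith(".exe"):
            flagged.append(p)
    return flagged

# Constructed sample data, modelled on the registry entries and folders described in the entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    shell32     REG_SZ    C:\WINDOWS\System32\ntldrt.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    sysclx      REG_SZ    C:\WINNT\System32\ntldrt.exe
"""
SAMPLE_FILES = [r"C:\Documents and Settings\alice\Desktop\budget.exe",
                r"C:\Documents and Settings\alice\My Documents\notes.doc",
                r"C:\Documents and Settings\alice\My Documents\Archive\report.exe",
                r"C:\Program Files\Tool\tool.exe"]
```

A flagged .exe in a document folder is only a lead: confirm it by checking whether the file is a Word document carrying the executable rather than a legitimately placed program.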

Precaution

While infecting Microsoft Word documents, the virus turns them into executable files, but the icon remains identical to that of a document. Therefore, if the "hide known file extensions" setting is turned on (it is by default), users have no way to tell whether they are dealing with a real document or a disguised virus.

To disable the "hide known file extensions" feature, please do the following:

  1. Click on Start menu -> Control panel -> Folder options.
  2. Open the tab View.
  3. Find the setting 'hide known file extensions' and uncheck it.

Detection of this sample has been included since version 1.984.