LockUp is a memory resident spawning or companion virus on DOS which infects .EXE programs, and uses some stealth techniques to avoid detection.


When the LockUp virus is memory resident, it attempts to mask the presence of the hidden .COM files in order to avoid detection by anti-virus programs. The programs may not see the hidden files, so no virus will be found. 


The first time a program infected with the LockUp virus is executed, the virus will will install itself memory resident at the top of system memory but below the 640K DOS boundary. It does not move interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,568 bytes. Interrupt 21 will be hooked by LockUp in memory. 

Once the LockUp virus is memory resident, it will infect .EXE programs when they are opened or executed. Infected .EXE programs are not altered, but rather the virus creates a hidden 496 bytes .COM file in the directory with the same base file name. These hidden files always have the file date and time of 3-24-23 2:17a in the DOS disk directory. After the virus has created the hidden file, any time the user attempts to execute the infected .EXE program, the companion .COM program will be executed by DOS. 

The following text strings can be found in the 496 byte companion .COM files created by the LockUp virus: 

Mithrandir III
Community content is available under CC-BY-SA unless otherwise noted.