When an infected file is executed, the virus modifies the partition
table in the master boot sector and creates a new active partition
where the virus resides. This means that you should not use the
FDISK /MBR command to try to disinfect this virus. This also means
that the hard drive partitions are not visible after a clean floppy
When an infected machine is booted, the virus stays memory resident
and infects COM and EXE files when they are accessed. Jackal tunnels
DOS and BIOS interrupts to bypass virus monitors.
Jackal is also able to survive a warm reboot done by pressing
Ctrl-Alt-Del. To boot clean you have to power down.
Jackal contains an activation routine, which overwrites part of
the hard drive. This routine seems to be called by random.
Jackal gets its name from a string inside the virus body.
There are several variants known, 3101, 3118 and 3120 bytes in size.
McAfee Scan has had a false alarm of Jackal on hard drives with the
OnTrack Disk Manager v6.03b software installed.
[Analysis: Mikko Hypponen, F-Secure]