Seventh Son Virus
Virus Name: Seventh Son
Aliases: 7th Son, Seventh Son-284, Seventh Son-350
V Status: Rare
Discovered: October, 1991
Isolated: The Netherlands
Symptoms: .COM file growth
Origin: Eastern Europe
Eff Length: 284 or 350 Bytes, depending on variant
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, Sweep, F-Prot, IBMAV, ChAV,
AVTK, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
LProt, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Seventh Son virus is actually two viruses with similar
behavior, both isolated in the Netherlands in October, 1991.
They are believed to have originated in Eastern Europe.
The Seventh Son viruses are direct action infectors of .COM
programs, including COMMAND.COM.
When a program infected with a Seventh Son virus is executed, the
Seventh Son virus will search the current drive and directory for
uninfected .COM files to infect. Each uninfected .COM file
encountered will be infected with the virus. Infected .COM
programs will increase in size by either 284 or 350 bytes, depending
on which of the Seventh Son viruses has infected the system.
There will be no change in the file's date and time in the DOS
disk directory. The following text strings can be found within
infected programs:
"Seventh son of a seventh son"
"*.COM"
Seventh Son does not appear to do anything besides replicate.
Known variant(s) of Seventh Son are:
Seventh Son-284: Seventh Son-284 is a 284 byte version of this
virus.
Seventh Son-332: Seventh Son-332 is a 332 byte virus based on
the Seventh Son virus. It infects all .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 332 bytes with the virus being located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be
altered. The text strings found in the original
Seventh Son viruses are also found in this variant.
Origin: The Netherlands December, 1992.
Seventh Son.334: Seventh Son.334 is a 334 byte virus based on
the Seventh Son virus. It infects all .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 334 bytes with the virus being located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be
altered. The following text strings are visible
within the viral code in all infected files:
"Seventh son of a seventh son"
"*.COM"
Origin: Unknown June, 1996.
Seventh Son-350: Seventh Son-350 is a 350 byte version of this
virus.
Seventh Son.426: Seventh Son.426 is a 426 byte virus based on
the Seventh Son virus. It infects all .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 426 bytes with the virus being located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be
altered. The following text strings are visible
within the viral code in all infected files:
"ARBEIT MACHT FREI!"
"The Unforgiven / Immortal Riot Sweden 01/10/93"
"*.COM"
Origin: Sweden April, 1994.
Seventh Son.440: Seventh Son.440 is a 449 byte virus based on
the Seventh Son virus. It infects all .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 440 bytes with the virus being located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be
altered. The following text strings are visible
within the viral code in all infected files:
"SiGVE v1.0 TP4 Compilation!"
"c:\"
"*.COM"
"command.com"
Origin: Unknown January, 1996.
Seventh Son-473: Seventh Son-473 is a 473 byte virus based on
the Seventh Son virus. It infects all .COM programs
in the current directory when an infected program is
executed. Infected programs will have a file length
increase of 473 bytes with the virus being located
at the end of the file. The program's date and time
in the DOS disk directory listing will not be
altered. The following text strings are visible
within the viral code in all infected files:
"Fight Fire With Fire..."
"*.COM"
"Soon to fill our lungs the hot winds of death"
"The gods are laughing, so take your last breath"
"Immortal Riot..Death Greets me warm.."
Origin: Unknown August, 1993.
Seventh Son.473.B: Functionally equivalent to the Seventh Son-473
variant, this variant has three bytes which differ.
Origin: Unknown July, 1994.
Seventh Son-Kernel: Seventh Son-Kernel, or Kernel, is a 610
byte virus based on the Seventh Son virus. This
virus becomes memory resident at the top of system
memory but below the 640K DOS boundary when the
first infected program is executed, decreasing
total system and available free memory by 8,448
bytes. It hooks interrupt 21. Once resident, it
will infect .COM programs when they are executed.
Infected programs will have a file length
increase of 610 to 624 bytes with the virus
being located at the end of the file. There will
be no change to the file's date and time in the
DOS disk directory listing. One text string can
be found within the viral code in all infected
files:
"KERNEL"
Origin: Unknown July, 1992.
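
The entry gives defenders two indicators: marker strings in the appended tail of a .COM file, and growth by a known number of bytes while the date and time stay unchanged. The following sketch combines both; it is an added example, not part of the original entry. It assumes the strings are stored in the clear exactly as quoted above, uses one distinctive string per variant, and all function names are hypothetical.

```python
"""Flag .COM files that carry the Seventh Son markers listed in this entry."""

# (label, infected-file growth in bytes, marker strings that must all be present)
VARIANTS = [
    ("Seventh Son 284/332/334/350", (284, 332, 334, 350),
     (b"Seventh son of a seventh son", b"*.COM")),
    ("Seventh Son.426", (426,),
     (b"The Unforgiven / Immortal Riot Sweden 01/10/93", b"*.COM")),
    ("Seventh Son.440", (440,), (b"SiGVE v1.0 TP4 Compilation!", b"*.COM")),
    ("Seventh Son-473", (473,), (b"Fight Fire With Fire...", b"*.COM")),
    # Kernel grows files by 610 to 624 bytes; "KERNEL" alone is a weak marker.
    ("Seventh Son-Kernel", tuple(range(610, 625)), (b"KERNEL",)),
]


def scan_tail(data):
    """Return labels of variants whose markers all sit in the appended tail."""
    hits = []
    for label, lengths, markers in VARIANTS:
        tail = data[-max(lengths):]  # the virus is located at the end of the file
        if len(data) > min(lengths) and all(m in tail for m in markers):
            hits.append(label)
    return hits


def growth_match(baseline_size, current_size):
    """Return labels of variants whose length equals the growth since baseline."""
    delta = current_size - baseline_size
    return [label for label, lengths, _ in VARIANTS if delta in lengths]


def assess(data, baseline_size=None):
    """Combine both checks; timestamps are ignored because they do not change."""
    by_string = scan_tail(data)
    by_growth = [] if baseline_size is None else growth_match(baseline_size, len(data))
    confirmed = [v for v in by_string if v in by_growth]
    return {"strings": by_string, "growth": by_growth, "confirmed": confirmed}


if __name__ == "__main__":
    # Constructed sample: 1000-byte host plus a 350-byte tail holding only the markers.
    host = b"\x90" * 1000
    tail = (b"Seventh son of a seventh son" + b"*.COM").ljust(350, b"\x00")
    print(assess(host + tail, baseline_size=len(host)))
    print(assess(host, baseline_size=len(host)))
```

A string hit without a matching size increase, especially the single "KERNEL" marker, is only a lead for further inspection, which is why `assess` reports it separately from `confirmed`.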