Lucky7 Virus

Virus Name: Lucky7 Aliases: V Status: Viron Discovered: November, 1994 Symptoms: .COM & .EXE files overwritten; file date/time changes; message displayed; program corruption Origin: Unknown Eff Length: 4,496 or 5,488 Bytes Overwriting Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector Detection Method: Sweep, NAV, ViruScan, NAVDX, AVTK 7.68+, Sweep/N, NShld, NAV/N, AVTK/N 7.68+ Removal Instructions: Delete & replace infected programs General Comments: The Lucky7 virus was received in November, 1994. Its origin or point of isolation is unknown. Lucky7 is a non-resident overwriting virus which infects .COM and .EXE files, including COMMAND.COM. When a program infected with the Lucky7 virus is executed, this virus will infect all of the .EXE files located in the current directory. If all of the .EXE files were previously infected by the virus, it will then infect all of the .COM files located in the directory. Infected .EXE files will have the first 4,496 bytes of the host file overwritten by the Lucky7 viral code. If the program was originally smaller than 4,496 bytes, it will become 4,496 bytes. Otherwise, no no file length increase will occur. Infected .COM files will have the first 5,488 bytes overwritten by the viral code, with files originally smaller than 5,488 bytes becoming 5,488 bytes in length. In both cases, the file's date and time in the DOS disk directory listing will be changed to the current system date and time when infection occurred. The following text strings can be found within the viral code in all infected programs: "Program too big to fit in memory" "*.exe" "*.com" "Your clone is infected with "Lucky7"" "Runtime error" The first and fourth text strings indicated above may be displayed by the virus when an infected program is executed. The last text string is from the compiler used by the author of the virus.