Virus Name: Lucky7
V Status: Viron
Discovered: November, 1994
Symptoms: .COM & .EXE files overwritten; file date/time changes;
message displayed; program corruption
Eff Length: 4,496 or 5,488 Bytes Overwriting
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: Sweep, NAV, ViruScan, NAVDX, AVTK 7.68+,
Sweep/N, NShld, NAV/N, AVTK/N 7.68+
Removal Instructions: Delete & replace infected programs
The Lucky7 virus was received in November, 1994. Its origin or point
of isolation is unknown. Lucky7 is a non-resident overwriting virus
which infects .COM and .EXE files, including COMMAND.COM.
When a program infected with the Lucky7 virus is executed, this
virus will infect all of the .EXE files located in the current
directory. If all of the .EXE files were previously infected by the
virus, it will then infect all of the .COM files located in the
Infected .EXE files will have the first 4,496 bytes of the host file
overwritten by the Lucky7 viral code. If the program was originally
smaller than 4,496 bytes, it will become 4,496 bytes. Otherwise, no
no file length increase will occur. Infected .COM files will have
the first 5,488 bytes overwritten by the viral code, with files
originally smaller than 5,488 bytes becoming 5,488 bytes in length.
In both cases, the file's date and time in the DOS disk directory
listing will be changed to the current system date and time when
infection occurred. The following text strings can be found within
the viral code in all infected programs:
"Program too big to fit in memory"
"Your clone is infected with "Lucky7""
The first and fourth text strings indicated above may be displayed
by the virus when an infected program is executed. The last text
string is from the compiler used by the author of the virus.