Virus Name: 7THSON-2 Virus Type: File Infector Virus (infects .COM files) Virus Length: 284 or 332 or 350 bytes (COM) PC Vectors Hooked: INT 24h Executing Procedure:
1) The virus searches for a .COM file in the current directory.
2) It checks to see whether the file has been infected by 7thson-2. If the file is infected, it continues to look for uninfected files.
3) It then infects all .COM files in the current directory.
4) Finally, it executes the original file. Damage: None Detection Method: Infected files will increase in size by 284 or 332 or 350 bytes.
Note:
1) Doesn't remain resident in memory.
2) 7thson-2 hooks INT 24h when infecting files. Omits I/O errors (such as write protect).
Virus Name: 7thson Virus Type: Memory Resident, File Infector Virus (Companion). Virus Length: 321 or 307 bytes (EXE) PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h Executing Procedure:
1) The virus checks to see whether it is already loaded resident in memory. If it's not, it then loads itself into resident memory by hooking INT 21h.
2) Next, it executes the original file.
3) With itself loaded into resident memory it will infect any uninfected file that is executed. It does not infect .COM files. Damage: When you run an .EXE file, the virus will create a new .COM file with the same name as .EXE file with a length equal to 321 or 307 bytes. Detection Method: Check for COM files with length equal to 321 or 307 bytes. Note: The 7thson virus hooks INT 24h and closes the "control_break" command when infecting files. It omits I/O errors (such as write protect).
Virus Name: 744 Virus Type: Parasitic Virus Virus Length: 744 bytes Symptoms: Increases infected file size by 744 bytes. Destroyed programs will cause computer to crash in most cases. Damage: With the probability of 1:7 the virus will not infect other files but will destroy the infected file. The virus writes the instruction JMP [BP+0] at the start of program. The virus contains an error. It should write JMP F000:FFF0 instruction (computer reboot - same as virus 648), which is 4 bytes from the actual written instruction. Length of destroyed program is not changed. This program contains a virus flag. It reads and writes using DOS interrupts. When the virus finds a program which can be infected, it reads and, without any change, writes to sector number 1 (FAT area). This is not done on the disk C:. It is done as a test of whether the disk is write protected or not.