Siskin Virus


 Virus Name:  Siskin 
 Aliases:     Sistkin-948 
 V Status:    Rare 
 Discovered:  July, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              free memory; system hangs; file corruption 
 Origin:      USSR 
 Eff Length:  948 - 956 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, ViruScan, F-Prot, IBMAV, AVTK, PCScan, 
                    NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Siskin, or Siskin-948, virus was received in July, 1992 along 
       with two variants of the virus.  These viruses are from the USSR. 
       Siskin is a memory resident infector of .COM and .EXE programs, 
       including COMMAND.COM.  On XT class machines, the viruses in this 
       family will destroy or corrupt the files they infect. 
 
       The first time a program infected with the Siskin virus is executed, 
       the Siskin virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  It does not move 
       interrupt 12's return.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will have decreased by 960 
       bytes.  Interrupts 1C and 21 will be hooked by Siskin in memory. 
 
       Once the Siskin virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will usually have a file length increase of 948 
       bytes, though occassionally a program will increase in size by up 
       to 956 bytes.  The virus will be located at the end of the infected 
       file.  The program's date and time in the DOS disk directory listing 
       will not be altered. 
 
       Frequent system hangs may be experienced on infected systems, 
       especially once the boot copy of COMMAND.COM becomes infected. 
 
       Known variant(s) of Siskin are: 
       Siskin.511: Received in January, 1996, Siskin.511 is a 511 byte 
           variant of the Siskin virus described above.  Its size in memory 
           is 1,280 bytes, hooking interrupt 21.  Once memory resident, it 
           will infect .COM and .EXE files when they are executed.  Programs 
           infected with this variant will have a file length increase of 
           511 bytes, with the virus being located at the end of file.  The 
           program's date and time in the DOS disk directory listing will 
           not altered.  The following text string is visible within the 
           viral code: 
           "(c) by BrPI Version 2.0 '92" 
           This variant will interfer with the execution of some programs, 
           resulting in unpredicted results occurring. 
           Origin:  Unknown  January, 1996. 
       Siskin.555: Received in January, 1996, Siskin.555 is a 555 byte 
           variant of the Siskin virus described above.  Its size in memory 
           is 4,096 bytes, hooking interrupt 21.  Once memory resident, it 
           will infect .COM and .EXE files when they are executed.  Programs 
           infected with this variant will have a file length increase of 
           555 bytes, with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not altered.  The following text string is visible within 
           the viral code: 
           "by BrPI '92" 
           System hangs may occur when programs are executed with text on 
           the monitor partially scrolling halfway up the screen. 
           Origin:  Unknown  January, 1996. 
       Siskin.763: Received in July, 1995, Siskin.763 is a 763 byte 
           variant of the Siskin virus described above.  Its size in memory 
           is 1,024 bytes, hooking interrupt 21.  Once memory resident, it 
           will infect .COM and .EXE files when they are executed.  Programs 
           infected with this variant will usually have a file length 
           increase of 763 bytes, though occassionally it will be 771 bytes. 
           The file length increase will be hidden when the virus is memory 
           resident.  The file's date and time in the DOS disk directory 
           listing will not appear to be altered, though the seconds field 
           will have been set to "62".  No text strings are visible within 
           the viral code.  The DOS CHKDSK program will indicate file 
           allocation errors on all infected files when the virus is memory 
           resident. 
           Origin:  Unknown  July, 1995. 
       Siskin-1017: An earlier version of the Siskin virus described 
                    above, this variant's size in memory is 1,024 bytes. 
                    It adds 1,017 to 1,025 bytes to the .COM and .EXE 
                    programs it infects.  Infected programs will have 
                    their file date and time updated to the current system 
                    date and time when infection occurred. 
                    Origin:  USSR  July, 1992. 
       Siskin-Goodbye: Another member of this group of viruses, Siskin- 
                    Goodbye's size in memory is 848 bytes.  It adds 839 to 
                    847 bytes to the .COM and .EXE programs it infects. 
                    It also updates the system date and time when programs 
                    are infected. 
                    Origin:  USSR  July, 1992.

Show viruses from discovered during that infect .

Main Page