Sistor Virus
Virus Name: Sistor
Aliases: Sistor-2225, Plaice
V Status: Rare
Discovered: January, 1992
Symptoms: .COM & .EXE growth; decrease in total system and available
free memory; system hangs; bouncing small diamond
Origin: Sweden
Eff Length: 2,225 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: Sweep, F-Prot, ViruScan, AVTK, IBMAV, PCScan, NAV,
NAVDX, VAlert, ChAV, NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N,
IBMAV/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Sistor, or Sistor-2225, virus was received in January, 1992
from an unknown location. It is believed to have originated in
Sweden. This virus is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.

The first time a program infected with the Sistor virus is executed,
the virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. The value returned by
Interrupt 12 will be changed. Total system and available free memory,
as indicated by the DOS CHKDSK program, will have decreased by 4,096
bytes. Interrupts 1C and 21 will be hooked by the Sistor virus in
memory. At the time of becoming memory resident, the Sistor virus
will check to see if the copy of COMMAND.COM the system was booted
from is infected. If it is not infected, the Sistor virus will infect
it.

Once the Sistor virus is memory resident, it will infect .COM and
.EXE programs when they are executed. Infected programs will have
a file length increase of 2,225 bytes with the virus being located
at the end of the infected file. There will be no change to the
file's date and time in the DOS disk directory listing. The
following text string can be found near the end of all infected
programs:
"Sistor"

Systems infected with the Sistor virus may experience system hangs
when the user attempts to execute some programs or .BAT files.
When these hangs occur, the current drive will be left spinning.
The system user may also notice a "bouncing ball" on the system
display, though it appears to actually be a very small diamond
character.
Known variant(s) of Sistor are:
Sistor-1129: A 1,129 byte variant of the Sistor virus, this
variant is an earlier version of the Sistor-J4J virus
listed below. It infects .COM programs when they are
executed. Infected programs will have a file length
increase of 1,129 bytes with the virus located at
the end of the infected file. The program's date and
time in the DOS disk directory listing will not be
altered, and the file length increase is not hidden.
The viral code contains one text string which is the
infection marker located at the very end of infected
programs:
"J4J"
Origin: Sweden May, 1992.
Sistor-2380: A 2,380 byte variant of the Sistor virus, this
variant is functionally similar, with the exception
of file length increase, and that system hangs do not
typically occur.
Sistor-2630: A 2,630 byte variant of the Sistor virus, this
variant is functionally similar, with the exception
of file length increase, and that system hangs do not
typically occur. Infected programs increase in size
by 2,630 bytes with the first infection. Sistor-2630
cannot distinguish when a program is previously
infected, so it will reinfect programs, adding an
additional 2,630 bytes with each reinfection. There
are no text strings visible within the viral code.
Origin: Unknown October, 1992.
Sistor-J4J: A 1,273 byte variant of the Sistor virus, this
variant infects .COM files when they are opened or
executed. Infected files increase in size by 1,273
bytes, though the file length increase will be hidden
if Sistor-J4J is memory resident. The virus is located
at the end of infected programs. The file's date and
time in the DOS disk directory listing will not be
altered. Systems infected with Sistor-J4J will notice
that the DOS CHKDSK program will return file allocation
errors on infected files when the virus is memory
resident, and that .EXE programs may appear to be
smaller than they actually are when the virus is
resident (they may also be indicated as having file
allocation errors). The following text strings can be
found within the viral code in Sistor-J4J infected
programs:
"Eloï, Eloï, lamá sabaktáni?"
"Charlie says: Support ()DEMORALIZED YOUTH()"
"J4J"
Origin: Sweden June, 1992.
Sistor-J4J Alpha: Received in September, 1992, Sistor-J4J Alpha
appears to be an earlier version of the Sistor-J4J
virus described above. Its size in memory is 4,096
bytes, hooking interrupt 21. It infects .COM programs
when they are executed or opened, though .COM programs
which were infected on open will usually not function
properly. Programs infected with Sistor-J4J Alpha will
have a file length increase of 833 bytes with the virus
being located at the end of the file. The program's
date and time in the DOS disk directory listing will
have been updated to the current system date and time
when infection occurred. The following text strings
can be found within the viral code in all Sistor-J4J
Alpha infected programs:
"Jump 4 Joy, alpha-release. Not to be distributed!"
"J4J"
Origin: Sweden September, 1992.
See: PCBB
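
The text markers and file-growth figures above can be turned into a quick triage pass over suspect .COM and .EXE files. The Python sketch below is an added example, not part of the original entry or of any scanner it names; the helper names (triage, make_sample), the search windows and the sample bytes are constructed assumptions.

```python
# Added example (not from the original entry): flag files whose tail holds
# one of the text markers listed above. Window sizes reuse the entry's
# file-growth figures; "near the end" = "inside the appended body" is assumed.

# (variant, bytes appended, marker, marker must be the file's final bytes)
SIGNATURES = [
    ("Sistor-2225", 2225, b"Sistor", False),
    ("Sistor-1129", 1129, b"J4J", True),
    ("Sistor-J4J", 1273, b"Charlie says: Support", False),
    ("Sistor-J4J Alpha", 833, b"Jump 4 Joy, alpha-release", False),
]


def triage(data: bytes) -> list:
    """Return the variants whose marker sits where the entry says it does."""
    hits = []
    for name, grown, marker, at_end in SIGNATURES:
        if len(data) <= grown:      # too small to hold a host plus this body
            continue
        body = data[-grown:]        # the virus is appended to the host
        found = body.endswith(marker) if at_end else marker in body
        if found:
            hits.append(name)
    return hits


def make_sample(host: bytes, grown: int, marker: bytes, at_end: bool) -> bytes:
    """Build an inert test file: host bytes, zero padding and one marker."""
    pad = bytes(grown - len(marker))
    tail = pad + marker if at_end else pad[:-16] + marker + pad[-16:]
    return host + tail


HOST = b"HOST" * 100  # constructed stand-in for a clean program

if __name__ == "__main__":
    for name, grown, marker, at_end in SIGNATURES:
        print(name, "->", triage(make_sample(HOST, grown, marker, at_end)))
    print("clean host ->", triage(HOST))
    # A marker far from the end is ignored: it lies outside every window.
    print("marker at start ->", triage(b"Sistor" + bytes(3000)))
```

Three-byte markers such as "J4J" also occur in clean files, so a hit is a lead to confirm with one of the scanners listed under Detection Method. Sistor-2630 has no visible text strings and is outside what this check can see.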