Cysta Virus
Virus Name: Cysta
Aliases: Cysta-2711
V Status: Rare
Discovery: June, 1993
Symptoms: .COM & .EXE growth; Hidden Files may become visible in DIR;
decrease in total system & available free memory
Origin: Poland
Eff Length: 2,711 - 2,726 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, IBMAV, Sweep, AVTK, NAVDX, VAlert,
ViruScan, NAV, PCScan, ChAV,
Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
LProt
Removal Instructions: Delete infected files
General Comments:
The Cysta, or Cysta-2711, virus was submitted in June, 1993. Cysta
is a memory resident infector of .COM and .EXE programs, including
COMMAND.COM. It is a fast infector, infecting programs when they
are opened for any reason.
When the first Cysta infected program is executed, the Cysta virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 2,736 bytes. Interrupt 21
will be hooked by the virus in memory. Also at this time, the
virus will infect COMMAND.COM if it was not previously infected by
the virus.
Once the Cysta virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 2,711 to
2,726 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible within the
viral code in all Cysta infected programs:
"(C) 1992 Cysta Inc."
"COMSYSEXEIBMDOSIBMBIOMSDOSIOCONFIGCOUNTRYPSQVW"
"GAME" "ENJO" "DZOJ" "DZOY" "PLAY" "FUCK"
"DUPA" "PORNO" "JOY" "GRY" "RETAL" "GIER"
"HUJ" "MKS" "VIRUS" "WIRUS" "SEX" "SONG"
"GIF" "WOLF3D" "F19 \"
"Enter NEW Password :"
"NEW Password Installed"
"ERROR, Press Any Key...."
"Use Maximum 6 ASCII Characters"
"ESC:Exit"
"Hit