Sistor Virus


 Virus Name:  Sistor 
 Aliases:     Sistor-2225, Plaice 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system and available 
              free memory; system hangs; bouncing small diamond 
 Origin:      Sweden 
 Eff Length:  2,225 Bytes 
 Type Code:   PRtAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, F-Prot, ViruScan, AVTK, IBMAV, PCScan, 
                    NAV, NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Sistor, or Sistor-2225, virus was received in January, 1992 
       from an unknown location.  It is believed to have originated in 
       Sweden.  This virus is a memory resident infector of .COM and .EXE 
       programs, including COMMAND.COM. 
 
       The first time a program infected with the Sistor virus is executed, 
       this virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Interrupt 12's return 
       will be moved.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 4,096 bytes. 
       Interrupts 1C and 21 will be hooked by the Sistor virus in memory. 
       At the time of becoming memory resident, the Sistor virus will 
       check to see if the copy of COMMAND.COM the system was boot from 
       is infected.  If it is not infected, the Sistor virus will infect 
       it. 
 
       Once the Sistor virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected programs will have 
       a file length increase of 2,225 bytes with the virus being located 
       at the end of the infected file.  There will be no change to the 
       file's date and time in the DOS disk directory listing.  The 
       following text string can be found near the end of all infected 
       programs: 
 
               "Sistor" 
 
       Systems infected with the Sistor virus may experience system hangs 
       when the user attempts to execute some programs or .BAT files. 
       When these hangs occur, the current drive will be left spinning. 
       The system user may also notice a "bouncing ball" on the system 
       display, though it appears to actually be a very small diamond 
       character. 
 
       Known variant(s) of Sistor are: 
       Sistor-1129: A 1,129 byte variant of the Sistor virus, this 
                    variant is an earlier version of the Sistor-J4J virus 
                    listed below.  It infects .COM programs when they are 
                    executed.  Infected programs will have a file length 
                    increase of 1,129 bytes with the virus located at 
                    the end of the infected file.  The program's date and 
                    time in the DOS disk directory listing will not be 
                    altered, and the file length increase is not hidden. 
                    The viral code contains one text string which is the 
                    infection marker located at the very end of infected 
                    programs: 
                    "J4J" 
                    Origin:  Sweden  May, 1992. 
       Sistor-2380: A 2,380 byte variant of the Sistor virus, this 
                    variant is functionally similar, with the exception 
                    of file length increase, and that system hangs do not 
                    typically occur. 
       Sistor-2630: A 2,630 byte variant of the Sistor virus, this 
                    variant is functionally similar, with the exception 
                    of file length increase, and that system hangs do not 
                    typically occur.  Infected programs increase in size 
                    by 2,630 bytes with the first infection.  Sistor-2630 
                    cannot distinguish when a program is previously 
                    infected, so it will reinfect programs, adding an 
                    additional 2,630 bytes with each reinfection.  There 
                    are no text strings visible within the viral code. 
                    Origin:  Unknown  October, 1992. 
       Sistor-J4J: A 1,273 byte variant of the Sistor virus, this 
                   variant infects .COM files when they are opened or 
                   executed.  Infected files increase in size by 1,273 
                   bytes, though the file length increase will be hidden 
                   if Sistor-J4J is memory resident.  The virus is located 
                   at the end of infected programs.  The file's date and 
                   time in the DOS disk directory listing will not be 
                   altered.  Systems infected with Sistor-J4J will notice 
                   that the DOS CHKDSK program will return file allocation 
                   errors on infected files when the virus is memory 
                   resident, and that .EXE programs may appear to be 
                   smaller than they actually are when the virus is 
                   resident (they may also be indicated as having file 
                   allocation errors).  The following text strings can be 
                   found within the viral code in Sistor-J4J infected 
                   programs: 
                   "Eloč, Eloč, lam† sabakt†ni?" 
                   "Charlie says:  Support ()DEMORALIZED YOUTH()" 
                   "J4J" 
                   Origin:  Sweden  June, 1992. 
       Sistor-J4J Alpha: Received in September, 1992, Sistor-J4J Alpha 
                   appears to be an earlier version of the Sistor-J4J 
                   virus described above.  Its size in memory is 4,096 
                   bytes, hooking interrupt 21.  It infects .COM programs 
                   when they are executed or opened, though .COM programs 
                   which were infected on open will usually not function 
                   properly.  Programs infected with Sistor-J4J Alpha will 
                   have a file length increase of 833 bytes with the virus 
                   being located at the end of the file.  The program's 
                   date and time in the DOS disk directory listing will 
                   have been updated to the current system date and time 
                   when infection occurred.  The following text strings 
                   can be found within the viral code in all Sistor-J4J 
                   Alpha infected programs: 
                   "Jump 4 Joy, alpha-release. Not to be distributed!" 
                   "J4J" 
                   Origin:  Sweden  September, 1992. 
 
       See:   PCBB 

Show viruses from discovered during that infect .

Main Page