Tyst Virus

Virus Name: Tyst Aliases: V Status: Viron Discovered: December, 1992 Symptoms: .COM & .EXE files overwritten; files truncated to 3,424 bytes; program corruption; file date set to 4-04-92; message Origin: Unknown Eff Length: 3,424 Bytes OW Type Code: ONAK - Non-Resident Overwriting .COM & .EXE Infector Detection Method: ViruScan, IBMAV, AVTK, F-Prot, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, IBMAV/N, AVTK/N, NProt, NAV/N, LProt, Innoc Removal Instructions: Delete infected files General Comments: The Tyst virus was submitted in December, 1992. Its origin or point of isolation is unknown. Tyst is a non-resident, direct action overwriting virus which infects .COM, .EXE, and .SYS programs, including COMMAND.COM. When a program infected with the Tyst virus is executed, the Tyst virus will copy the file names of the first 6 programs located in the C:\DOS directory to the current directory. The programs in the current directory will not contain the original program code, but instead of pure copy of the Tyst viral code. Infected programs will have a file length of 3,424 bytes. The infected files will have a file date in the DOS disk directory of 4-04-92. The file time will be set to the system time when infection occurred. A zero byte file, COMSPEC, may also be created in the current directory. The Tyst virus displays the following message whenever an infected program is executed: "Tyst f”r fan.. Jag spr„nger!" Besides the above text, the following text can be found within the viral code in all Tyst infected programs: "C:\DOS\*.*" "COMSPEC" "/C copy" "NUL" "RoTh"