Virus Name: Cysta
Aliases: Cysta-2711
V Status: Rare
Discovery: June, 1993
Symptoms: .COM & .EXE growth; Hidden Files may become visible in DIR;
decrease in total system & available free memory
Origin: Poland
Eff Length: 2,711 - 2,726 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, IBMAV, Sweep, AVTK, NAVDX, VAlert,
ViruScan, NAV, PCScan, ChAV,
Sweep/N, NShld, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
LProt
Removal Instructions: Delete infected files
General Comments:
The Cysta, or Cysta-2711, virus was submitted in June, 1993. Cysta
is a memory resident infector of .COM and .EXE programs, including
COMMAND.COM. It is a fast infector, infecting programs when they
are opened for any reason.
When the first Cysta infected program is executed, the Cysta virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 2,736 bytes. Interrupt 21
will be hooked by the virus in memory. Also at this time, the
virus will infect COMMAND.COM if it was not previously infected by
the virus.
Once the Cysta virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened for any reason.
Infected programs will have a file length increase of 2,711 to
2,726 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible within the
viral code in all Cysta infected programs:
"(C) 1992 Cysta Inc."
"COMSYSEXEIBMDOSIBMBIOMSDOSIOCONFIGCOUNTRYPSQVW"
"GAME" "ENJO" "DZOJ" "DZOY" "PLAY" "FUCK"
"DUPA" "PORNO" "JOY" "GRY" "RETAL" "GIER"
"HUJ" "MKS" "VIRUS" "WIRUS" "SEX" "SONG"
"GIF" "WOLF3D" "F19 \"
"Enter NEW Password :"
"NEW Password Installed"
"ERROR, Press Any Key...."
"Use Maximum 6 ASCII Characters"
"ESC:Exit"
"Hit <ESC>, If you want to:
It is unknown what Cysta may do besides replicate, though it does
alter the hidden file attribute on some files so that hidden files
become visible with the DOS disk directory listing.
Known variant(s) of Cysta are:
Cysta-2954: A 2,954 byte variant of the Cysta virus described
above, this variant's size in memory is 2,976 bytes,
hooking interrupt 21. Cysta-2954 adds 2,954 to 2,969
bytes to the programs it infects. The following text
string is visible within the viral code:
"COMSYSEXEIBMDOSIBMBIOMSDOSIOCONFIGCOUNTRYPSQVW"
As with the Cysta virus, the hidden attribute may be
reset on files, making the files visible within the
DOS disk directory listing.
Origin: Poland June, 1993.
Cysta-8045: A 8,045 byte variant of the Cysta virus described
above, this variant's size in memory is 8,064 bytes,
hooking interrupt 21. Cysta-8045 adds 8,045 to 8,060
bytes to the programs it infects. The following text
strings are visible within the viral code:
"(C) By Rycho Rak"
"COMSYSEXEIBMDOSIBMBIOMSDOSIOCONFIGCOUNTRYCOMMAND"
"MKS-VIRMKS_VIRMKSVIRMKS-DEMOMKS_DEMOMKSDEMOPSQVW"
As with the Cysta virus, the hidden attribute may be
reset on files, making the files visible within the
DOS disk directory listing.
Origin: Poland June, 1993.
