Sister is a memory-resident encrypted infecter of MS-DOS .EXE files. It appeared in Issue 1 of VLAD in July 1994. It is a member of Qark's Incest family, and has similarities to other members, including Daddy, Mummy and Brother.

Behavior

Sister uses the same memory allocation method of modifying the MCB's as 'Daddy'. Like Daddy, Sister checks files by extension but only seems to handle upper-case extensions. Also like Mummy and Daddy, Sister plays the same CPU prefetch trick. Once resident, Sister infects files on Execute, Open, Chmod and Rename calls. Files are marked as infected by placing a 'magic' value in the MZ header. Sister includes the text strings:

[Incest Sister]
by VLAD - Brisbane, OZ

Sources

Original research by JPanic, aka @JPanicVX