Type File virus
Creator Qark
Date Discovered 1994.07
Place of Origin Australia
Source Language Assembly
Platform DOS
File Type(s) .exe
Infection Length 791 bytes

Sister is a memory-resident encrypted infecter of MS-DOS .EXE files. It appeared in Issue 1 of VLAD in July 1994. It is a member of Qark's Incest family, and has similarities to other members, including Daddy, Mummy and Brother.


Sister uses the same memory allocation method of modifying the MCB's as 'Daddy'. Like Daddy, Sister checks files by extension but only seems to handle upper-case extensions. Also like Mummy and Daddy, Sister plays the same CPU prefetch trick. Once resident, Sister infects files on Execute, Open, Chmod and Rename calls. Files are marked as infected by placing a 'magic' value in the MZ header. Sister includes the text strings:

[Incest Sister]
by VLAD - Brisbane, OZ


Original research by JPanic, aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License