Place of Origin: Australia
Infection Length: 232 bytes
'SySta' is a direct-action infector of MS-DOS .SYS files. It appeared in the "April Fool's Edition" of VLAD magazine in April of 1996.
SySta infects MS-DOS .SYS files (MS-DOS device drivers) by appending the virus to the file and repointing the WORD at offset +08h of the .SYS header (the Interrupt Routine offset) at the appended virus code. Victim files are judged to be valid .SYS files by checking whether the first WORD of the file (+00h, the offset portion of the Next Driver address) is 0FFFFh.
.SYS files supported multiple drivers in a single file by allowing chained .SYS headers, with the address of the next driver's header held in the first 32 bits of the .SYS header (a far pointer: offset word, then segment word). A value of 0FFFFh indicates that the .SYS header is the last in the list, and most .SYS files contained only a single driver, hence SySta's check for 0FFFFh at the start of the file.
When an infected .SYS file is run, SySta sets up a JMP NEAR (0E9h) instruction pointing to the original Interrupt Routine (saved at infection time) and then infects all .SYS files in the current directory. This is achieved by saving the address of the original DTA (Disk Transfer Area), setting the DTA to SySta's heap and entering an ASCII FindFirst/FindNext loop (INT 21h AH=4Eh/4Fh) for "*.sys". SySta identifies already-infected .SYS files by checking whether the original Interrupt Routine offset lies within 1k of the end of the file.
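As an added illustration, not part of this entry or of JPanic's research, the following Python reads the MS-DOS device driver header described above and applies the two checks the description gives from a scanner's point of view: the +00h WORD equal to 0FFFFh that SySta uses to pick victims, and the "Interrupt Routine within 1k of EOF" rule that SySta uses as its own infected-already marker, plus a search for the credit string. The sample files, the constant and function names, and the 4096-byte and 512-byte layouts are constructed for the example; only the header field layout, the 1k rule and the string come from the page.

```python
import struct

SYS_HEADER_LEN = 18        # DWORD next driver, WORD attributes, WORD strategy, WORD interrupt, 8-byte name
INTERRUPT_FIELD = 8        # +08h: the Interrupt Routine offset that SySta repoints
MARKER_WINDOW = 1024       # SySta's "already infected" test: interrupt routine within 1k of EOF
SYSTA_STRING = b"SySta by Qark/VLAD"   # credit string (absent in the 212-byte variant)


def parse_sys_header(data: bytes) -> dict:
    """Decode the fixed 18-byte MS-DOS device driver header (little-endian WORDs)."""
    if len(data) < SYS_HEADER_LEN:
        raise ValueError("too short for a .SYS device driver header")
    next_off, next_seg, attr, strategy, interrupt = struct.unpack_from("<HHHHH", data, 0)
    return {
        "next_offset": next_off,      # +00h, 0FFFFh when this is the last (usually only) driver
        "next_segment": next_seg,     # +02h
        "attributes": attr,           # +04h
        "strategy": strategy,         # +06h
        "interrupt": interrupt,       # +08h
        "name": data[10:18],          # +0Ah, device name / unit count
    }


def is_single_driver_sys(data: bytes) -> bool:
    """SySta's victim test: first WORD of the file is 0FFFFh."""
    return len(data) >= SYS_HEADER_LEN and struct.unpack_from("<H", data, 0)[0] == 0xFFFF


def interrupt_points_near_eof(data: bytes, window: int = MARKER_WINDOW) -> bool:
    """SySta's infected-already marker. A .SYS driver is loaded at offset 0 of its
    segment, so the header's routine offsets are also file offsets."""
    interrupt = parse_sys_header(data)["interrupt"]
    return interrupt < len(data) and (len(data) - interrupt) <= window


def scan_sys(data: bytes) -> list:
    """Return the indicators found; an empty list means nothing SySta-like was seen."""
    findings = []
    if not is_single_driver_sys(data):
        return findings               # not a single-driver .SYS, not a SySta target
    if interrupt_points_near_eof(data):
        findings.append("interrupt routine points within 1k of EOF")
    if SYSTA_STRING in data:
        findings.append("SySta credit string present")
    return findings


def make_sample(total_len: int, interrupt_off: int, tail: bytes = b"") -> bytes:
    """Constructed test fixture: a valid-looking single-driver header plus zero padding.
    Not a real driver and not real virus code; only the layout matters here."""
    header = struct.pack("<HHHHH", 0xFFFF, 0xFFFF, 0x8000, 0x0012, interrupt_off) + b"SAMPLE  "
    body = bytes(total_len - len(header) - len(tail))
    return header + body + tail


# Constructed samples (hypothetical layouts, not captured files):
CLEAN = make_sample(4096, 0x0020)                               # routine near the start
SUSPECT = make_sample(4096, 4096 - 232, tail=SYSTA_STRING)      # routine 232 bytes from EOF, string at end
SMALL_CLEAN = make_sample(512, 0x0020)                           # legitimate driver under 1k

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT), ("small clean", SMALL_CLEAN)):
        print(label, parse_sys_header(sample)["interrupt"], scan_sys(sample))
```

The third sample shows the limit of the 1k rule on its own: any genuine driver shorter than 1k trips it, which is acceptable for SySta (it only needs to avoid re-infecting its own victims) but not for a scanner, which should treat it as one indicator to combine with the string or a code-pattern match.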
SySta includes the text string:
SySta by Qark/VLAD
There are a couple of variants of this virus, weighing in at 231 and 212 bytes. The 212-byte variant does not contain the text string with the virus name and credit.
Original research by JPanic aka @JPanicVX