CIAC C-02


_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

Dir II Virus on MS DOS Computers

October 18, 1991, 15:30 PDT Number C-2

Critical Dir II Virus Facts

Name: Dir II virus
Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster
Virus Type: Directory infector with stealth characteristics
Variants: Unsubstantiated reports exist for two variants
Platform: MS-DOS computers
Damage: May destroy all .EXE and .COM files and backup diskettes,
crash some look-alike systems; CHKDSK /F destroys all
executable files
Symptoms: CHKDSK reports many cross-linked files and lost file
chains, can corrupt backups, copied files are only 1024
bytes long, more (see below)
First Discovered: May 1991 in Bulgaria
Eradication: Perform a series of simple DOS commands (see below)


The Dir II virus presents a new type of MS-DOS virus called a
directory infector. This virus modifies entries in the directory
structure, causing the computer to jump to the virus code before
execution of a program begins. Also, this virus utilizes stealth
techniques to hide its existence in memory.

How Infection Occurs

Initial hard disk infection occurs when a file with an infected
directory is executed. The virus establishes itself in memory and
puts a copy of itself on the last cluster of the disk. Once the
virus is active in memory, executing any file (infected or not)
will cause the virus to infect the directory entry of ALL .EXE and
.COM files in the current directory and in the directories listed
in the PATH variable. Additional detailed information on the
infection technique is included in the appendix at the end of this
bulletin.

Potential Damage

If there is currently information residing on the last cluster of
the disk, this virus will overwrite it upon installation. Since
most backup utilities fill diskettes to capacity, backups are prone
to immediate corruption upon initial infection.

The most damaging characteristic of this virus occurs if a user
boots from a clean diskette and attempts to run a disk optimizer
program such as CHKDSK /F, Norton Disk Doctor, or other similar
utility programs. When such a program attempts to "fix" the disk,
all infected executables will "become" the virus, effectively
destroying the original file!

Detection

Although current versions of many common anti-viral utilities will
not detect this virus and are unable to remove it, manual detection
can be performed using the following methods:

1. Boot from the suspect infected hard disk. With the suspected
virus active in memory, execute the command CHKDSK with NO
arguments. Then reboot from a clean, write protected diskette
(such as the original DOS diskette), and execute the command
CHKDSK with no arguments again. If many cross-linked files
and lost file chains are reported during the second CHKDSK and
not the first, it is an indication of infection.

2. Boot from the suspected infected hard disk. With the
suspected virus active in memory, use the COPY command to copy
suspect files with the extension .EXE or .COM. Examine the
file length of these copied files by using the DIR command,
then reboot from a clean, write protected diskette and perform
the same copy command(s). If the file length of the second
copy is very small (around 1K) but the file length of the
first copy is much larger, you may be infected with the Dir II
virus.

Eradication

To manually eradicate this virus, follow these steps for every
infected disk and diskette:

1. While Dir II is active in memory, use the COPY command to copy
all .EXE and .COM files to files with a different extension.

Example: COPY filename.com filename.vom

2. Reboot system from a clean, write protected diskette to ensure
the system does not have the virus in memory.

3. Delete all files with extensions of .EXE and .COM. This will
remove all pointers to the virus.

4. Rename all executables to their original names.
Example: RENAME filename.vom filename.com

5. Examine all these executables you have just restored. If any
are 1K in length, they probably are a copy of the virus.
Destroy any executables of this size.

For additional information or assistance, please contact CIAC:

Karyn Pichnarczyk
(510) 422-1779 **or (FTS) 532-1779
karyn@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at
(510) 422-8193**/(FTS)532-8193.

**Note area code has changed from 415, although the 415 area code
will work until Jan. 1992.

CIAC would like to thank Bill Kenny of DDI for his help with this
bulletin. Neither the United States Government nor the University
of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its
use would not infringe privately owned rights. Reference herein to
any specific commercial products, process, or service by trade
name, trademark manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The
views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or
product endorsement purposes.


Appendix: Detailed DIR II Information

The DOS directory structure contains the following entries:
filename, extension, attribute, time, date, cluster, file size, and
an unused area; the cluster entry is the pointer to where the
actual file exists on the disk. Dir II infects the directory
structure by scrambling the original cluster entry and storing it
in part of the unused area, then placing a pointer to the viral
code in the cluster entry. Thus when a program is executed, the
computer executes the viral code, the virus decrypts the original
cluster entry, then the virus allows the original program to
proceed.
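As an added illustration that is not part of the CIAC bulletin, the following Python parses the 32-byte DOS directory entries the appendix describes and applies the cross-linking check behind detection method 1 directly: it lists every cluster that two or more .EXE/.COM entries claim as their starting cluster, which is what CHKDSK reports as cross-linked files after a clean boot. The sample directory block, the cluster number 9999 and all file names are constructed, and the helper names are my own; the only real structure assumed is the standard FAT12/FAT16 directory entry layout.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32
SKIP_ATTRS = 0x04 | 0x08 | 0x10  # System, Volume, Directory: attributes Dir II skips

def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build one constructed 32-byte DOS directory entry (sample data, not a real disk)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<HI", raw, 26, first_cluster, size)  # start cluster, file size
    if deleted:
        raw[0] = 0xE5  # DOS marks a deleted entry by overwriting the first name byte
    return bytes(raw)

def parse_entries(directory_bytes):
    """Parse a raw FAT12/FAT16 directory block into a list of entry dicts."""
    entries = []
    for off in range(0, len(directory_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = directory_bytes[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:  # 0x00 in the first byte: no more entries in this block
            break
        deleted = raw[0] == 0xE5
        name = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        first_cluster, size = struct.unpack_from("<HI", raw, 26)
        # bytes 12-21 are the "unused area" of the directory entry in the DOS of that era
        entries.append({"name": f"{name}.{ext}", "deleted": deleted, "attr": raw[11],
                        "first_cluster": first_cluster, "size": size, "reserved": raw[12:22]})
    return entries

def find_cross_linked_executables(entries):
    """Return {cluster: [names]} for clusters where two or more .EXE/.COM entries start."""
    by_cluster = defaultdict(list)
    for e in entries:  # deleted entries are kept on purpose: the bulletin says they stay infected
        if e["attr"] & SKIP_ATTRS or not e["name"].upper().endswith((".EXE", ".COM")):
            continue
        by_cluster[e["first_cluster"]].append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}

# Constructed sample directory; LAST_CLUSTER stands for the disk's final cluster.
LAST_CLUSTER = 9999
SAMPLE_DIRECTORY = b"".join([
    make_entry("IO", "SYS", 0x27, 2, 33430),                  # hidden system file, skipped
    make_entry("COMMAND", "COM", 0x20, LAST_CLUSTER, 47845),  # infected: size field unchanged
    make_entry("WP", "EXE", 0x20, LAST_CLUSTER, 202752),      # infected
    make_entry("TINY", "COM", 0x20, 1510, 1024),              # clean, has its own cluster
    make_entry("OLD", "EXE", 0x20, LAST_CLUSTER, 9000, deleted=True),  # deleted but infected
])
```

Running `find_cross_linked_executables(parse_entries(SAMPLE_DIRECTORY))` on the sample reports cluster 9999 shared by COMMAND.COM, WP.EXE and the deleted ?LD.EXE, while TINY.COM and IO.SYS are not flagged.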

Upon initial infection, the virus links itself into the device
driver chain, copying itself to the last cluster (or last two
clusters, if cluster size is less than 1024 bytes) on the disk and
infects the directory structure of all .EXE and .COM files residing
in the current directory and all directories defined in the path.
The virus infects all files with .EXE or .COM as an extension
whether or not they are executable, EXCEPT if the size of the file
is less than 2K, larger than 256K, or has an attribute of System,
Volume, or Directory set. Therefore it does not infect the two
hidden system files, but it DOES infect command.com.

Following the supplied eradication steps will simply remove all
"live" pointers to the viral code. After eradication you may wish
to use a direct disk access utility (such as Norton Utilities) to
directly access the viral code existing on the last cluster on the
disk and overwrite it with blanks. Another recommended final
clean-up entails running a disk optimizer program that will clean
out all unnecessary deleted files. It is important to remember
that this virus has infected all .COM and .EXE files, even if they
are tagged as deleted. Therefore if an undelete utility is used on
these files, the virus can resurface.

Other Facts About Dir II

- Using CHKDSK to detect this virus from a clean boot will only
work if there is more than one infected executable on a disk.

- Dir II does not infect partitions that are accessed through a
loadable device driver.

- Due to the stealth characteristics of Dir II, while the virus
is memory-resident all file accesses, backups, deletes,
copies, etc. are accomplished with no discernible problems.
Also, errors resulting from execution of Dir II (such as an
attempt to infect a write-protected diskette) are suppressed
by the virus.

- The first execution of a file causes the virus to become
memory resident. Before it is resident, if a file is copied
from an infected disk to an uninfected disk all that will copy
will be a 1K length file containing the virus. After
eradication procedures this copied file will still be a copy
of the virus. Such files can be a very good clue to track
where the virus originated.

- If the virus is not active in memory, interaction with
infected files produces unusual results. Copying an infected
file will copy a file only 1K long (the virus itself).
Deleting a file will mark it as deleted, but does not
affect the virus.

- With the virus active in memory, formatting a disk will
produce the virus in the last cluster.

- Because this virus uses a new type of attack scheme, versions
of most anti-viral utilities prior to October 1991 will not
detect it, and cannot clean it. Since Dir II associates
itself with the device drivers, programs which detect
unauthorized requests to become memory resident do not
detect this virus.

- This virus is not compatible with all non-IBM MS-DOS machine
ROMs and will crash some hard disk systems immediately upon
initial infection.
