_____________________________________________________

        The Computer Incident Advisory Capability

_____________________________________________________

                     Information Bulletin

              Dir II Virus on MS DOS Computers

October 18, 1991, 15:30 PDT                                    Number C-2

                   Critical Dir II Virus Facts
_________________________________________________________________________

Name:             Dir II virus
Aliases:          Dir-2, MG series II, Creeping Death, DRIVER-1024,
                  Cluster Virus
Type:             Directory infector with stealth characteristics
Variants:         Unsubstantiated reports exist for two variants
Platform:         MS-DOS computers
Damage:           May destroy all .EXE and .COM files and backup diskettes,
                  crashes some IBM PC lookalike systems, CHKDSK /F destroys
                  all executable files
Symptoms:         CHKDSK reports many cross-linked files and lost file
                  chains, can corrupt backups, copied files are only 1024
                  bytes long, more (see below)
First Discovered: May 1991 in Bulgaria
Eradication:      Perform a series of simple DOS commands (see below)
_________________________________________________________________________

The Dir II virus presents a new type of MS-DOS virus called a directory
infector. This virus modifies entries in the directory structure, causing
the computer to jump to the virus code before execution of a program begins.
Also, this virus utilizes stealth techniques to hide its existence in memory.

How Infection Occurs

Initial hard disk infection occurs when a file with an infected directory
entry is executed. The virus establishes itself in memory and puts a copy of
itself on the last cluster of the disk. Once the virus is active in memory,
executing any file (infected or not) will cause the virus to infect the
directory entry of ALL .EXE and .COM files in the current directory and in
the directories listed in the PATH variable. Additional detailed information
on the infection technique is included in the appendix at the end of this
bulletin.
Potential Damage

If there is currently information residing on the last cluster of the disk,
this virus will overwrite it upon installation. Since most backup utilities
fill diskettes to capacity, backups are prone to immediate corruption upon
initial infection.

The most damaging characteristic of this virus occurs if a user boots from a
clean diskette and attempts to run a disk repair or optimizer program such as
CHKDSK /F, Norton Disk Doctor, or other similar utility programs. Seen from a
clean boot, every infected directory entry points at the same 1K cluster
chain (the virus body), and the original starting cluster survives only in
scrambled form in the entry's unused area. When such a program attempts to
"fix" the cross-linked files it finds, all infected executables will "become"
the virus, effectively destroying the original file!

Detection

Although current versions of many common anti-viral utilities will not
detect this virus and are unable to remove it, manual detection can be
performed using the following methods:

1. Boot from the suspect infected hard disk. With the suspected virus active
   in memory, execute the command CHKDSK with NO arguments. Then reboot from
   a clean, write protected diskette (such as the original DOS diskette),
   and execute the command CHKDSK with no arguments again. If many
   cross-linked files and lost file chains are reported during the second
   CHKDSK and not the first, it is an indication of infection. Do NOT use
   the /F switch for this check; see Potential Damage above.

2. Boot from the suspected infected hard disk. With the suspected virus
   active in memory, use the COPY command to copy suspect files with the
   extension .EXE or .COM. Examine the file length of these copied files by
   using the DIR command, then reboot from a clean, write protected diskette
   and perform the same copy command(s). If the file length of the second
   copy is very small (around 1K) but the file length of the first copy is
   much larger, you may be infected with the Dir II virus.

Eradication

To manually eradicate this virus, follow these steps for every infected disk
and diskette:

1. While Dir II is active in memory, use the COPY command to copy all .EXE
   and .COM files to files with a different extension. Example:

        COPY filename.com filename.vom

2. Reboot the system from a clean, write protected diskette to ensure the
   system does not have the virus in memory.

3. Delete all files with extensions of .EXE and .COM. This will remove all
   pointers to the virus.

4. Rename all executables to their original names. Example:

        RENAME filename.vom filename.com

5. Examine all the executables you have just restored. If any are 1K in
   length, they are probably a copy of the virus. Destroy any executables of
   this size.

For additional information or assistance, please contact CIAC:

   Karyn Pichnarczyk
   (510) 422-1779** or (FTS) 532-1779
   karyn@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193** / (FTS)
532-8193.

**Note: the area code has changed from 415, although the 415 area code will
work until Jan. 1992.

CIAC would like to thank Bill Kenny of DDI for his help with this bulletin.

Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein to
any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government nor the University of California, and shall not be
used for advertising or product endorsement purposes.

Appendix: Detailed DIR II Information

The DOS directory structure contains the following entries for each file:
filename, extension, attribute, time, date, cluster, filesize, and an unused
area; the cluster entry is the pointer to the first cluster where the actual
file data exists on the disk.
Dir II infects the directory structure by scrambling the original cluster
entry and storing it in part of the unused area, then placing a pointer to
the viral code in the cluster entry. Thus when a program is executed, the
computer executes the viral code, the virus decrypts the original cluster
entry, then the virus allows the original program to proceed.

Upon initial infection, the virus links itself into the device driver chain,
copies itself to the last cluster (or last two clusters, if cluster size is
less than 1024 bytes) on the disk and infects the directory structure of all
.EXE and .COM files residing in the current directory and all directories
defined in the path. The virus infects all files with .EXE or .COM as an
extension whether or not they are executable, EXCEPT if the size of the file
is less than 2K, larger than 256K, or has an attribute of System, Volume, or
Directory set. Therefore it does not infect the two hidden system files, but
it DOES infect COMMAND.COM.

Following the supplied eradication steps will simply remove all "live"
pointers to the viral code. After eradication you may wish to use a direct
disk access utility (such as Norton Utilities) to directly access the viral
code existing on the last cluster on the disk and overwrite it with blanks.
Another recommended final clean-up, once the live pointers are gone, entails
running a disk optimizer program that will clean out all unnecessary deleted
files. It is important to remember that this virus has infected all .COM and
.EXE files, even if they are tagged as deleted. Therefore if an undelete
utility is used on these files, the virus can resurface.

Other Facts About Dir II

- Using CHKDSK to detect this virus from a clean boot will only work if
  there is more than one infected executable on a disk.

- Dir II does not infect partitions that are accessed through a loadable
  device driver.
- Due to the stealth characteristics of Dir II, while the virus is
  memory-resident all file accesses, backups, deletes, copies, etc. are
  accomplished with no discernible problems. Also, errors resulting from
  execution of Dir II (such as an attempt to infect a write-protected
  diskette) are suppressed by the virus.

- The first execution of a file causes the virus to become memory resident.
  Before it is resident, if a file is copied from an infected disk to an
  uninfected disk, all that will copy is a 1K file containing the virus.
  After eradication procedures this copied file will still be a copy of the
  virus. Such files can be a very good clue to track where the virus
  originated.

- If the virus is not active in memory, interaction with infected files
  produces unusual results. Copying an infected file will copy a file only
  1K long (the virus itself). Deleting a file will mark it as deleted, but
  does not affect the virus.

- With the virus active in memory, formatting a disk will produce the virus
  in the last cluster.

- Because this virus uses a new type of attack scheme, versions of most
  anti-viral utilities prior to October 1991 will not detect it, and cannot
  clean it. Since Dir II associates itself with the device drivers, programs
  which detect unauthorized requests to become memory resident do not detect
  this virus.

- This virus is not compatible with all non-IBM MS-DOS machine ROMs and will
  crash some hard disk systems immediately upon initial infection.
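The following scanner is an added example; it is not CIAC code and was not
part of the original bulletin. It applies the appendix's description of the
infection to raw FAT directory entries: it assumes the standard FAT12/FAT16
32-byte entry layout (8-byte name, 3-byte extension, attribute byte, 10
reserved bytes that the bulletin calls the "unused area", time, date, 16-bit
starting cluster, 32-bit size) and reproduces the virus's own target filter
(.COM/.EXE extension, 2K to 256K, no System/Volume/Directory attribute). An
entry is flagged when its starting cluster lies in the last cluster (or last
two clusters for sub-1K clusters) of the volume and it either shares that
cluster with another executable, which is the cross-linked-file symptom
CHKDSK shows from a clean boot, or carries non-zero reserved bytes where the
scrambled original cluster is kept; the second test also catches the
single-infected-file case the bulletin says CHKDSK misses. Deleted entries
are kept and reported, since the bulletin warns that undeleting them revives
the virus, and a second function lists the 1K .COM/.EXE files that
eradication step 5 tells you to destroy. The sample directory, the volume
geometry (LAST_CLUSTER, BYTES_PER_CLUSTER) and the SCRAMBLED bytes are
constructed for illustration, not taken from a real disk.

```python
"""Dir II infection scanner for raw FAT12/FAT16 directory entries.

Added example for this bulletin; not CIAC code. Models the appendix: Dir II
overwrites the starting-cluster field of each .COM/.EXE entry with the cluster
holding the virus body (the last cluster, or last two if clusters are smaller
than 1024 bytes) and stores the scrambled original cluster in the entry's
reserved bytes. The sample directory below is constructed, not captured.
"""
import struct
from collections import defaultdict

ENTRY_SIZE = 32
# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first cluster(2) size(4), little-endian
ENTRY_FMT = "<8s3sB10sHHHI"
ATTR_SYSTEM, ATTR_VOLUME, ATTR_DIRECTORY = 0x04, 0x08, 0x10
NOT_INFECTABLE = ATTR_SYSTEM | ATTR_VOLUME | ATTR_DIRECTORY
VIRUS_BODY_LEN = 1024          # the bulletin's "1K" virus body


def parse_entries(raw):
    """Decode used entries; deleted (0xE5) entries are kept and marked,
    because an undeleted executable still points at the virus body."""
    entries = []
    for off in range(0, len(raw) - len(raw) % ENTRY_SIZE, ENTRY_SIZE):
        name, ext, attr, reserved, _time, _date, cluster, size = \
            struct.unpack_from(ENTRY_FMT, raw, off)
        if name[0] == 0x00:        # end-of-directory marker
            break
        deleted = name[0] == 0xE5  # DOS overwrites the first name byte on delete
        base = (b"?" + name[1:]) if deleted else name
        entries.append({
            "name": base.decode("ascii", "replace").rstrip() + "."
                    + ext.decode("ascii", "replace").rstrip(),
            "attr": attr, "reserved": reserved, "cluster": cluster,
            "size": size, "deleted": deleted,
        })
    return entries


def is_virus_target(e):
    """The filter Dir II itself applies (appendix): .COM/.EXE by extension
    only, 2K <= size <= 256K, none of System/Volume/Directory set."""
    ext = e["name"].rsplit(".", 1)[-1]
    return (ext in ("COM", "EXE") and 2048 <= e["size"] <= 256 * 1024
            and not e["attr"] & NOT_INFECTABLE)


def find_dir2_suspects(raw, last_cluster, bytes_per_cluster):
    """Names of target entries whose starting cluster is in the tail clusters
    that hold the virus body and that either share that cluster with another
    executable (CHKDSK's cross-link symptom) or have a non-zero reserved area
    (the scrambled original cluster), which also catches a single infection."""
    body_clusters = -(-VIRUS_BODY_LEN // bytes_per_cluster)   # ceiling division
    tail = range(last_cluster - body_clusters + 1, last_cluster + 1)
    by_cluster = defaultdict(list)
    for e in parse_entries(raw):
        if is_virus_target(e):
            by_cluster[e["cluster"]].append(e)
    suspects = []
    for cluster, group in by_cluster.items():
        if cluster not in tail:
            continue
        for e in group:
            if len(group) > 1 or any(e["reserved"]):
                suspects.append(e["name"])
    return sorted(suspects)


def find_virus_copies(raw):
    """Eradication step 5: .COM/.EXE files exactly 1K long are probably bare
    copies of the virus (what COPY produces from a clean boot)."""
    return sorted(e["name"] for e in parse_entries(raw)
                  if e["name"].rsplit(".", 1)[-1] in ("COM", "EXE")
                  and e["size"] == VIRUS_BODY_LEN)


# --- constructed sample directory (hypothetical, not from a real disk) -------
def make_entry(name, ext, attr, cluster, size, reserved=b"\x00" * 10, deleted=False):
    n = name.encode("ascii").ljust(8)
    if deleted:
        n = b"\xE5" + n[1:]
    return struct.pack(ENTRY_FMT, n, ext.encode("ascii").ljust(3), attr,
                       reserved, 0, 0, cluster, size)

LAST_CLUSTER = 2041            # hypothetical volume: data clusters 2..2041
BYTES_PER_CLUSTER = 2048       # >= 1024, so the virus body fits in one cluster
SCRAMBLED = b"\x9c\x31" + b"\x00" * 8   # stand-in for the scrambled original cluster

SAMPLE_DIRECTORY = b"".join([
    make_entry("IO", "SYS", 0x27, 2, 33430),                  # System attr: virus skips it
    make_entry("COMMAND", "COM", 0x20, LAST_CLUSTER, 47845, SCRAMBLED),
    make_entry("FORMAT", "COM", 0x20, LAST_CLUSTER, 32911, SCRAMBLED),
    make_entry("QBASIC", "EXE", 0x20, LAST_CLUSTER, 254799, SCRAMBLED),
    make_entry("README", "TXT", 0x20, 57, 3100),              # not a target
    make_entry("TINY", "COM", 0x20, 90, 1024),                # bare 1K virus copy
    make_entry("NORTON", "EXE", 0x20, LAST_CLUSTER, 121000, SCRAMBLED, deleted=True),
    b"\x00" * ENTRY_SIZE,                                     # end of directory
])

if __name__ == "__main__":
    print("suspect entries:", find_dir2_suspects(SAMPLE_DIRECTORY, LAST_CLUSTER, BYTES_PER_CLUSTER))
    print("1K virus copies:", find_virus_copies(SAMPLE_DIRECTORY))
```

To use it on a real volume, dump the root and subdirectory sectors with a raw
sector reader from a clean boot (the stealth code hides the pattern while the
virus is resident) and take the last cluster number and cluster size from the
boot sector. Because a resolved cross-link is exactly what destroys the files,
the scanner only reports; it never writes to the disk.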