c-02.ciac-dir-II-virus-on-msdos

Posted Sep 23, 1999
tags | virus
SHA-256 | 9ae9594b766edfcc90c461da0c94fd43d2c30c67a016c2d8763d2d7326445986

_____________________________________________________
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________
Information Bulletin

Dir II Virus on MS DOS Computers

October 18, 1991, 15:30 PDT Number C-2

Critical Dir II Virus Facts
_________________________________________________________________________
Name: Dir II virus
Aliases: Dir-2, MG series II, Creeping Death, DRIVER-1024, Cluster
Virus Type: Directory infector with stealth characteristics
Variants: Unsubstantiated reports exist for two variants
Platform: MS-DOS computers
Damage: May destroy all .EXE and .COM files and backup diskettes;
        crashes some lookalike systems; CHKDSK /F destroys all
        executable files
Symptoms: CHKDSK reports many cross-linked files and lost file chains;
        can corrupt backups; copied files are only 1024 bytes long;
        more (see below)
First Discovered: May 1991 in Bulgaria
Eradication: Perform a series of simple DOS commands (see below)
_________________________________________________________________________

The Dir II virus presents a new type of MS-DOS virus called a
directory infector. This virus modifies entries in the directory
structure, causing the computer to jump to the virus code before
execution of a program begins. Also, this virus utilizes stealth
techniques to hide its existence in memory.

How Infection Occurs

Initial hard disk infection occurs when a file with an infected
directory is executed. The virus establishes itself in memory and
puts a copy of itself on the last cluster of the disk. Once the virus
is active in memory, executing any file (infected or not) will cause
the virus to infect the directory entry of ALL .EXE and .COM files in
the current directory and in the directories listed in the PATH
variable. Additional detailed information on the infection technique
is included in the appendix at the end of this bulletin.

Potential Damage

If there is currently information residing on the last cluster of the
disk, this virus will overwrite it upon installation. Since most
backup utilities fill diskettes to capacity, backups are prone to
immediate corruption upon initial infection.

The most damaging characteristic of this virus occurs if a user boots
from a clean diskette and attempts to run a disk optimizer program
such as CHKDSK /F, Norton Disk Doctor, or other similar utility
programs. When such a program attempts to "fix" the disk, all
infected executables will "become" the virus, effectively destroying
the original file!

Detection

Although current versions of many common anti-viral utilities will not
detect this virus and are unable to remove it, manual detection can be
performed using the following methods:

1. Boot from the suspect infected hard disk. With the suspected virus
active in memory, execute the command CHKDSK with NO arguments.
Then reboot from a clean, write protected diskette (such as the
original DOS diskette), and execute the command CHKDSK with no
arguments again. If many cross-linked files and lost file chains
are reported during the second CHKDSK and not the first, it is an
indication of infection.

2. Boot from the suspected infected hard disk. With the suspected
virus active in memory, use the COPY command to copy suspect files
with the extension .EXE or .COM. Examine the file length of these
copied files by using the DIR command, then reboot from a clean,
write protected diskette and perform the same copy command(s). If
the file length of the second copy is very small (around 1K) but
the file length of the first copy is much larger, you may be
infected with the Dir II virus.

Eradication

To manually eradicate this virus, follow these steps for every
infected disk and diskette:

1. While Dir II is active in memory, use the COPY command to copy all
.EXE and .COM files to files with a different extension.
Example: COPY filename.com filename.vom

2. Reboot system from a clean, write protected diskette to ensure the
system does not have the virus in memory.

3. Delete all files with extensions of .EXE and .COM. This will
remove all pointers to the virus.

4. Rename all executables to their original names.
Example: RENAME filename.vom filename.com

5. Examine all the executables you have just restored. If any are
1K in length, they are probably a copy of the virus. Destroy any
executables of this size.

For additional information or assistance, please contact CIAC:

Karyn Pichnarczyk
(510) 422-1779 **or (FTS) 532-1779
karyn@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at
(510) 422-8193**/(FTS)532-8193.

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

CIAC would like to thank Bill Kenny of DDI for his help with this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer,
or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.


Appendix: Detailed DIR II Information

The DOS directory structure contains the following entries: filename,
extension, attribute, time, date, cluster, filesize, and an unused
area; the cluster entry is the pointer to where the actual file exists
on the disk. Dir II infects the directory structure by scrambling the
original cluster entry and storing it in part of the unused area, then
placing a pointer to the viral code in the cluster entry. Thus when a
program is executed, the computer executes the viral code, the virus
decrypts the original cluster entry, then the virus allows the
original program to proceed.

Upon initial infection, the virus links itself into the device driver
chain, copies itself to the last cluster (or last two clusters, if
the cluster size is less than 1024 bytes) on the disk, and infects the
directory entries of all .EXE and .COM files residing in the current
directory and in all directories defined in the PATH. The virus infects
every file with an .EXE or .COM extension whether or not it is actually
executable, EXCEPT files smaller than 2K, files larger than 256K, and
files with the System, Volume, or Directory attribute set. It therefore
does not infect the two hidden system files, but it DOES infect
command.com.
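The directory-entry layout and infection rules above, together with the CHKDSK cross-link symptom in Detection method 1, can be turned into an offline check of a raw directory region. The following is an added example, not part of the CIAC bulletin: it parses standard 32-byte FAT directory entries, applies the same attribute exclusions the virus uses, and flags .EXE/.COM entries that share a start cluster with another executable or that point at the disk's last cluster (the `last_cluster` value and the sample directory are constructed for the example).

```python
import struct
from collections import defaultdict
# 32-byte FAT directory entry: name, ext, attr, reserved (the bulletin's "unused
# area"), time, date, start cluster, size. Dir II repoints the start cluster at
# its own code and hides the scrambled original in the reserved bytes.
ENTRY = struct.Struct("<8s3sB10sHHHI")
ATTR_SYSTEM, ATTR_VOLUME, ATTR_DIR, ATTR_ARCHIVE = 0x04, 0x08, 0x10, 0x20

def make_entry(name, ext, cluster, size, attr=ATTR_ARCHIVE):
    """Pack one entry; used here only to build constructed sample data."""
    return ENTRY.pack(name.ljust(8).encode("latin-1"), ext.ljust(3).encode("latin-1"),
                      attr, b"\0" * 10, 0, 0, cluster, size)

def parse_directory(blob):
    """Yield the in-use entries of a raw directory region as dicts."""
    for off in range(0, len(blob) - len(blob) % ENTRY.size, ENTRY.size):
        name, ext, attr, _res, _t, _d, cluster, size = ENTRY.unpack_from(blob, off)
        if name[0] in (0x00, 0xE5):  # 0x00 never used, 0xE5 deleted (still infected!)
            continue
        full = name.decode("latin-1").rstrip() + "." + ext.decode("latin-1").rstrip()
        yield {"name": full, "attr": attr, "cluster": cluster, "size": size}

def find_dir2_indicators(blob, last_cluster):
    """Return .EXE/.COM names whose start cluster is shared with another executable
    (what CHKDSK reports as cross-linked from a clean boot) or equals the disk's
    last cluster, where Dir II parks its 1K body."""
    by_cluster = defaultdict(list)
    for e in parse_directory(blob):
        if e["attr"] & (ATTR_SYSTEM | ATTR_VOLUME | ATTR_DIR):
            continue  # the virus skips these attributes, so the check does too
        if e["name"].upper().endswith((".EXE", ".COM")):
            by_cluster[e["cluster"]].append(e["name"])
    suspects = set()
    for cluster, names in by_cluster.items():
        if len(names) > 1 or cluster == last_cluster:
            suspects.update(names)
    return sorted(suspects)

# Constructed sample: two executables repointed at the last cluster (999), one
# clean executable, a hidden system file, a text file and a deleted slot.
LAST_CLUSTER = 999
SAMPLE_DIR = b"".join([
    make_entry("IO", "SYS", 2, 40000, attr=ATTR_SYSTEM | 0x02),
    make_entry("CLEAN", "COM", 5, 3000),
    make_entry("EDIT", "COM", LAST_CLUSTER, 41000),
    make_entry("FORMAT", "EXE", LAST_CLUSTER, 33000),
    make_entry("README", "TXT", 7, 700),
    make_entry("\xe5LD", "EXE", LAST_CLUSTER, 9000),
])
```

The last-cluster test is what lets the check flag a single infected executable, which the CHKDSK cross-link symptom alone cannot (see "Other Facts" below); run it only from a clean boot, since with the virus resident the stealth code hides the repointed entries.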

Following the supplied eradication steps will simply remove all "live"
pointers to the viral code. After eradication you may wish to use a
direct disk access utility (such as Norton Utilities) to directly
access the viral code existing on the last cluster on the disk and
overwrite it with blanks. Another recommended final clean-up entails
running a disk optimizer program that will clean out all unnecessary
deleted files. It is important to remember that this virus has
infected all .COM and .EXE files, even if they are tagged as deleted.
Therefore if an undelete utility is used on these files, the virus can
resurface.

Other Facts About Dir II

- Using CHKDSK to detect this virus from a clean boot will only work
if there is more than one infected executable on a disk.

- Dir II does not infect partitions that are accessed through a
loadable device driver.

- Due to the stealth characteristics of Dir II, while the virus is
memory-resident all file accesses, backups, deletes, copies, etc. are
accomplished with no discernible problems. Also, errors resulting
from execution of Dir II (such as an attempt to infect a
write-protected diskette) are suppressed by the virus.

- The first execution of a file causes the virus to become memory
resident. Before it is resident, if a file is copied from an
infected disk to an uninfected disk all that will copy will be a 1K
length file containing the virus. After eradication procedures this
copied file will still be a copy of the virus. Such files can be a
very good clue to track where the virus originated.

- If the virus is not active in memory, interaction with infected
files produces unusual results. Copying an infected file will copy
a file only 1K long (the virus itself). Deleting a file will mark
it as deleted, but does not affect the virus.

- With the virus active in memory, formatting a disk will produce the
virus in the last cluster.

- Because this virus uses a new type of attack scheme, versions of
most anti-viral utilities released prior to October 1991 will not
detect it and cannot clean it. Since Dir II associates itself with
the device drivers, programs which detect unauthorized requests to
become memory resident do not detect this virus.

- This virus is not compatible with all non-IBM MS-DOS machine ROMs
and will crash some hard disk systems immediately upon initial
infection.