%%File: VIRS0301.TXT
%%Name/Aliases: Dir II, Dir 2, MG series II, Creeping Death, DRIVER-1024, Cluster, D2, Dir2
%%Platform: PC/MS-DOS
%%Type: Program., Memory resident., Encrypted/Stealth (the virus actively hides).
%%Disk Location: COM application., EXE application., COMMAND.COM.
%%Features: Encrypted, Direct acting.
%%Damage: Encrypts the file directory., Corrupts the file linkages or the FAT., Overwrites sectors on the Hard Disk.
%%Size: Adds 1024 bytes to each file; places the virus code in the last cluster of the infected disk and changes the directory structure so that the cluster pointer of each executable file points to the viral code.
%%See Also:
%%Notes: Cannot infect NetWare volumes; MS-Windows crashes upon infection.
This virus modifies entries in the directory structure, causing the computer to jump to the virus code before execution of the program begins. It also uses stealth techniques to hide its existence in memory.
Initial infection occurs when a file with an infected directory entry is executed. The virus becomes memory resident by appearing to be a disk device driver, and puts a copy of itself in the last cluster marked "good" on the disk. It then infects all .EXE and .COM file directory entries by scrambling the original cluster pointer, placing it in an unused section of the directory entry, and replacing the cluster pointer with a pointer to the virus.
There are 5 variants (11/20/91).
NOTE: This works on MS-DOS ver 3.0 through 5.00.223-beta but does not work on the true 5.0 version, and it has a bug in 3.31. At least one variant works under 5.0.
With the virus not active in memory, CHKDSK reports many cross-linked files and lost file chains, and copied infected files are only 1024 bytes long, or the size of one cluster, usually 1K; backup disks and other full disks can become corrupted when the virus writes to the last cluster. With the virus not active in memory, CHKDSK /F or Norton Disk Doctor will destroy most executable files on the disk.
Detect with: DDI Data Physician V 3.0B, McAfee's CLEAN v84, Microcom's VIRx 1.8, F-PROT 2.01, Dr. Solomon's Anti-virus Toolkit V 5.13, or the manual method described below. These 4 detection steps are independent of each other:
1. Boot from a known clean floppy and run CHKDSK with no parameters. A report of many cross-linked files and lost file chains is an indication of infection.
2. WITH VIRUS ACTIVE IN MEMORY, perform a DIR. Now boot from a known clean floppy and perform a DIR. If the size of executable files changes between the two listings, it is fairly certain the virus is present.
3. With the virus ACTIVE in memory, try to delete a file from a write-protected diskette. If you don't get an error message, it is a sign of infection.
4. Format a new diskette and look at its map with PC Tools. If one cluster of the diskette is allocated (not marked bad) and it is at the end of the diskette, it is probable that the virus is resident and active in memory.
Remove with: DDI Data Physician V 3.0B, McAfee's CLEAN v84, Bontchev's DIR2CLR, or the following 5-step process (anti-viral program versions prior to October 1991 are inadequate to find or eradicate this virus):
1. With DIR II active in memory, use the COPY command (RENAME may also work, but COPY is more definitive) to copy all .EXE and .COM files to files with a different extension. Example: COPY file.EXE file.VXE
2. Reboot the system from a clean, write-protected diskette to ensure the system does NOT have the virus in memory.
3. Delete all files with extensions of .EXE and .COM. This removes all pointers to the virus.
4. Rename all executables to their original names. Example: RENAME file.VXE file.EXE
5. Examine all the executables you have just restored with the DIR command. If any are 1K in length, they are probably a copy of the virus and must be destroyed.
After eradication it may be desirable to run CHKDSK /F or another disk utility to ensure the virus is no longer anywhere on the disk.
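As an added illustration (not part of this record or of any of the tools it names), the following Python parses a constructed FAT root directory and flags .EXE/.COM entries whose start cluster pointers have all been redirected to one cluster, which is the cross-linking that detection step 1 relies on CHKDSK to report. The directory-entry layout is the real FAT one; the cluster number 719 and the file names are constructed sample values.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32            # size of a FAT directory entry
ATTR_DIRECTORY = 0x10
EXEC_EXTS = {"EXE", "COM"}

def make_entry(name, ext, start_cluster, size, attr=0x20):
    """Build one directory entry; used only to construct the sample below."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 26, start_cluster)   # start cluster, uint16 LE
    struct.pack_into("<I", raw, 28, size)            # file size, uint32 LE
    return bytes(raw)

def parse_directory(blob):
    """Yield (name, ext, attr, start_cluster, size) for each in-use entry."""
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:          # 0x00 marks the end of the directory
            break
        if raw[0] == 0xE5:          # 0xE5 marks a deleted entry
            continue
        name = raw[0:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        start, size = struct.unpack_from("<HI", raw, 26)
        yield name, ext, raw[11], start, size

def cross_linked_executables(blob):
    """Map start cluster -> names of the .EXE/.COM entries sharing it (2 or more)."""
    by_cluster = defaultdict(list)
    for name, ext, attr, start, _size in parse_directory(blob):
        if not attr & ATTR_DIRECTORY and ext in EXEC_EXTS:
            by_cluster[start].append(f"{name}.{ext}")
    return {c: f for c, f in by_cluster.items() if len(f) > 1}

def dir2_suspects(blob, last_cluster):
    """Executables all chained onto the volume's last cluster: the Dir II pattern."""
    return cross_linked_executables(blob).get(last_cluster, [])

# Constructed sample: last cluster is 719; COMMAND.COM and PROG.EXE point at it, TOOL.COM is clean.
SAMPLE_LAST_CLUSTER = 719
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 719, 47845),
    make_entry("PROG", "EXE", 719, 20480),
    make_entry("README", "TXT", 5, 1200),
    make_entry("DATA", "", 9, 0, attr=ATTR_DIRECTORY),
    make_entry("TOOL", "COM", 12, 3000),
]) + bytes(ENTRY_SIZE)      # trailing zeroed entry terminates the directory
```

A real check would read the root directory sectors and the volume's total cluster count from the boot sector rather than the constructed blob and constant used here.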