Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Dir II

Dir-II is a 3077>stealth virus attacking 3065>COM and EXE type files. This virus coming from Bulgaria introduced a completely new technology of attacking files. It does not alter the file contents at all, but it alters the pointer to the first allocation unit for the given file in the directory item. The directory item does not point at the beginning of the file but at the virus body. When a file modified in this way is executed the virus is activated in memory and ensures that also the infected program is executed. The infection by the virus is super fast, it is enough if a program which is not in the current directory was run. The system searches in directories accessed by means of PATH while the virus infects all items in directories being searched through. The virus exists only in one copy in the computer, and that is located in the last allocation unit of the disk. When the virus is in memory nothing suspicious is seen. When the system is loaded from a “clean” diskette, each attempt to copy a file will fail. The target directory will contain only copy of the virus body. The program CHKDSK indicates “cross linking” of files. If CHKDSK /F is executed a permanent and unrecoverable loss of data will occur. Fortunately, the original virus Dir-II is not functional with DOS 5.0 and higher. Several viruses inspired by Dir-II has appeared, as e.g. the virus Byway.

© 1992-2004 ESET s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.