Content
Dir Virus
- Type
- Virus
- SubType
- File Infector
- Discovery Date
- 01/01/1991
- Length
- 691 Bytes
- Minimum DAT
- 4002 (12/02/1998)
- Updated DAT
- 4002 (12/02/1998)
- Minimum Engine
- 5.1.00
- Description Added
- 01/15/1991
- Description Modified
- 01/15/1991 12:00 AM (PT)
Tab Navigation
Characteristics
Dir is a stealth, memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.
Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 1,008 bytes. Interrupt 21 is hooked by the virus. COMMAND.COM is infected at this time.
Once the Dir Virus is memory resident, it only infects .COM files when a DOS DIR command is performed. It does not infect files on execution, or when .COM files are opened. When a DIR command is performed, the first uninfected .COM file that is found in the directory becomes infected.
Additional Comments:
The Dir Virus was submitted in January, 1991. It originated in the
USSR. The Dir Virus is a memory resident infector of .COM programs,
including COMMAND.COM.
The first time a program infected with the Dir Virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,008 bytes. Interrupt 21 will be hooked by the virus. If
COMMAND.COM is not already infected, it will become infected at this
time.
After the Dir Virus is memory resident, it will only infect .COM
programs when a DOS DIR command is performed. It does not infect
programs on execution, or when .COM files are opened. When a DIR
command is performed, the first uninfected .COM program that is
found in the directory will become infected. When the virus infects
a .COM file, there will be a pause in the output of the DIR command
while the program is being infected, then the output will continue.
Infected programs will increase in size by 691 bytes, though the
file length increase cannot be seen when a directory command is
performed if the virus is memory resident. The virus will be
located at the end of infected programs. Infected programs will not
have their date and time altered by the virus.
Systems infected with the Dir Virus will receive file allocation
errors when the DOS CHKDSK program is executed on a drive containing
infected programs. If the virus is not memory resident, these
errors will not be found. Execution of the DOS CHKDSK program with
the /F option when the virus is memory resident will result in
corruption of the infected programs.
This virus does not appear to contain any activation mechanism.
Symptoms
Systems infected with the Dir Virus receive file allocation errors when the DOS CHKDSK program is executed on a drive containing infected files. If the virus is not memory resident, these errors are not found. Execution of the DOS CHKDSK program with the /F option when the virus is memory resident results in corruption of the infected files.
When the virus infects a .COM file, there is a pause in the output of the DIR command while the file is being infected, then the output continues.
Infected files increase in size by 691 bytes. The file length increase cannot be seen when a directory command is performed if the virus is memory resident (Stealth technique). The virus is located at the end of infected files. Infected files do not have their date and time altered by the virus.
Method of Infection
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
Removal
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates :
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .
It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- 691
Characteristics
Characteristics -
Dir is a stealth, memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.
Upon infection, the virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 1,008 bytes. Interrupt 21 is hooked by the virus. COMMAND.COM is infected at this time.
Once the Dir Virus is memory resident, it only infects .COM files when a DOS DIR command is performed. It does not infect files on execution, or when .COM files are opened. When a DIR command is performed, the first uninfected .COM file that is found in the directory becomes infected.
Additional Comments:
The Dir Virus was submitted in January, 1991. It originated in the
USSR. The Dir Virus is a memory resident infector of .COM programs,
including COMMAND.COM.
The first time a program infected with the Dir Virus is executed,
the virus will install itself memory resident as a low system memory
TSR of 1,008 bytes. Interrupt 21 will be hooked by the virus. If
COMMAND.COM is not already infected, it will become infected at this
time.
After the Dir Virus is memory resident, it will only infect .COM
programs when a DOS DIR command is performed. It does not infect
programs on execution, or when .COM files are opened. When a DIR
command is performed, the first uninfected .COM program that is
found in the directory will become infected. When the virus infects
a .COM file, there will be a pause in the output of the DIR command
while the program is being infected, then the output will continue.
Infected programs will increase in size by 691 bytes, though the
file length increase cannot be seen when a directory command is
performed if the virus is memory resident. The virus will be
located at the end of infected programs. Infected programs will not
have their date and time altered by the virus.
Systems infected with the Dir Virus will receive file allocation
errors when the DOS CHKDSK program is executed on a drive containing
infected programs. If the virus is not memory resident, these
errors will not be found. Execution of the DOS CHKDSK program with
the /F option when the virus is memory resident will result in
corruption of the infected programs.
This virus does not appear to contain any activation mechanism.
Symptoms
Symptoms -
Systems infected with the Dir Virus receive file allocation errors when the DOS CHKDSK program is executed on a drive containing infected files. If the virus is not memory resident, these errors are not found. Execution of the DOS CHKDSK program with the /F option when the virus is memory resident results in corruption of the infected files.
When the virus infects a .COM file, there is a pause in the output of the DIR command while the file is being infected, then the output continues.
Infected files increase in size by 691 bytes. The file length increase cannot be seen when a directory command is performed if the virus is memory resident (Stealth technique). The virus is located at the end of infected files. Infected files do not have their date and time altered by the virus.
Method of Infection
Method of Infection -
The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.
Removal -
Removal -
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates :
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .
It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.
Variants
Variants -
N/A
