| Alias: | Creeping Death |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | File-system infector, resident |
| Length: | 61 paragraph(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | |
| Computer model(s): | PC's |
| Caroname: | Dir_II |
Attributes | |
| Easy identification: | |
| Type of Infection: | Directory (file-system) infection, not a boot-sector infection: program files themselves are never modified. A single copy of the virus is stored in a cluster marked bad in the FAT, and the directory entries of COM and EXE files are redirected to it. Self-recognition in memory: none. Self-recognition on disk: if a directory entry has already been modified by the infector, the file has already been hit. |
| Infection Technique: | |
| Infection Trigger: | Driver call. The virus intercepts device-driver calls and inspects the I/O buffer for what appear to be directory entries. Anything that looks like the directory entry of a plain file with extension COM or EXE has the FirstCluster field of its entry adjusted to point to the (single) instance of the viral code on disk. The original FirstCluster value is encrypted and stored in an unused portion of the directory entry for use by the stealther. |
| Storage Media affected: | |
| Interrupts hooked: | None; the virus intercepts device-driver calls instead (see Infection Trigger). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: None Permanent: None |
| Damage Trigger: | Transient: n/a Permanent: n/a |
| Particularities: | Memory residency: shrinks the current MCB and creates a new MCB in the released space, copying the original MCB marker. Displayed text: none. Not displayed text: none. Recovery of infected files is possible with a very neat trick: with the virus resident, rename *.EXE to *.EEE and *.COM to *.CCC. The stealther restores the original directory entry when the entry is read; when the entry is rewritten to implement the name change, the infector ignores it because the name ends in neither COM nor EXE. Having done this, boot clean and rename *.EEE and *.CCC back to their rightful names. One warning: the virus writes its own code to the last non-bad cluster of the drive, and any data stored there before is gone forever. In the (unlikely) event that a restored program file originally started in that cluster, the restored program will contain the viral code, overwritten at the start of the file. In other words, that file is permanently infected and must be deleted. |
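The following is an added simulation, not part of the original catalogue entry and not the virus code, that models the three mechanisms described above on 32-byte FAT directory entries: the infector redirecting COM/EXE entries to the single viral cluster on write, the stealther restoring them on read, and the rename-based recovery trick. The 32-byte entry layout (FirstCluster at bytes 26-27) and the 0xFF7 FAT12 bad-cluster marker are real; the XOR key, the use of the reserved bytes 12-21 to stash the original FirstCluster, the cluster numbers and the file names are constructed assumptions.

```python
"""Constructed model of Dir_II-style directory-entry infection and recovery.
Assumptions (not from the catalogue entry): XOR encryption of the stashed
FirstCluster, stash location at reserved bytes 12-21, all cluster numbers."""
import struct

BAD_CLUSTER = 0xFF7        # FAT12 "bad cluster" marker (real)
VIRUS_CLUSTER = 0x0FE      # assumed: last usable cluster, holds the viral code
XOR_KEY = 0x5A5A           # assumed: the entry only says "encrypted"
TARGET_EXTS = (b"COM", b"EXE")


def make_entry(name, ext, first_cluster, size):
    """Build a 32-byte FAT directory entry: name(8) ext(3) attr(1) reserved(10)
    time/date(4) FirstCluster(2, LE) size(4, LE)."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20])
            + bytes(10) + bytes(4)
            + struct.pack("<H", first_cluster) + struct.pack("<I", size))


def first_cluster(entry):
    return struct.unpack_from("<H", entry, 26)[0]


def extension(entry):
    return entry[8:11]


def infect_on_write(entry):
    """Infector hook on a directory-sector write: redirect plain COM/EXE entries
    to the viral cluster, stashing the original FirstCluster (encrypted)."""
    if extension(entry) not in TARGET_EXTS:
        return entry
    if first_cluster(entry) == VIRUS_CLUSTER:
        return entry  # self-recognition on disk: entry already modified
    stashed = struct.pack("<H", first_cluster(entry) ^ XOR_KEY)
    return (entry[:12] + stashed + entry[14:26]
            + struct.pack("<H", VIRUS_CLUSTER) + entry[28:])


def stealth_on_read(entry):
    """Stealther hook on a directory-sector read: present the original entry."""
    if first_cluster(entry) != VIRUS_CLUSTER:
        return entry
    orig = struct.unpack_from("<H", entry, 12)[0] ^ XOR_KEY
    return entry[:12] + bytes(2) + entry[14:26] + struct.pack("<H", orig) + entry[28:]


def rename_resident(entry, new_ext):
    """REN with the virus resident: the entry is read through the stealther,
    the extension changed, and written back through the infector, which now
    ignores it because the name no longer ends in COM or EXE."""
    seen = stealth_on_read(entry)
    renamed = seen[:8] + new_ext.ljust(3).encode() + seen[11:]
    return infect_on_write(renamed)


def rename_clean(entry, new_ext):
    """REN after a clean boot: no hooks in the way."""
    return entry[:8] + new_ext.ljust(3).encode() + entry[11:]


def recover(entries):
    """The recovery trick: rename away from COM/EXE while resident, boot clean,
    rename back."""
    away = {b"EXE": "EEE", b"COM": "CCC"}
    back = {b"EEE": "EXE", b"CCC": "COM"}
    step1 = [rename_resident(e, away[extension(e)]) if extension(e) in away else e
             for e in entries]
    return [rename_clean(e, back[extension(e)]) if extension(e) in back else e
            for e in step1]


def still_pointing_at_virus(entries):
    """After recovery, any entry whose FirstCluster is the viral cluster is either
    one the trick missed or a file that genuinely started in that cluster; the
    catalogue entry says such a file is permanently infected and must be deleted."""
    return [e[:8].decode().strip() for e in entries
            if first_cluster(e) == VIRUS_CLUSTER]


if __name__ == "__main__":
    # Constructed sample directory: two programs and one data file.
    disk = [make_entry("PROG", "EXE", 0x10, 1000),
            make_entry("TOOL", "COM", 0x20, 500),
            make_entry("DATA", "TXT", 0x30, 100)]
    hit = [infect_on_write(e) for e in disk]
    print("on disk:", [hex(first_cluster(e)) for e in hit])
    print("as seen resident:", [hex(first_cluster(stealth_on_read(e))) for e in hit])
    fixed = recover(hit)
    print("after recovery:", [hex(first_cluster(e)) for e in fixed],
          "unrecoverable:", still_pointing_at_virus(fixed))
```

Note that every infected entry on disk carries the same FirstCluster, the single viral cluster, so with the virus not resident all COM and EXE files appear cross-linked; that shared cluster is the simplest thing to count when checking a disk.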
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg