[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Dir.Byway Virus (NewsClip)

Is this legit?


New Computer Virus Attacks "Everything"

Burlington, Mass. Aug. 7 -- A new, hazardous computer virus is
spreading, that takes control of disk operations from
Microsoft MS-DOS or IBM PC-DOS based systems, the anti-virus
research team at S&S Software International is reporting. The
virus, dubbed "Dir.Byway," is described as a super-fast,
polymorphic infector affecting desktops, notebooks, and even 
computer networks.

Pat Bitton, S&S Software vice president of marketing, told
Newsbytes the virus is a very "dangerous" one. Because it is
polymorphic, it mutates with each attack, making it extremely
hard to diagnose and kill. The virus operates as if it is a
TSR (terminate and stay resident) program, infecting .COM and
.EXE files when the home directory of an executable file is
accessed, officials said.

Infections are not confined to the default home directory
either, but infects all executables in all directories of a
search path. In addition, the access does not need to launch
an application. Any kind of access triggers the virus, like
looking at a simple directory listing.

This ability to infect everything in its path makes Dir.Byway
a "super-fast" infector, officials added.

The virus creates a file called "CHKLIST . MS" (without
quotes, but with spaces surrounding the period) in the root
directory, and cross links all infected executable files,
David Emm, customer service manager, told Newsbytes. This then
replaces the normal DOS directory entries, making "CHKLIST .
MS" the start-cluster for every infected file.

If the user deletes the file, it reappears when any infected
file is executed. Also, if the user boots from a clean DOS
disk and runs "CHKDSK," the computer will report a large
number of cross-linked files. If the user boots from the
infected hard drive, the computer will report no errors. A
listing of the root directory using the command "dir/ahs"
(without quotes) will show the "CHKLIST . MS" file.

Dir.Byway triggers if the current DOS date is set to the year
1996 or above, and the day of the month is equal to the
month's number multiplied by two and two is added, like in
01-14-96 or 12-26-96. When triggered, the virus displays a
string of text every three hours, on hours that are a multiple
of three in military time -- for example, 09:00, 12:00, and
18:00. The text says: "Trabajeoms Todos Por Venezuela." S&S
officials said this translates to "We are all working for
Venezuela." On multimedia systems, this is accompanied by a
song that resembles the country's national anthem.

Emm said he is more worried about the spread of the virus for
now than the triggering of it, because it is so dangerous. He
told Newsbytes the virus has been detected in the United
Kingdom and the United States.

Bitton said the company's "Dr. Solomon's Anti-Virus Toolkit"
will remove the virus from infected computers. New versions of
the Toolkit for DOS, Windows, OS/2, and NetWare are slated to
ship in late summer. S&S also plans Fall 1995 introductions of
Toolkits for Macintosh, SCO Unix, Windows 95, and Windows NT
server and workstations.