New Computer Virus Attacks Everything in Path

Polymorphic "Dir.Byway" takes control of file system from DOS

BURLINGTON, MASS., Aug. 7, 1995 -- A new computer virus takes control of
disk operations from MS/PC-DOS.

"Dir.Byway" is a super-fast, polymorphic infector attacking desktop,
notebook and network computer users worldwide, according to the
industry-leading anti-virus research team at S&S Software International
Inc., maker of DR. SOLOMON'S ANTI-VIRUS TOOLKIT.

As a polymorphic virus, Dir.Byway mutates with each attack, making it
extremely hard to identify and kill. The virus operates as if it is a TSR
(terminate and stay resident) program. It infects .COM and .EXE files when
the home directory of an executable file is accessed.

Infections are not confined to the default home directory. Instead, the
virus infects all executables in all directories in a search path.

Also, the access does not need to launch an application; any kind of access
-- a simple directory listing, for example -- triggers the virus.

For example, if the user types "wim" instead of "win" -- the command used
to launch Microsoft Windows -- DOS searches all directories listed in the
path statement of the Autoexec.bat file, looking for wim.com, wim.exe and
wim.bat, infecting all executables in all directories along the search
path.

This ability to infect everything in its path makes Dir.Byway a
"super-fast" infector.

Unlike many computer viruses, Dir.Byway does not add its code to infected
files. Rather, it creates a file called "CHKLIST.MS" in the root directory
and cross-links all infected executable files to it. This replaces the
normal DOS directory entries, making CHKLIST.MS the start cluster for every
infected file.

If the user deletes the CHKLIST.MS file, it reappears when any infected
file is executed.

If the user boots from a clean DOS disk and runs CHKDSK, the computer
reports a large number of cross linked files. If booted from a hard disk,
the computer reports no errors. A listing of the root directory using the
DIR command, or DIR /ahs, shows the CHKLIST.MS file.
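The cross-linking described above is what a clean-boot CHKDSK sees: several directory entries claiming the same start cluster. The following is an added example, not code from the press release or from S&S; it models a FAT-style directory table as constructed sample data and reports which entries share a start cluster and which executables have been redirected to CHKLIST.MS.

```python
# Added example (not from the original release): a minimal model of what a
# clean-boot CHKDSK flags once Dir.Byway has pointed every infected
# executable's directory entry at the start cluster of CHKLIST.MS.
# The directory table below is constructed sample data; real FAT entries
# carry more fields (attributes, size, timestamps) than modelled here.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DirEntry:
    path: str           # full DOS path of the file
    start_cluster: int  # first cluster of the file's FAT chain


def find_cross_links(entries):
    """Return {start_cluster: [paths]} for clusters claimed by 2+ entries.

    On a healthy volume every file owns its own chain head, so any cluster
    that starts two or more entries is cross-linked. This is the condition
    CHKDSK reports from a clean boot disk; with the virus resident, the
    release says no errors are reported.
    """
    owners = defaultdict(list)
    for e in entries:
        owners[e.start_cluster].append(e.path)
    return {c: sorted(p) for c, p in owners.items() if len(p) > 1}


def infected_executables(entries, marker="\\CHKLIST.MS"):
    """List .COM/.EXE entries that share the marker file's start cluster."""
    marker_clusters = {e.start_cluster for e in entries
                       if e.path.upper() == marker}
    return sorted(e.path for e in entries
                  if e.start_cluster in marker_clusters
                  and e.path.upper() != marker
                  and e.path.upper().endswith((".COM", ".EXE")))


# Constructed sample: CHKLIST.MS sits at cluster 2; WIN.COM and EDIT.EXE
# have been redirected to it, while COMMAND.COM and README.TXT are intact.
SAMPLE_ROOT = [
    DirEntry("\\CHKLIST.MS", 2),
    DirEntry("\\COMMAND.COM", 5),
    DirEntry("\\WINDOWS\\WIN.COM", 2),
    DirEntry("\\DOS\\EDIT.EXE", 2),
    DirEntry("\\README.TXT", 9),
]

if __name__ == "__main__":
    for cluster, paths in find_cross_links(SAMPLE_ROOT).items():
        print(f"cluster {cluster} cross-linked by: {', '.join(paths)}")
    print("redirected executables:", infected_executables(SAMPLE_ROOT))
```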

Triggers

The virus triggers if the current DOS date is set to the year 1996 or
later, and the day of the month equals twice the month number plus two --
for example, 01-04-96, 02-06-96, and 12-26-96.

When triggered, the virus displays a text string every three hours, on
hours that are a multiple of three -- for example, 09:00, 12:00 and
15:00:

TRABAJEMOS TODOS POR VENEZUELA!!!

Literally translated, this means, "we are all working for Venezuela."

On multimedia systems, the text string is accompanied by a tune that
resembles Venezuela's state anthem.

Origins

Dir.Byway is named after the second of two encrypted messages contained in
the virus: "The-Hndv" and "<by:WaiChan,Aug94,UCV>."

The virus is also partly named after "DIR II," an older memory-resident
virus that similarly attacks by patching directory entries whenever
executables are accessed. DIR II propagated worldwide, but is seen less
frequently because it is not compatible with DOS 6.

Dmitry Gryaznov, a member of the S&S research team, believes the virus text
may be a jest. While it suggests Venezuela as the origin, the author
signed off as By Wai Chan, which suggests a Chinese origin.

The "hit squad" at S&S collected its first samples of the virus in late
July from sites in the United Kingdom and the United States, and warns
that the virus threatens computer users worldwide.

About S&S

The research team at S&S encounters 150-200 new viruses a month. It
provides 24-to-48-hour virus identification and, when possible, repair.

DR. SOLOMON'S ANTI-VIRUS TOOLKIT is the leading European anti-virus
software, with nearly 3 million users worldwide.

The Toolkit detects and kills more than 6,700 computer viruses, including
the most complex encrypted and polymorphic viruses.

New versions of the Toolkit for DOS, Windows, OS/2 and NetWare will ship in
late summer. S&S also plans Fall 1995 introductions of TOOLKITS for
Macintosh, SCO UNIX, Windows 95, Windows NT Server and Windows NT
Workstation.

S&S Software opened offices in April near Boston and Los Angeles to sell
and support its anti-virus and security software in the U.S. The company
is a subsidiary of S&S International PLC, based in the United Kingdom. 

S&S Software International Inc
17 New England Executive Park
Burlington, MA 01803
617-273-7400,  fax 617-273-7474
CompuServe: Go Drsolomons
Internet: Support@sands.com
Tech Support: 800-595-9175
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
