|Creator||"V.P." and "S.K."|
|Place of Origin||Varna, Bulgaria|
|File Type(s)||.com, .exe|
|Infection Length||1,024 bytes|
The Dir-II virus is the first DOS cluster virus. It infects directory entries. In the early 1990's it managed to spread over a significant portion of the globe.
When a file with a Dir-II infected directory entry is executed on a clean system, the virus is installed in memory. When an uninfected disk is accessed, the virus writes itself to the last cluster of the disk. Any data on this cluster will be overwritten. If the disk is a high-density diskette, the virus will store itself on two clusters, as the clusters of these diskettes have only 512 bytes.
Directory entries marked as deleted are infected if they belong to .com or .exe files. If the files they belong to are undeleted, the system will be reinfected. Directory entries of files that are smaller than 2,048 bytes will not be infected. It will also avoid files larger than 4 megabytes.
The virus was prevalent in Bulgaria as well as many of the former Eastern Bloc nations, particularly Poland, Hungary, Yugoslavia and the USSR. It was also reported in Norway and Taiwan.
The virus was created by two high school students in Varna, Bulgaria, known as "V.P." and "S.K.". They had created a few viruses before Dir-II, including Shake, Dir and MG. When asked why, they said, "because it's so interesting!". A citizen of Varna first reported the virus on a FidoNet virus conference, but no one took it seriously at the time.
In spite of the fact that it is not a variant of the original Dir, it was called Dir-II probably because it came from the same author. The creators wanted to call it "Creeping Death", which at least one virus researcher thought was inappropriate, as the virus does not creep (it spread very fast) nor does it bring death (no destructive payload). In the FidoNet message from Varna, the virus was called "MG series II". "Cluster virus" was another proposed name.
Paul Ducklin. University of Hamburg, Virus Research Centre, Dir II.
-. Bulgarian Academy of Sciences, Laboratory of Computer Virology, The Bulgarian and Soviet Virus Factories. 1991