Cluster Viruses

Cluster viruses change the directory so that when you try to run a program you first run the virus.

There is a type of virus known as a "cluster" virus that infects your files not by changing the file or planting extra files but by changing the DOS directory information so that directory entries point to the virus code instead of the actual program. When you run a program, DOS first loads and executes the virus code; the virus then locates the actual program and executes it. Dir-2 is an example of this type of virus.

The interesting thing about this type of virus is that even though every program on the disk may be infected, because only the directory pointers are changed there is only one copy of the virus on the disk.

One can also usually classify this type of virus as a fast infector. On any file access, the entire current directory will be infected and, if the DOS path must be searched, all directories on the path will typically be infected as well.

This type of virus can cause serious problems if you don't know it's there. While the virus is in memory, it controls access to the directory structure on the disk. If you boot from a clean floppy disk, however, and then run a utility such as CHKDSK, the utility will report serious problems with cross-linked files on your disk. Most such utilities will offer to correct the problem, and users, not knowing any better, often accept the offer. Unfortunately, in the case of this virus type, if you accept the offer you will end up with all your executable files the same length, and each one will be the virus code. Your original programs will be lost.

These viruses often use stealth techniques to hide their presence. If you attempt to read the file, the virus will intercept the request and return your original uninfected program to you.

This can sometimes be used to your advantage. If you have a stealth cluster virus (such as Dir-2), you can copy your program files (*.EXE and *.COM files) to files with other extensions and allow the virus to automatically disinfect them! If you "COPY *.COM *.CON" and "COPY *.EXE *.EXX", and then cold boot your PC from a known good copy of DOS and "REN *.CON *.COM" and "REN *.EXX *.EXE", this will effectively disinfect the renamed files. Note: This information is presented as an example of a technique that might be used in an emergency when no anti-virus software is available. It's always best to use anti-virus software to clear a virus infection.
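The following toy model, added here as an illustration and not code from the original page or from Dir-2 itself, shows why the symptoms described above follow from the mechanism: a directory of file names mapped to starting clusters, a FAT-style chain table, and one copy of the "virus" in a single cluster. Redirecting every executable's directory entry to that cluster produces exactly the cross-linked files a CHKDSK-style check reports after a clean boot, a naive cross-link repair leaves every executable as an identical copy of the virus cluster, and copying a program to a non-executable name while the stealth behaviour is active yields a clean copy. The file names, cluster numbers, and the hidden_starts table (the real virus keeps the original starting clusters elsewhere; where exactly is not modelled here) are constructed for the example.

```python
"""Toy FAT-style volume illustrating cluster (directory-redirecting) viruses.
Constructed model for explanation only: not real DOS on-disk structures."""

from dataclasses import dataclass, field


@dataclass
class Volume:
    clusters: dict            # cluster number -> bytes stored in that cluster
    fat: dict                 # cluster number -> next cluster, or None at chain end
    directory: dict           # file name -> starting cluster
    # Where this toy stores the real starting clusters after redirection.
    # (Assumption for the model; the actual virus keeps them in the directory
    # entry in a way not reproduced here.)
    hidden_starts: dict = field(default_factory=dict)


def chain(vol, start):
    """Follow the FAT from a starting cluster; stops on loops."""
    seen = []
    c = start
    while c is not None and c not in seen:
        seen.append(c)
        c = vol.fat[c]
    return seen


def read_file(vol, name):
    """What a clean-booted system reads for a file: follow the directory pointer."""
    return b"".join(vol.clusters[c] for c in chain(vol, vol.directory[name]))


def make_volume():
    """Constructed sample volume: two programs plus one cluster holding 'virus' code."""
    return Volume(
        clusters={1: b"PROG1-A", 2: b"PROG1-B", 3: b"PROG2-A", 9: b"VIRUS"},
        fat={1: 2, 2: None, 3: None, 9: None},
        directory={"EDIT.COM": 1, "GAME.EXE": 3},
    )


def infect_directory(vol, virus_cluster=9):
    """Model the infection: only directory pointers change, one virus copy on disk."""
    for name, start in list(vol.directory.items()):
        if name.upper().endswith((".COM", ".EXE")):
            vol.hidden_starts[name] = start
            vol.directory[name] = virus_cluster


def cross_linked_files(vol):
    """The CHKDSK view after a clean boot: files whose chains share a cluster."""
    owners = {}
    for name, start in vol.directory.items():
        for c in chain(vol, start):
            owners.setdefault(c, set()).add(name)
    shared = set()
    for names in owners.values():
        if len(names) > 1:
            shared |= names
    return sorted(shared)


def chkdsk_fix(vol):
    """Naive cross-link repair: give each cross-linked file its own copy of the
    chain it currently points to. With a cluster virus every such file becomes
    the virus, all the same length; the original program clusters are orphaned."""
    next_free = max(vol.clusters) + 1
    for name in cross_linked_files(vol):
        data = read_file(vol, name)
        vol.clusters[next_free] = data
        vol.fat[next_free] = None
        vol.directory[name] = next_free
        next_free += 1
    return vol


def stealth_copy(vol, name, new_name):
    """With the virus resident, a read of an infected program is served from the
    real starting cluster. Copying to a name the virus does not redirect writes
    the clean bytes to fresh clusters, which survive a later clean boot."""
    real_start = vol.hidden_starts.get(name, vol.directory[name])
    data = b"".join(vol.clusters[c] for c in chain(vol, real_start))
    next_free = max(vol.clusters) + 1
    vol.clusters[next_free] = data
    vol.fat[next_free] = None
    vol.directory[new_name] = next_free
```

Running the functions in the order of the article's narrative (infect, then inspect from a clean boot, then repair) shows the detection signal and the data loss; running stealth_copy before the clean boot and repair shows why the renamed copies keep the original programs.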


A cluster virus changes the directory so the virus is run before any "infected" programs.

If you boot without the virus in memory a DOS utility will report serious problems, but allowing it to fix them will effectively erase any "infected" programs.