58 Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
Description
This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.
58 Can I contract a virus on my PC by performing a "DIR" of an infected floppy disk?
Assuming the PC you are using is virus free before you perform the DIR
command, then the answer is "No".
When you perform a DIR, the contents of the boot sector of the diskette
are loaded into a buffer for use in determining disk layout etc, and
certain antivirus products will scan these buffers. If a boot sector
virus has infected your diskette, the virus code will be contained in
the buffer, which may cause some antivirus packages to produce a message
like "xyz virus found in memory...". In fact, the virus is not a threat
at this point since control of the CPU is never passed to the virus code
residing in the buffer. Even though the virus is really not a threat at
this point, this message should not be ignored. If you get a message
like this, and then reboot from a clean DOS diskette (see G8) and scan
your hard-drive and find no virus, then you know that the false positive
was caused by an infected boot-sector loaded into a buffer, and the
diskette should be disinfected before use. The use of DIR will not
infect a clean system, even if the diskette it is being performed on
does contain a virus (see C8 also). Please note, however, that running
DIR on a diskette can result in the infection of a clean diskette if the
PC is already infected.
Despite our categorical "No" answer above, there is a small risk that a
virus infection could be transferred from a floppy through a DIR
listing. If you use an ANSI console driver that allows key remapping,
it is possible that a specially prepared diskette could reprogram your
keyboard so that pressing a particular key caused an infected program on
the diskette to run the next time the reprogrammed key was pressed. The
risk of such an attack is very low and can easily be negated following
the general advice for preventing ANSI bombs (see B14).
Mac users with system software prior to version 7.0 should be aware of a
greater threat in their environment. Various system resources (which
can contain executable code) are loaded from the automatic access to a
diskette that is part of the system building its desktop view of the
diskette's contents. When such a resource is required, the most
recently loaded one will be used. Thus, if a diskette with a virus-
infected resource in the Desktop file is in your Mac's drive, and an
uninfected copy of that resource has not subsequently loaded from
elsewhere, the next time that resource is required the infected copy
will be executed, along with the virus. This kind of attack was removed
with the introduction of version 7.0 (and later) of the system software,
which handles such things quite differently. A common Mac virus, WDEF,
uses this infection path, as do a few others.
Early versions of AmigaDOS are susceptible to a threat similar to the
Mac WDEF virus--on inserting a diskette into the drive, the operating
system runs the Disk Validator from the diskette. At least one Amiga
virus, Saddam, attaches itself to Disk Validator to help it spread.
Version 2.0 of AmigaDOS eliminated the threat of this type of attack by
removing the need for the Disk Validator.
Continue to:
My Books
