Gyorgy is a resident file virus that infects files via load/exec.
The beginning of the virus code contains several jump commands,
which are patched on run-time. This is probably done in order
to confuse disassemblers.
During installation, Gyorgy checks the byte at memory location
0000:0200h. If the value is 08h, the virus concludes that it is already
resident.
The virus installs itself at the top of the current free memory block in
a 1 kB slot using DOS memory allocation functions. Virus size is 747
bytes, and it installs itself at offset 100h in the allocated block.
Reserved DOS function 55h and the PSP memory pointers are also used in
the installation process. An INT 21h handler is set up and if the date
is from June to December of 1990, an INT 08h handler is also set up. DOS
calls are used to get/set the interrupt vectors. Virus goes resident by
int 27h (TSR). There is a flag set during infection which determines the
method by which exit is made into the host program.
The INT 21h handler intercepts the load/exec function to infect files.
If the given filename matches "*.E*" the file is treated as an EXE file,
otherwise it is treated as a COM file. COM files must be at least 1000h
bytes and smaller than 0FB2Fh bytes for infection. The infection
signature for COM files is 0E9h at offset 0 and 'K' at offset 3 of the
file. Infection signature for EXE files is 4F4Bh at offset 12h of the
file (checksum word in EXE header). Virus code is appended to the host
without any padding. A dummy critical error handler is installed during
infection to suppress error messages, and the file attribute is cleared
and restored afterwards. File date/time is also preserved.
The INT 08h handler (which is only installed June-December 1990) counts
to 65536 and then patches a word in the virus installation code (this
might be a bug; it would cause subsequent generations to crash during
installation) and toggles the video enable bit in the video controller
10 times with a software delay loop in between toggles.
At the end of the file is the text 'I LOVE GY"RGYI!'.
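
The infection markers described above can be combined into a simple file check. The following is an added example, not code from the original description: the function names are hypothetical, the sample images are constructed filler with no virus code, the word 4F4Bh is assumed to be stored little-endian, and one byte of the trailing text is matched as a wildcard because that character is uncertain.

```python
import re
import struct

VIRUS_LEN = 747                     # virus size given in the description
COM_MIN, COM_MAX = 0x1000, 0xFB2F   # host COM must satisfy MIN <= size < MAX
EXE_MARK = 0x4F4B                   # word at 12h, assumed little-endian
# One byte is left open: the character between "GY" and "RGYI" is uncertain.
TAIL_TEXT = re.compile(rb"I LOVE GY.RGYI!", re.DOTALL)


def treated_as_exe(path: str) -> bool:
    """Mirror the described "*.E*" rule: extension starting with E means EXE."""
    name = re.split(r"[\\/]", path)[-1]
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext[:1].upper() == "E"


def check_markers(path: str, data: bytes) -> dict:
    """Report which of the described infection traits a file image shows."""
    host_len = len(data) - VIRUS_LEN            # body is appended, no padding
    if treated_as_exe(path):
        kind = "EXE"
        marker = (len(data) >= 0x14
                  and struct.unpack_from("<H", data, 0x12)[0] == EXE_MARK)
        size_ok = host_len > 0
    else:
        kind = "COM"
        marker = len(data) >= 4 and data[0] == 0xE9 and data[3] == ord("K")
        size_ok = COM_MIN <= host_len < COM_MAX
    text = TAIL_TEXT.search(data[-VIRUS_LEN:]) is not None
    return {"kind": kind, "marker": marker, "size_ok": size_ok,
            "text": text, "suspect": marker and size_ok and text}


def constructed_sample(kind: str, marked: bool = True) -> bytes:
    """Build an inert, constructed file image (filler bytes, no virus code)."""
    host = bytearray(0x1000)
    if kind == "EXE":
        host[0:2] = b"MZ"
        if marked:
            struct.pack_into("<H", host, 0x12, EXE_MARK)
    else:
        host[0] = 0xE9
        if marked:
            host[3] = ord("K")
    text = b'I LOVE GY"RGYI!'
    tail = bytes(VIRUS_LEN - len(text)) + text if marked else b""
    return bytes(host) + tail
```

The COM marker alone is weak, since 0E9h is an ordinary near-jump opcode at the start of many COM files, which is why the check also requires the size window and the trailing text.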