Threat Description

Flash

Details

Aliases: Flash
Category: Malware
Type: Virus
Platform: W32

Summary



Not yet analyzed.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant: Gyorgy747

Origin: Hungary

Gyorgy is a memory-resident file virus that infects programs as they are started through the DOS load/exec function (INT 21h, function 4Bh).

The beginning of the virus code contains several jump instructions that are patched at run time. This is probably done to confuse disassemblers.

During installation, Gyorgy checks the byte at memory location 0000:0200h. If the value is 08h, the virus concludes that it is already resident.

The virus installs itself at the top of the current free memory block in a 1 kB slot obtained through the DOS memory allocation functions. The virus is 747 bytes long and places itself at offset 100h in the allocated block. The reserved DOS function 55h (create child PSP) and the PSP memory pointers are also used during installation. An INT 21h handler is set up, and if the date falls between June and December 1990, an INT 08h handler is set up as well. DOS calls are used to get and set the interrupt vectors. The virus goes resident via INT 27h (terminate and stay resident). A flag set during infection determines how control is later returned to the host program.

The INT 21h handler intercepts the load/exec function to infect files. If the given filename matches "*.E*", the file is treated as an EXE file; otherwise it is treated as a COM file. COM files are infected only if they are at least 1000h bytes and smaller than 0FB2Fh bytes. The infection marker for COM files is 0E9h at offset 0 and 'K' at offset 3 of the file; for EXE files it is 4F4Bh at offset 12h (the checksum word of the EXE header). The virus code is appended to the host without any padding. A dummy critical error handler is installed during infection to suppress error messages; the file attributes are cleared beforehand and restored afterwards, and the file date and time are preserved.
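The infection tests in the paragraph above, as an added example that is not part of this description and not F-Secure's detection code: a small Python checker that applies the same "*.E*" filename rule, the COM size window and the COM/EXE markers to a handful of constructed files. The function names, the helper that builds an EXE header and the sample files are the example's own; the remark about why the COM ceiling sits where it does is an assumption, not something the description states.

```python
"""Static check for the Gyorgy747 infection markers described above.

Added example, not F-Secure's detection code. It re-implements only the
decisions stated in the description: the handler's "*.E*" filename test,
the COM size window, the COM marker (0E9h at offset 0, 'K' at offset 3)
and the EXE marker (4F4Bh in the checksum word at offset 12h). The
sample files below are constructed for the demo, not real samples.
"""
import struct

VIRUS_SIZE = 747          # bytes appended to each host, no padding
COM_MIN_SIZE = 0x1000     # COM hosts below this are left alone
COM_MAX_SIZE = 0xFB2F     # COM hosts must be smaller than this
COM_MARKER_OFFSET = 3     # 'K' right after the 3-byte JMP at offset 0
EXE_MARKER = 0x4F4B       # stored little-endian as 'K','O' in e_csum (0x12)


def treated_as_exe(filename: str) -> bool:
    """The virus's own EXE/COM decision: the name matches "*.E*".

    Only the first letter of the extension matters, so FOO.EX or a COM
    program renamed to X.E would be handled as an EXE as well.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return dot != -1 and base[dot + 1:].upper().startswith("E")


def com_in_window(size: int) -> bool:
    """COM size window the virus requires before it infects."""
    # 0xFB2E + 747 = 0xFE19; assumption: the ceiling keeps the infected
    # image below the 64 KB limit of a COM segment.
    return COM_MIN_SIZE <= size < COM_MAX_SIZE


def has_com_marker(data: bytes) -> bool:
    return (len(data) > COM_MARKER_OFFSET
            and data[0] == 0xE9
            and data[COM_MARKER_OFFSET] == ord("K"))


def has_exe_marker(data: bytes) -> bool:
    # The virus keys off the filename only, so no MZ signature check
    # here either: a non-MZ file named *.E* is still read at offset 0x12.
    if len(data) < 0x14:
        return False
    return struct.unpack_from("<H", data, 0x12)[0] == EXE_MARKER


def scan(filename: str, data: bytes) -> str:
    """Return 'infected', 'clean' or 'not-a-target' (virus would skip it)."""
    if treated_as_exe(filename):
        return "infected" if has_exe_marker(data) else "clean"
    if not com_in_window(len(data)):
        return "not-a-target"
    return "infected" if has_com_marker(data) else "clean"


def _exe_header(checksum: int) -> bytes:
    """Constructed 32-byte MZ header with the given e_csum, plus a body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x1E)
    struct.pack_into("<H", hdr, 0x12, checksum)   # e_csum field
    return bytes(hdr) + b"\xC3" * 0x100


# Constructed sample files (not real samples), as (name, contents).
SAMPLES = [
    ("CLEAN.COM",    b"\xE9\x00\x00\x00" + b"\x90" * 0x1100),
    ("INFECTED.COM", b"\xE9\x00\x11" + b"K" + b"\x90" * 0x1100),
    ("TINY.COM",     b"\xC3" * 0x200),          # below COM_MIN_SIZE
    ("CLEAN.EXE",    _exe_header(0x0000)),
    ("INFECTED.EXE", _exe_header(EXE_MARKER)),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:14s} {len(data):6d} bytes  {scan(name, data)}")
```

The checker deliberately mirrors the virus rather than a proper scanner: a real detection would also verify the 747-byte appended body, since a legitimate EXE can carry 4F4Bh in its checksum field and a legitimate COM can start with a JMP followed by 'K'.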

The INT 08h handler (installed only from June to December 1990) counts 65536 timer ticks, then patches a word in the virus installation code (probably a bug, since it would cause subsequent generations to crash during installation) and toggles the video enable bit in the video controller 10 times, with a software delay loop between toggles.

At the end of the file is the text 'I LOVEGY"RGYI!'.


