Freddy is a resident file virus that infects program files by
intercepting the load-program function.
The virus uses INT 21h/AH=FFh as an "Are-you-there" call. If it is
already resident, the virus answers this call with AH=FEh.
The virus copies itself to offset 0100 in the current segment and sets
up a local stack for its own use. DOS calls are used to get and set the
INT 21h vector; after this, all DOS calls are made by calling the old
vector.
The INT 21h handler first checks the date, and if over a month has
passed since the current host file was infected, the damage routine
takes over.
The virus intercepts the following INT 21h calls: 3Bh (chdir), 3Ch (create),
3Dh (open), 41h (delete), 43h (get/set attribute), 56h (rename), and 4Bh
(load program).
The load-program handler first tries to infect the file being loaded. All
the intercepted calls then search the directory being referenced for a
suitable file to infect. Up to 4 directory entries are tried on floppy
disks and up to 255 on hard disks. The virus stops searching for a host
sooner if an error occurs or a likely target is found.
During infection a dummy critical error handler is installed. Then disk
space is checked to see whether there is room for the virus to be added.
This type of check is quite rare in viruses.
The file attribute is cleared and restored afterwards. The file's
date/time field is preserved. The infection signature for files with an
EXE header is the instruction XCHG AH,AL at the initial entry point. For
COM files, the marker is the byte FFh at offset 3 of the file.
COM files are not infected if they are smaller than 256 bytes or so big
that the infected file would become larger than 65535 bytes. EXE files
are filled to the next paragraph boundary.
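As a defender's triage check, added here and not part of the original description: a Python routine that looks for the two infection markers described above (the byte FFh at offset 3 of a COM file, XCHG AH,AL at the initial entry point of an EXE) and applies the stated COM size limits. The two byte encodings of XCHG AH,AL, the 32-byte MZ header of the fixture and the treatment of any non-MZ file as a COM image are assumptions; all samples are constructed.

```python
import struct
import sys

# Infection markers as described above.  The two byte encodings of
# XCHG AH,AL (86 E0 / 86 C4) are an assumption; the page names only the
# instruction.  Anything without an MZ header is treated as a COM image.
COM_MARKER_OFFSET = 3
COM_MARKER = 0xFF
XCHG_AH_AL = (b"\x86\xe0", b"\x86\xc4")
VIRUS_GROWTH = 1870          # bytes added to infected files other than COMMAND.COM
COM_MAX_INFECTED = 65535     # largest infected COM the virus will produce

def exe_entry_offset(data):
    """File offset of the initial CS:IP of an MZ executable, or None if not MZ."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    hdr_paras, = struct.unpack_from("<H", data, 0x08)
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    return hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF)

def com_eligible(size):
    """COM sizes the virus is willing to infect (per the limits stated above)."""
    return size >= 256 and size + VIRUS_GROWTH <= COM_MAX_INFECTED

def carries_marker(data):
    """Return (kind, flagged): does the image carry Freddy's reinfection marker?"""
    entry = exe_entry_offset(data)
    if entry is not None:
        return "EXE", data[entry:entry + 2] in XCHG_AH_AL
    return "COM", len(data) > COM_MARKER_OFFSET and data[COM_MARKER_OFFSET] == COM_MARKER

def build_exe(code, cs=0, ip=0):
    """Constructed MZ image with a 32-byte header, used only as a test fixture."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)          # header size in paragraphs
    struct.pack_into("<HH", hdr, 0x14, ip, cs)    # initial IP, then initial CS
    return bytes(hdr) + code

# Constructed samples: a plain "mov ah,4Ch / int 21h" stub and marked variants.
CLEAN_COM = b"\xb4\x4c\xcd\x21"
MARKED_COM = b"\xe9\x00\x00\xff" + b"\x90" * 300   # jmp + FFh at offset 3
CLEAN_EXE = build_exe(b"\xb4\x4c\xcd\x21")
MARKED_EXE = build_exe(b"\x90" * 4 + b"\x86\xe0\xb4\x4c\xcd\x21", ip=4)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind, flagged = carries_marker(fh.read())
        print(f"{path}: {kind} {'MARKER PRESENT' if flagged else 'no marker'}")
```

The marker is the virus's own reinfection check, so a hit is a reason to look closer rather than proof of infection: any COM file can legitimately hold FFh at offset 3.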
The virus infects files by appending its own code to the host files,
except for COMMAND.COM. When the command interpreter is infected,
the virus overwrites the last 1793 bytes of the file, increasing the
program by only 77 bytes. Other programs are increased by 1870 bytes.
The damage routine starts with 21 NOP instructions in a row. A dummy
critical error handler is installed by overwriting the original vector.
Drive C: is reset to see if it is present; otherwise the current drive
is used. The virus hangs the computer immediately if there is an error
finding the current drive.
Next, the boot sector is read to memory. The start sector of the root
directory is calculated from the boot parameter block. Then the
virus overwrites the original boot sector with 16 identical directory
entries, which look like this:
FREDDY KRG 0
FREDDY KRG 0
FREDDY KRG 0
Date and time fields are not shown, since they are set to zeroes.
This directory entry list is stored encrypted in the virus body.
After the damage the computer is hung with an endless loop.