Threat Description

Freddy

Details

Aliases: Freddy
Category: Malware
Type: Virus
Platform: W32

Summary



Freddy is a resident file virus, and infects program files by intercepting the load-program function.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The virus uses INT 21h with AH=FFh as an "Are-you-there" call. If it is already resident, it answers this call with AH=FEh.

The virus copies itself to offset 0100 in the current segment and sets up a local stack for its own use. DOS calls are used to get and set the INT 21h vector; after that, all DOS calls are made by calling the old vector directly.

The INT 21h handler first checks the date, and if over a month has passed since the current host file was infected, the damage routine takes over.

The virus intercepts the following INT 21h calls: 3Bh (chdir), 3Ch (create), 3Dh (open), 41h (delete), 43h (get/set attribute), 56h (rename), and 4Bh (load program).

The load-program call first tries to infect the file being loaded. All the intercepted calls then search the directory being referenced for a suitable file to infect. Up to 4 directory entries are tried on floppy disks and up to 255 on hard disks. The virus stops searching for a host sooner if an error occurs or a likely target is found.

During infection a dummy critical error handler is installed. Then free disk space is checked to see whether there is room for the virus to be added; this type of check is quite rare in viruses.

The file attribute is cleared and restored afterwards, and the file's date/time field is preserved. The infection signature for files with an EXE header is the instruction XCHG AH,AL at the initial entry point. For COM files, the marker is the byte FFh at offset 3 of the file.

COM files are not infected if they are smaller than 256 bytes or so big that the infected file would become larger than 65535 bytes. EXE files are filled to the next paragraph boundary.

The virus infects files by appending its own code to the host file, except for COMMAND.COM. When the command interpreter is infected, the virus overwrites the last 1793 bytes of the file, increasing its size by only 77 bytes. Other programs grow by 1870 bytes.
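The marker and size rules above can be turned into a simple file check. The following is an added example, not F-Secure's detection code: it locates the initial entry point of an MZ executable from its header, tests for XCHG AH,AL there (both x86 encodings of that instruction, 86 E0 and 86 C4, are accepted since an assembler may emit either), tests byte 3 of a COM image for FFh, and applies the 256-byte / 65535-byte eligibility rule. The sample file images it builds are constructed for illustration and are not real infected files; the COM marker in particular is only a heuristic, since a clean program can legitimately have FFh at offset 3.

```python
"""Heuristic file check for the Freddy infection markers described above.

Added example (not F-Secure's detection code): it applies the marker and
size rules from the description to in-memory file images. The sample files
built at the bottom are constructed for illustration, not real infected files."""
import struct
from typing import Optional

# XCHG AH,AL has two valid x86 encodings (opcode 86h with either operand
# order in the ModRM byte); an assembler may emit either, so both are checked.
XCHG_AH_AL = (b"\x86\xe0", b"\x86\xc4")

COM_MARKER_OFFSET = 3      # marker byte position in COM files
COM_MARKER = 0xFF          # marker value
COM_MIN_SIZE = 256         # COM hosts below this size are not infected
COM_MAX_INFECTED = 65535   # infected COM files may not exceed this
HOST_GROWTH = 1870         # growth of hosts other than COMMAND.COM


def exe_entry_offset(data: bytes) -> Optional[int]:
    """File offset of the initial CS:IP of an MZ executable, or None if not MZ."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return None
    # e_cparhdr (header size in 16-byte paragraphs) at 0x08,
    # e_ip at 0x14 and e_cs at 0x16; CS is relative to the load module.
    (cparhdr,) = struct.unpack_from("<H", data, 0x08)
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)
    return cparhdr * 16 + e_cs * 16 + e_ip


def has_freddy_exe_marker(data: bytes) -> bool:
    """True if an MZ file starts execution with XCHG AH,AL."""
    off = exe_entry_offset(data)
    if off is None or off + 2 > len(data):
        return False
    return bytes(data[off:off + 2]) in XCHG_AH_AL


def has_freddy_com_marker(data: bytes) -> bool:
    """True if byte 3 of a COM image is FFh (the COM infection marker)."""
    return len(data) > COM_MARKER_OFFSET and data[COM_MARKER_OFFSET] == COM_MARKER


def com_host_eligible(size: int) -> bool:
    """Size rule the virus applies before infecting a COM file."""
    return size >= COM_MIN_SIZE and size + HOST_GROWTH <= COM_MAX_INFECTED


def classify(name: str, data: bytes) -> str:
    """Verdict string for one file image; the marker checks are heuristics
    (a clean COM file can legitimately have FFh at offset 3)."""
    if data[:2] == b"MZ":
        return "exe-marker-present" if has_freddy_exe_marker(data) else "exe-clean"
    if name.upper().endswith(".COM"):
        if not com_host_eligible(len(data)):
            return "com-not-eligible"
        return "com-marker-present" if has_freddy_com_marker(data) else "com-clean"
    return "not-a-dos-program"


def build_sample_exe(entry_code: bytes) -> bytes:
    """Constructed MZ image: 32-byte header (2 paragraphs), CS:IP = 0000:0000."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)     # e_cparhdr = 2 paragraphs
    return bytes(hdr) + entry_code + b"\x90" * 14


def build_sample_com(marker: int) -> bytes:
    """Constructed 300-byte COM image: JMP at offset 0, chosen byte at offset 3."""
    return b"\xe9\x00\x00" + bytes([marker]) + b"\x90" * 296


if __name__ == "__main__":
    for label, data in [("A.EXE", build_sample_exe(b"\x86\xe0")),
                        ("B.EXE", build_sample_exe(b"\xb8\x00\x4c")),
                        ("C.COM", build_sample_com(0xFF)),
                        ("D.COM", build_sample_com(0x00))]:
        print(label, classify(label, data))
```

Running the block classifies the four constructed images; a scanner would combine the marker result with the growth figures (1870 bytes, or 77 bytes for COMMAND.COM) against a known-good size before calling a file infected.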

The damage routine starts with 21 NOP instructions in a row. A dummy critical error handler is installed by overwriting the original vector. Drive C: is reset to see whether it is present; otherwise the current drive is used. The virus hangs the computer immediately if there is an error finding the current drive.

Next, the boot sector is read to memory. The start sector of the root directory is calculated from the boot parameter block. Then the virus overwrites the original boot sector with 16 identical directory entries, which look like this:

FREDDYKRG0
FREDDYKRG0
FREDDYKRG0

The date and time fields are not shown, since they are set to zeros. This directory entry list is stored in encrypted form in the virus body. After the damage, the computer is hung in an endless loop.
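For a forensic look at a disk hit by the damage routine, the two pieces of information above are the BPB-based root directory calculation and the overwritten boot sector. The following is an added example, not F-Secure's code or the virus's own: it computes the root directory start sector from the BIOS parameter block the same way (reserved sectors plus FAT copies times sectors per FAT), and flags a sector 0 that no longer begins with boot code but consists of 16 byte-identical directory entries. Both sectors it builds are constructed here; the exact layout of the FREDDYKRG0 name within the 8.3 field is an assumption, since the page only shows the printable name.

```python
"""Boot-sector checks for the Freddy damage routine described above.

Added example (not F-Secure's code): it reproduces the root-directory
start-sector calculation from the BIOS parameter block and flags a boot
sector that has been overwritten with 16 identical directory entries.
Both sample sectors are constructed here; they are not taken from a real disk."""
import struct

SECTOR_SIZE = 512
DIR_ENTRY_SIZE = 32
ENTRIES_PER_SECTOR = SECTOR_SIZE // DIR_ENTRY_SIZE   # 16


def root_dir_start_sector(boot: bytes) -> int:
    """Logical sector where the root directory begins, from the BPB:
    reserved sectors + (number of FATs * sectors per FAT)."""
    (reserved,) = struct.unpack_from("<H", boot, 0x0E)
    num_fats = boot[0x10]
    (sectors_per_fat,) = struct.unpack_from("<H", boot, 0x16)
    return reserved + num_fats * sectors_per_fat


def looks_like_freddy_damage(boot: bytes) -> bool:
    """True if sector 0 no longer starts with boot code and consists of
    16 byte-identical 32-byte directory entries (the damage pattern)."""
    if len(boot) < SECTOR_SIZE:
        return False
    if boot[0] in (0xEB, 0xE9):          # intact boot sector begins with a JMP
        return False
    first = boot[:DIR_ENTRY_SIZE]
    return all(boot[i:i + DIR_ENTRY_SIZE] == first
               for i in range(0, SECTOR_SIZE, DIR_ENTRY_SIZE))


def damaged_entry_name(boot: bytes) -> str:
    """The 11-byte 8.3 name field of the first entry, for reporting."""
    return boot[:11].decode("ascii", "replace").rstrip()


def make_sample_boot_sector() -> bytes:
    """Constructed FAT12 boot sector resembling a 360 KB floppy: 1 reserved
    sector, 2 FATs of 2 sectors each, 112 root entries."""
    b = bytearray(SECTOR_SIZE)
    b[0:3] = b"\xEB\x3C\x90"                    # JMP SHORT + NOP
    struct.pack_into("<H", b, 0x0B, 512)        # bytes per sector
    b[0x0D] = 2                                 # sectors per cluster
    struct.pack_into("<H", b, 0x0E, 1)          # reserved sectors
    b[0x10] = 2                                 # number of FATs
    struct.pack_into("<H", b, 0x11, 112)        # root directory entries
    struct.pack_into("<H", b, 0x16, 2)          # sectors per FAT
    b[510:512] = b"\x55\xAA"                    # boot signature
    return bytes(b)


def make_damaged_boot_sector() -> bytes:
    """Constructed sector 0 after the damage routine: 16 identical entries
    named FREDDYKRG0 (assumed 8.3 layout) with every other field, date and
    time included, set to zero."""
    entry = b"FREDDYKRG0".ljust(11, b" ") + bytes(DIR_ENTRY_SIZE - 11)
    return entry * ENTRIES_PER_SECTOR


if __name__ == "__main__":
    clean = make_sample_boot_sector()
    print("root directory starts at sector", root_dir_start_sector(clean))
    damaged = make_damaged_boot_sector()
    if looks_like_freddy_damage(damaged):
        print("damage pattern found, entry name:", damaged_entry_name(damaged))
```

Because the virus overwrites sector 0 rather than the root directory it calculated, recovery of such a disk means rebuilding the boot sector from the known geometry; the FAT and data area are untouched by the routine as described.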

