

Freddy


Aliases: Freddy

Categories: Malware, Virus, W32

Summary

Freddy is a resident file virus, and infects program files by intercepting the load-program function.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The virus uses INT 21h/AH=FFh as an "Are-you-there" call. If it is already resident, the virus answers this call with AH=FEh.

The virus copies itself to offset 0100h in the current segment and sets up a local stack for its own use. DOS calls are used to get/set the INT 21h vector; after this, all DOS calls are made by calling the old vector directly.

The INT 21h handler first checks the date, and if over a month has passed since the current host file was infected, the damage routine takes over.

The virus intercepts the following INT 21h calls: 3Bh (chdir), 3Ch (create), 3Dh (open), 41h (delete), 43h (get/set attribute), 56h (rename), and 4Bh (load program).

The load-program handler first tries to infect the file being loaded. All the intercepted calls then search the directory being referenced for a suitable file to infect. Up to 4 directory entries are tried on floppy disks and up to 255 on hard disks. The virus stops searching for a host sooner if an error occurs or a likely target is found.

During infection a dummy critical error handler is installed. Then disk space is checked to see whether there is room for the virus to be added. This type of check is quite rare in viruses.

The file attribute is cleared before infection and restored afterwards, and the file's date/time field is preserved. The infection signature for files with an EXE header is the instruction XCHG AH,AL at the initial entry point. For COM files, the marker is the byte FFh at offset 3 of the file.

COM files are not infected if they are smaller than 256 bytes or so big that the infected file would become larger than 65535 bytes. EXE files are padded to the next paragraph boundary.

The virus infects files by appending its own code to the host file, except in the case of COMMAND.COM. When the command interpreter is infected, the virus overwrites the last 1793 bytes of the file, increasing the program by only 77 bytes. Other programs are increased by 1870 bytes.
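As an added example (not F-Secure's scanner or any code from the original description), the following checker applies the two infection markers described above, XCHG AH,AL at the initial entry point of an EXE and byte FFh at offset 3 of a COM file, together with the COM size limits, to constructed sample images. The MZ header parsing, the sample images and the acceptance of both byte encodings of XCHG AH,AL are assumptions of this example.

```python
import struct
from typing import Optional

# Both valid encodings of XCHG AH,AL (opcode 86h with either ModRM order).
XCHG_AH_AL = (b"\x86\xe0", b"\x86\xc4")
VIRUS_GROWTH = 1870          # bytes added to a normal host, per the description
MIN_COM_HOST = 256           # smaller COM files are never infected
MAX_COM_INFECTED = 65535     # infected COM files never exceed this size

def exe_entry_offset(data: bytes) -> Optional[int]:
    """File offset of the initial entry point (CS:IP) of an MZ executable, or None."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return None
    cparhdr = struct.unpack_from("<H", data, 0x08)[0]   # header size in paragraphs
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)  # initial IP and CS
    return (cparhdr + e_cs) * 16 + e_ip

def freddy_marker(data: bytes) -> Optional[str]:
    """Return 'EXE' or 'COM' when the Freddy infection marker is present, else None."""
    entry = exe_entry_offset(data)
    if entry is not None:
        return "EXE" if data[entry:entry + 2] in XCHG_AH_AL else None
    # COM host: an infected file must be at least 256 + 1870 bytes and at most 65535,
    # so a stray FFh at offset 3 outside those bounds is not treated as a hit.
    if len(data) < MIN_COM_HOST + VIRUS_GROWTH or len(data) > MAX_COM_INFECTED:
        return None
    return "COM" if data[3] == 0xFF else None

def _mz(entry_code: bytes) -> bytes:
    """Constructed minimal MZ image: 2-paragraph header, entry at CS:IP = 0000:0000."""
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)       # e_cparhdr = 2 paragraphs (32 bytes)
    struct.pack_into("<HH", hdr, 0x14, 0, 0)   # e_ip = 0, e_cs = 0
    return bytes(hdr) + entry_code + b"\x90" * 14

# Constructed sample images (not real infected files).
INFECTED_EXE = _mz(b"\x86\xe0")              # XCHG AH,AL at entry point
CLEAN_EXE = _mz(b"\xb4\x4c\xcd\x21")         # MOV AH,4Ch / INT 21h at entry point
INFECTED_COM = b"\xe9\x00\x00\xff" + b"\x90" * 3000   # FFh at offset 3
CLEAN_COM = b"\xe9\x00\x00\x90" + b"\x90" * 3000

if __name__ == "__main__":
    for name, img in [("INFECTED_EXE", INFECTED_EXE), ("CLEAN_EXE", CLEAN_EXE),
                      ("INFECTED_COM", INFECTED_COM), ("CLEAN_COM", CLEAN_COM)]:
        print(f"{name}: {freddy_marker(img)}")
```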

The damage routine starts with 21 NOP instructions in a row. A dummy critical error handler is installed by overwriting the original vector. Drive C: is reset to see whether it is present; otherwise the current drive is used. The virus hangs the computer immediately if there is an error finding the current drive.

Next, the boot sector is read into memory. The start sector of the root directory is calculated from the BIOS parameter block. The virus then overwrites the original boot sector with 16 identical directory entries, which look like this:

FREDDY   KRG         0
FREDDY   KRG         0
FREDDY   KRG         0

The date and time fields are not shown, since they are set to zeroes. This directory-entry list is stored in encrypted form in the virus body. After the damage, the computer is hung with an endless loop.






