Filehider

Classification

Malware

Virus

-

Filehider, 789 tai

Summary

Filehide causes the files in the current directory to be hidden on fridays.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The virus only works if the major number of DOS version is higher than 1 and the minor number is higher than 2. Virus uses INT 21h/AX=A1D5h as an "Are-you-there" call. If AH=900Dh is returned, the virus is resident. Virus allocates 800 bytes of memory using DOS alloc functions. The 789 bytes of the viruscode is copied there. Execution continues in the copy.

When virus hook INT 21h, it checks the first byte of the original interrupt handler. If it is PUSHF, the whole INT 21h segment is searched for the first occurence of the command JMP FAR [####] and the destination vector is fetched from there.

This is repeated as many times as possible. The intention is to get an INT 21h vector which is not exiting via JMP FAR [####]. Using this method, it is very easy for the wrong vector to be fetched, if such far-jumps exist in the searched segments.

The virus revectors INT FFh to point to original INT 21h handler, and uses INT FFh to access DOS. The INT 21h handler of the virus exits to DOS by pushing the previous vector and doing IRET (the flags are already on the stack because the first instruction of the handler is PUSHF).

The virus is kept resident by fiddling in the DOS data table returned by INT 21h/AH=52h.

The INT 21h handler defines the residence test and intercepts DOS functions 4B00h (load/exec) and 3Dh (open file) to infect files. Only COM files are infected. Virus checks that there is enough available disk space left for the infection. File attribute is cleared and date/time are preserved except the seconds field is set to 58 after infection. This is used to prevent reinfection.

Files will only be infected if they are smaller than 62 KB. Infection is done by appending the viruscode to the host file. Before returning from the intercept routine (whether or not infection took place), the system date is checked and if it is a friday there is a 1:16 chance that all files in the current directory will be hidden (1:4 chance if it is friday 13th).