Classification

Category: Malware

Type: Virus

Aliases: Flash

Summary

Not yet analyzed.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.


Technical Details

Variant: Gyorgy747

Origin: Hungary

Gyorgy is a memory-resident file virus that infects through the DOS load/exec function.

The beginning of the virus code contains several jump instructions that are patched at run time. This is probably done to confuse disassemblers.

During installation, Gyorgy checks the byte at memory location 0000:0200h. If the value is 08h, the virus concludes that it is already resident.

The virus installs itself at the top of the current free memory block in a 1 kB slot using DOS memory allocation functions. The virus is 747 bytes long and installs itself at offset 100h in the allocated block. Reserved DOS function 55h and the PSP memory pointers are also used in the installation process. An INT 21h handler is set up, and if the date is from June to December of 1990, an INT 08h handler is also set up. DOS calls are used to get and set the interrupt vectors. The virus goes resident via INT 27h (TSR). A flag set during infection determines the method by which control is returned to the host program.

The INT 21h handler intercepts the load/exec function to infect files. If the given filename matches "*.E*", the file is treated as an EXE file; otherwise it is treated as a COM file. COM files must be at least 1000h bytes and smaller than 0FB2Fh bytes to be infected. The infection signature for COM files is 0E9h at offset 0 and 'K' at offset 3 of the file. The infection signature for EXE files is 4F4Bh at offset 12h of the file (the checksum word in the EXE header). The virus code is appended to the host without any padding. A dummy critical error handler is installed during infection to suppress error messages, and the file attribute is cleared and restored afterwards. The file date and time are also preserved.
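The markers and size limits above are enough to write a simple scanner for the Gyorgy747 infection signatures. This is an added example, not F-Secure's detection logic; the file names and byte blobs are constructed for illustration and the functions only check for the markers the description gives.

```python
import struct

# Markers and size limits as given in the Gyorgy747 description above.
COM_MIN_SIZE = 0x1000     # a clean COM host must be at least this large...
COM_MAX_SIZE = 0xFB2F     # ...and smaller than this to be infected
EXE_MARKER_WORD = 0x4F4B  # written into the EXE header checksum word at 0x12


def is_exe_name(filename: str) -> bool:
    """Mirror the virus's own rule: a name matching "*.E*" is an EXE."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    _, dot, ext = base.rpartition(".")
    return bool(dot) and ext.upper().startswith("E")


def com_marker_present(data: bytes) -> bool:
    """COM signature: JMP opcode (0E9h) at offset 0 and 'K' at offset 3."""
    return len(data) >= 4 and data[0] == 0xE9 and data[3] == ord("K")


def exe_marker_present(data: bytes) -> bool:
    """EXE signature: little-endian word 4F4Bh at offset 12h (checksum field)."""
    if len(data) < 0x14:
        return False
    return struct.unpack_from("<H", data, 0x12)[0] == EXE_MARKER_WORD


def com_infection_eligible(size: int) -> bool:
    """Would Gyorgy accept a clean COM file of this size as a host?"""
    return COM_MIN_SIZE <= size < COM_MAX_SIZE


def classify(filename: str, data: bytes):
    """Return (kind, marker_found) using the virus's filename-based type rule."""
    if is_exe_name(filename):
        return "EXE", exe_marker_present(data)
    return "COM", com_marker_present(data)


# Constructed samples (not real infected files): only the marker bytes matter.
MARKED_COM = b"\xe9\x10\x00K" + b"\x90" * 0x1000
CLEAN_COM = b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 0x1000
MARKED_EXE = b"MZ" + b"\x00" * 0x10 + struct.pack("<H", EXE_MARKER_WORD) + b"\x00" * 0x20
CLEAN_EXE = b"MZ" + b"\x00" * 0x10 + struct.pack("<H", 0x0000) + b"\x00" * 0x20

if __name__ == "__main__":
    for name, blob in [("GAME.COM", MARKED_COM), ("GAME.COM", CLEAN_COM),
                       ("TOOL.EXE", MARKED_EXE), ("TOOL.EXE", CLEAN_EXE)]:
        print(name, classify(name, blob))
```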

The INT 08h handler (which is only installed from June to December 1990) counts to 65536 and then patches a word in the virus installation code (this is probably a bug, as it would cause subsequent generations to crash during installation) and toggles the video enable bit in the video controller 10 times, with a software delay loop between toggles.

At the end of the file is the text 'I LOVE GY"RGYI!'.