Threat description




Not yet analyzed.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details



Gyorgy is a resident file virus infecting via loadexec.

The beginning of the virus code contains several jump commands, which are patched on run-time. This is probably done in order to confuse disassemblers.

During installation, Gyorgy checkes the byte at memory location 0000:0200h. If the value is 08h, virus concludes that it is already resident.

Virus is installs itself at the top of the current free memory block in a 1 kB slot using DOS memory allocation functions. Virus size is 747 bytes, and it installs itself at offset 100h in the allocated block. Reserved DOS function 55h and the PSP memory pointers are also used in the installation process. An INT 21h handler is set up and if the date is from June to December of 1990, an INT 08h handler is also set up. DOS calls are used to get/set the interrupt vectors. Virus goes resident by int 27h (TSR). There is a flag set during infection which determines the method by which exit is made into the host program.

The INT 21h handler intercepts the load/exec function to infect files. If the given filename matches "*.E*" the file is treated as an EXE file, otherwise it is treated as a COM file. COM files must be at least 1000h bytes and smaller than 0FB2Fh bytes for infection. The infection signature for COM files is 0E9h at offset 0 and 'K' at offset 3 of the file. Infection signature for EXE files is 4F4Bh at offset 12h of the file (checksum word in EXE header). Virus code is appended to the host without any padding. A dummy critical error handler is installed during infection to suppress error messages, and the file attribute is cleared and restored afterwards. File date/time is also preserved.

The INT 08h handler (which is only installed June-December 1990) counts to 65536 and then patches a word in the virus installation code (this might be a bug, it would cause subsequent generations to crash during installation) and toggles the video enable bit in the video controller 10 times with a software delay loop inbetween toggles.

At the end of the file is the text 'I LOVE GY"RGYI!'.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info