Threat Descriptons



Category :


Type :


Aliases :



Not yet analyzed.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details



Gyorgy is a resident file virus infecting via loadexec.

The beginning of the virus code contains several jump commands, which are patched on run-time. This is probably done in order to confuse disassemblers.

During installation, Gyorgy checkes the byte at memory location 0000:0200h. If the value is 08h, virus concludes that it is already resident.

Virus is installs itself at the top of the current free memory block in a 1 kB slot using DOS memory allocation functions. Virus size is 747 bytes, and it installs itself at offset 100h in the allocated block. Reserved DOS function 55h and the PSP memory pointers are also used in the installation process. An INT 21h handler is set up and if the date is from June to December of 1990, an INT 08h handler is also set up. DOS calls are used to get/set the interrupt vectors. Virus goes resident by int 27h (TSR). There is a flag set during infection which determines the method by which exit is made into the host program.

The INT 21h handler intercepts the load/exec function to infect files. If the given filename matches "*.E*" the file is treated as an EXE file, otherwise it is treated as a COM file. COM files must be at least 1000h bytes and smaller than 0FB2Fh bytes for infection. The infection signature for COM files is 0E9h at offset 0 and 'K' at offset 3 of the file. Infection signature for EXE files is 4F4Bh at offset 12h of the file (checksum word in EXE header). Virus code is appended to the host without any padding. A dummy critical error handler is installed during infection to suppress error messages, and the file attribute is cleared and restored afterwards. File date/time is also preserved.

The INT 08h handler (which is only installed June-December 1990) counts to 65536 and then patches a word in the virus installation code (this might be a bug, it would cause subsequent generations to crash during installation) and toggles the video enable bit in the video controller 10 times with a software delay loop inbetween toggles.

At the end of the file is the text 'I LOVE GY"RGYI!'.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.