Threat description

Freddy is a memory-resident DOS file virus. It infects COM and EXE program files, primarily by intercepting the DOS load-program function (INT 21h/AH=4Bh), and also opportunistically on several other file-handling calls.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The virus uses INT 21h/AH=FFh as an "Are-you-there" call: if a copy is already resident, its handler answers with AH=FEh, so a newly executed host can tell that it need not install a second copy.

The virus copies itself to offset 0100h in the current segment and sets up a local stack for its own use. It uses DOS calls to get and set the INT 21h vector; after that, all of its own DOS calls are made by calling the old vector directly rather than through INT 21h.

The INT 21h handler first checks the date: if more than a month has passed since the current host file was infected, the damage routine takes over.

The virus intercepts the following INT 21h functions: 3Bh (chdir), 3Ch (create), 3Dh (open), 41h (delete), 43h (get/set attribute), 56h (rename) and 4Bh (load program).

The load-program handler first tries to infect the file being loaded. All of the intercepted calls then search the directory being referenced for a suitable file to infect. Up to 4 directory entries are tried on floppy disks and up to 255 on hard disks; the search stops earlier if an error occurs or a likely target is found.

During infection a dummy critical error handler is installed, which suppresses the DOS critical-error prompt that a disk error would otherwise raise. Free disk space is then checked to see whether there is room for the virus to be appended; this kind of check is quite rare in viruses.

The file's attributes are cleared before writing and restored afterwards, and the file's date/time stamp is preserved. The infection marker for files with an EXE header is the instruction XCHG AH,AL at the initial entry point; for COM files, the marker is the byte FFh at offset 3 of the file.

COM files are not infected if they are smaller than 256 bytes or so large that the infected file would exceed 65535 bytes. EXE files are padded to the next paragraph boundary before the virus body is appended.

The virus infects files by appending its own code to the host, except in the case of COMMAND.COM. When the command interpreter is infected, the virus overwrites the last 1793 bytes of the file, so the program grows by only 77 bytes (the 1870-byte virus body minus the 1793 bytes it overwrites). Other programs grow by 1870 bytes.
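The infection markers and size rules above are enough to write a simple file-level check. The following scanner is an added example, not F-Secure's detection logic: it locates the initial CS:IP of an MZ executable and tests for XCHG AH,AL there, tests offset 3 of a COM image for FFh, and applies the COM size limits and growth figures quoted above. The sample files are constructed in the block (they are not Freddy-infected binaries), and because the page does not state which of the two valid XCHG AH,AL encodings the virus uses, both are accepted.

```python
import struct

# Constants taken from the description above.
COM_MIN_SIZE = 256            # COM files smaller than this are left alone
COM_MAX_INFECTED = 65535      # an infected COM file must not exceed this
VIRUS_LEN = 1870              # growth of an ordinary host file
COMMAND_COM_GROWTH = 77       # COMMAND.COM: last 1793 bytes overwritten, net growth 77

# XCHG AH,AL is opcode 86h followed by a ModRM byte naming AH and AL; the two
# operand orders give E0h or C4h. The page does not say which encoding the
# virus uses, so both are accepted (assumption).
XCHG_AH_AL = (b"\x86\xe0", b"\x86\xc4")


def exe_entry_offset(data):
    """File offset of the initial CS:IP of an MZ executable, or None if no EXE header."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    (header_paras,) = struct.unpack_from("<H", data, 0x08)   # header size in paragraphs
    ip, cs = struct.unpack_from("<HH", data, 0x14)            # initial IP, initial CS
    # The load module starts right after the header; CS is relative to its start.
    return header_paras * 16 + cs * 16 + ip


def is_infected(data):
    """Apply the page's markers: XCHG AH,AL at the EXE entry point, or FFh at offset 3 of a COM file."""
    entry = exe_entry_offset(data)
    if entry is not None:
        return data[entry:entry + 2] in XCHG_AH_AL
    return len(data) > 3 and data[3] == 0xFF


def com_is_infectable(size):
    """Size rules the virus applies before infecting a COM file."""
    return size >= COM_MIN_SIZE and size + VIRUS_LEN <= COM_MAX_INFECTED


def expected_growth(filename):
    """How much a host grows once infected (COMMAND.COM is the special case)."""
    return COMMAND_COM_GROWTH if filename.upper() == "COMMAND.COM" else VIRUS_LEN


def build_mz(code, ip=0, cs=0, header_paras=2):
    """Constructed test data: a minimal 32-byte MZ header followed by `code`."""
    header = bytearray(header_paras * 16)
    header[0:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, header_paras)
    struct.pack_into("<HH", header, 0x14, ip, cs)
    return bytes(header) + code


# Constructed samples (not real Freddy-infected files): a clean COM stub,
# a COM image carrying the FFh marker, and EXE images with and without
# XCHG AH,AL at a non-zero CS:IP entry point.
CLEAN_COM = b"\xb4\x4c\xcd\x21"                     # mov ah,4Ch / int 21h
MARKED_COM = b"\xe9\x00\x00\xff" + b"\x90" * 300    # jmp + marker byte at offset 3
CLEAN_EXE = build_mz(b"\xb4\x4c\xcd\x21")
MARKED_EXE = build_mz(b"\x90" * 20 + b"\x86\xe0\xb4\x4c\xcd\x21", ip=4, cs=1)

if __name__ == "__main__":
    for name, image in [("clean.com", CLEAN_COM), ("marked.com", MARKED_COM),
                        ("clean.exe", CLEAN_EXE), ("marked.exe", MARKED_EXE)]:
        print(f"{name:12s} infected={is_infected(image)}")
```

A COM file is a raw memory image, so the offset-3 test is only meaningful for files without an MZ header; any legitimate program that happens to have FFh at that offset (or XCHG AH,AL as its first EXE instruction) would be a false positive, which is why a marker check of this kind is a triage step rather than a verdict. The size helpers are handy when comparing a suspect file against a known-clean copy: an ordinary host should differ by exactly 1870 bytes, COMMAND.COM by 77.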

The damage routine starts with 21 NOP instructions in a row. A dummy critical error handler is installed by overwriting the original vector. Drive C: is reset to see whether it is present; otherwise the current drive is used. The virus hangs the computer immediately if there is an error finding the current drive.

Next, the boot sector is read into memory and the start sector of the root directory is calculated from the BIOS parameter block. The virus then overwrites the original boot sector with 16 identical directory entries, which look like this:





Date and time fields are not shown, since they are set to zero. This directory entry is stored in encrypted form in the virus body. After the damage the computer is hung in an endless loop.
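The payload described above can be modelled end to end on a disk image, which also yields a forensic check for a disk that has been hit. The block below is an added example, not the virus's code or F-Secure's: it builds a constructed 1.44 MB FAT12 boot sector, computes the root directory's start sector from the BPB the way the damage routine must (reserved sectors plus the FAT area), overwrites sector 0 with 16 identical 32-byte directory entries (exactly one 512-byte sector) with zeroed date/time fields, and then checks whether a sector 0 looks like that damage rather than a boot sector. The name in the directory entry is a placeholder, since the page's own listing of the entry is not reproduced here.

```python
import struct

SECTOR = 512
DIR_ENTRY = 32


def build_boot_sector():
    """Constructed 1.44 MB FAT12 boot sector with a standard BPB (example data, not from the page)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"           # JMP SHORT + NOP: how a real boot sector begins
    bs[3:11] = b"EXAMPLE "              # OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512,     # bytes per sector
                     1,       # sectors per cluster
                     1,       # reserved sectors (the boot sector itself)
                     2,       # number of FATs
                     224,     # root directory entries
                     2880,    # total sectors
                     0xF0,    # media descriptor
                     9,       # sectors per FAT
                     18,      # sectors per track
                     2,       # heads
                     0, 0)    # hidden sectors, 32-bit total sectors
    bs[510:512] = b"\x55\xaa"           # boot signature
    return bytes(bs)


def root_dir_start_sector(boot):
    """First sector of the root directory, computed from the BPB as the damage routine does:
    reserved sectors + (number of FATs * sectors per FAT)."""
    reserved, num_fats = struct.unpack_from("<HB", boot, 14)
    (sectors_per_fat,) = struct.unpack_from("<H", boot, 22)
    return reserved + num_fats * sectors_per_fat


def make_dir_entry():
    """One 32-byte FAT directory entry with zeroed date/time fields.
    The name is a placeholder (assumption); the page's own entry is not reproduced."""
    entry = bytearray(DIR_ENTRY)
    entry[0:8] = b"EXAMPLE "            # 8.3 name
    entry[8:11] = b"TXT"
    entry[11] = 0x20                    # archive attribute
    # bytes 22..25 (time, date) stay zero, as the description states
    return bytes(entry)


def apply_damage(image):
    """Model of the payload: sector 0 replaced by 16 identical directory entries.
    16 * 32 bytes is exactly one 512-byte sector, so nothing else is touched."""
    img = bytearray(image)
    img[0:SECTOR] = make_dir_entry() * 16
    return bytes(img)


def boot_sector_looks_valid(sector):
    """Triage check: a real boot sector starts with a JMP (EBh or E9h) and ends in 55AAh."""
    return sector[0] in (0xEB, 0xE9) and sector[510:512] == b"\x55\xaa"


def looks_like_freddy_damage(sector):
    """Sector 0 decodes as 16 identical, non-empty directory entries with zero date/time."""
    entries = [sector[i:i + DIR_ENTRY] for i in range(0, SECTOR, DIR_ENTRY)]
    first = entries[0]
    return (not boot_sector_looks_valid(sector)
            and len(set(entries)) == 1
            and first[0] not in (0x00, 0xE5)        # not an unused or deleted entry
            and first[22:26] == b"\x00\x00\x00\x00")


# Constructed image: boot sector followed by 40 blank sectors (FATs and root dir not populated).
IMAGE = build_boot_sector() + bytes(SECTOR * 40)

if __name__ == "__main__":
    print("root directory starts at sector", root_dir_start_sector(IMAGE))
    damaged = apply_damage(IMAGE)
    print("damaged sector 0 recognised:", looks_like_freddy_damage(damaged[:SECTOR]))
```

Two practical points follow from the model. First, the damage only touches sector 0, so on a standard 1.44 MB floppy the FATs (sectors 1 to 18) and the root directory (from sector 19) survive; recovery is a matter of rewriting a boot sector with the correct BPB, for example copied from an identically formatted disk. Second, the sector-0 heuristic also flags other boot-sector wipes that leave a repeated pattern, so treat it as a triage signal rather than an attribution; the start-sector arithmetic is relative to the volume and does not add hidden sectors, which is what a sector-level tool on a partitioned disk would need.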
