Classification

Category :

Malware

Type :

Virus

Aliases :

Freddy

Summary

Freddy is a resident file virus, and infects program files by intercepting the load-program function.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus uses INT 21h/AH=FFh as an "are-you-there" call. If it is already resident, it answers this call with AH=FEh.

The virus copies itself to offset 0100 in the current segment and sets up a local stack for its own use. DOS calls are used to get and set the INT 21h vector; after this, all DOS calls are made by calling the old vector directly.

The INT 21h handler first checks the date, and if over a month has passed since the current host file was infected, the damage routine takes over.

Virus intercepts the following INT 21h calls: 3Bh (chdir), 3Ch (create), 3Dh (open), 41h (delete), 43h (get/set attribute), 56h (rename), and 4Bh (load program).

Load program first tries to infect the file being loaded. All the intercepted calls then search the directory which is being referenced trying to find a suitable file for infection. Up to 4 directory entries are tried on floppy disks and up to 255 on hard disks. Virus stops searching for a host sooner if an error occurs or a likely target is found.

During infection a dummy critical error handler is installed. Then disk space is checked to see whether there is room for the virus to be added. This type of check is quite rare in viruses.

The file attributes are cleared before infection and restored afterwards, and the file's date/time field is preserved. The infection signature for files with an EXE header is the instruction XCHG AH,AL at the initial entry point. For COM files, the marker is the byte FFh at offset 3 of the file.

COM files are not infected if they are smaller than 256 bytes or so big that the infected file would become larger than 65535 bytes. EXE files are filled to the next paragraph boundary.

The virus infects files by appending its own code to the host file, except in the case of COMMAND.COM. When the command interpreter is infected, the virus overwrites the last 1793 bytes of the file, so the program grows by only 77 bytes. Other programs grow by 1870 bytes.

The damage routine starts with 21 NOP instructions in a row. A dummy critical error handler is installed by overwriting the original vector. Drive C: is reset to see if it is present; otherwise the current drive is used. The virus hangs the computer immediately if there is an error finding the current drive.

Next, the boot sector is read to memory. The start sector of the root directory is calculated from the boot parameter block. Then the virus overwrites the original boot sector with 16 identical directory entries, which look like this:

FREDDY   KRG   0
FREDDY   KRG   0
FREDDY   KRG   0

The date and time fields are not shown, since they are set to zero. The directory entry list is stored in encrypted form in the virus body. After the damage routine has run, the computer is hung in an endless loop.
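The two observable traces described above, the per-file infection markers and the boot sector overwritten with 16 FREDDY.KRG directory entries, can be checked offline from disk images. The following is an added Python example, not F-Secure's detection logic; it assumes the standard x86 encodings 86 C4 / 86 E0 for XCHG AH,AL (not stated on the page), and a marker match on its own only warrants further analysis, since a clean program could legitimately start with that instruction.

```python
import struct
from typing import Optional

# Standard x86 encodings of XCHG AH,AL (assemblers differ in operand order).
# These opcode bytes are an x86 fact, not taken from the description above.
XCHG_AH_AL = (b"\x86\xc4", b"\x86\xe0")

def exe_entry_offset(data: bytes) -> Optional[int]:
    """File offset of an MZ executable's initial entry point, or None."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return None
    hdr_paras = struct.unpack_from("<H", data, 0x08)[0]  # header size in paragraphs
    ip, cs = struct.unpack_from("<HH", data, 0x14)        # initial IP, initial CS
    return hdr_paras * 16 + cs * 16 + ip

def freddy_marker(data: bytes) -> Optional[str]:
    """Report which Freddy infection marker a program file carries, if any."""
    if data[:2] == b"MZ":
        ep = exe_entry_offset(data)
        if ep is not None and data[ep:ep + 2] in XCHG_AH_AL:
            return "EXE: XCHG AH,AL at entry point"
        return None
    # COM marker is byte FFh at offset 3; the virus never infects COM files
    # under 256 bytes, so shorter files are not flagged.
    if len(data) >= 256 and data[3] == 0xFF:
        return "COM: FFh at offset 3"
    return None

def looks_like_freddy_damage(sector: bytes) -> bool:
    """True if a boot sector holds 16 identical FREDDY.KRG directory entries."""
    if len(sector) < 16 * 32:
        return False
    entries = {sector[i:i + 32] for i in range(0, 16 * 32, 32)}
    return len(entries) == 1 and entries.pop().startswith(b"FREDDY  KRG")

# Constructed samples (no real malware): a 300-byte COM carrying the marker,
# tiny MZ images whose entry point does / does not start with XCHG AH,AL,
# and a sector made of 16 zero-dated FREDDY.KRG entries.
def _make_exe(entry_code: bytes) -> bytes:
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)      # header size: 2 paragraphs
    struct.pack_into("<HH", hdr, 0x14, 0, 0)  # initial IP=0, CS=0
    return bytes(hdr) + entry_code + b"\xcd\x20"  # INT 20h: terminate

SAMPLE_COM = b"\xe9\x00\x00\xff" + b"\x90" * 296
INFECTED_EXE = _make_exe(b"\x86\xc4")         # XCHG AH,AL
CLEAN_EXE = _make_exe(b"\xb8\x00\x4c")        # MOV AX,4C00h
DAMAGED_SECTOR = (b"FREDDY  KRG" + bytes(21)) * 16
```

Run the checks against raw files and the first 512 bytes of a disk image; a size increase of exactly 1870 bytes against a known-good copy is a useful corroborating signal.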