Freddy Virus


 Virus Name:  Freddy 
 Aliases:    
 V Status:    Rare 
 Discovered:  December, 1992 
 Symptoms:    .COM & .EXE file growth; TSR 
 Origin:      Brazil 
 Eff Length:  1,870 - 1,884 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, F-Prot, IBMAV, ViruScan, Sweep, NAVDX, 
                    NAV, VAlert, PCScan, ChAV, 
                    Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N, 
                    NAV/N, NShld 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Freddy virus was received in December, 1992 and is originally 
       from Brazil.  Freddy is a memory resident infector of .COM, .EXE, 
       and overlay files.  It will also infect COMMAND.COM.  It is based 
       on the Jerusalem virus, and some anti-viral programs may identify 
       it as such. 
 
       When the first Freddy infected program is executed, the Freddy 
       virus will install itself memory resident as a low system memory 
       TSR of 2,912 bytes, hooking interrupt 21.  It will also infect 
       one .COM program in the current directory at this time. 
 
       Once the Freddy virus is memory resident, it will infect any 
       program executed by the user, plus one additional .COM program 
       located in the current directory.  Infected .COM programs, other 
       than COMMAND.COM, will have a file length increase of 1,870 bytes. 
       COMMAND.COM will increase in size by a much smaller amount as the 
       virus will overwrite some of the slack (hex 00) area at the end of 
       COMMAND.COM.  Infected .EXE programs will have a file length increase 
       of 1,870 to 1,884 bytes.  In all cases, the virus will be located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       are visible within the viral code in all Freddy infected programs: 
 
               "$322/vv" 
               "$1VVVVVVVVVVVVVVVVVVVV   COMMAND.COM *.COM" 
 
       Additionally, the following text string is encrypted within the 
       viral code: 
 
               "Freddy Krg" 
 
       It is unknown what Freddy does besides replicate, but it appears 
       to contain destructive code. 
 
       Known variant(s) of Freddy are: 
       Freddy 2.1: A later version of the Freddy virus described above, 
                   this variant becomes memory resident at the top of system 
                   memory but below the 640K DOS boundary, hooking interrupt 
                   21.  Total system and available free memory, as indicated 
                   by the DOS CHKDSK program, will have decreased by 5,120 
                   bytes.  It will also infect COMMAND.COM when it becomes 
                   memory resident if it was not previously infected.  Once 
                   resident, it infects .COM and .EXE programs when they 
                   are executed, as well as infecting one file in the 
                   directory when a DOS DIR command is issued.  Infected 
                   programs increase in size by 2,345 to 2,394 bytes with 
                   the virus being located at the end of the file.  Infected 
                   COMMAND.COM programs will not increase in size, however, 
                   as the virus will overwrite part of the hex 00 characters 
                   at the end of the file.  The file's date and time in the 
                   DOS disk directory will not be altered.  The following 
                   text strings are encrypted within the Freddy 2.1 virus: 
                   "COMMAND.COM *.COM" 
                   "*.EXE" 
                   "Freddy KRueGer 2.1" 
                   Origin:  Brazil  May 1993. 
 
       See:   Jerusalem 
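
Added example, not part of the original entry and not the method of any scanner listed above: a Python check for the two visible text strings the entry gives for the original Freddy. It looks only at the last 1,884 bytes of a file, because the entry places the virus at the end of the file. The function names, the loose whitespace matching, and the sample data are assumptions constructed for illustration.

```python
import re

# Text strings the entry lists as visible in every Freddy-infected program.
# Whitespace and the length of the "V" run are matched loosely because the
# exact byte layout of the printed listing is an assumption.
MARKERS = {
    "marker_322": re.compile(rb"\$322/vv"),
    "marker_filespec": re.compile(rb"\$1V+\s+COMMAND\.COM\s+\*\.COM"),
}
MAX_EFF_LENGTH = 1884  # largest effective length the entry gives, in bytes


def scan_tail(data: bytes) -> dict:
    """Return {marker name: distance from end of file} for markers in the tail."""
    start = max(0, len(data) - MAX_EFF_LENGTH)
    tail = data[start:]
    hits = {}
    for name, pattern in MARKERS.items():
        match = pattern.search(tail)
        if match:
            hits[name] = len(tail) - match.start()
    return hits


def classify(data: bytes) -> str:
    """'suspect' if both strings are in the tail, 'partial' if one, else 'clean'."""
    hits = scan_tail(data)
    if len(hits) == len(MARKERS):
        return "suspect"
    return "partial" if hits else "clean"


def build_samples() -> dict:
    """Constructed test inputs: inert filler bytes, no viral code."""
    host = b"\x90" * 4000
    strings = b"$322/vv" + b"\x00" * 8 + b"$1" + b"V" * 20 + b"   COMMAND.COM *.COM"
    appended = b"\x00" * 300 + strings + b"\x00" * (1870 - 300 - len(strings))
    return {
        "appended": host + appended,      # strings inside the last 1,870 bytes
        "clean": host,                    # no strings at all
        "quoted_early": strings + host,   # strings present, but not at the end
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, classify(blob), scan_tail(blob))
```

The check does not apply to Freddy 2.1, whose text strings the entry describes as encrypted.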
       
