Virus Name: Freddy
V Status: Rare
Discovered: December, 1992
Symptoms: .COM & .EXE file growth; TSR
Eff Length: 1,870 - 1,884 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, IBMAV, ViruScan, Sweep, NAVDX,
NAV, VAlert, PCScan, ChAV,
Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N,
Removal Instructions: Delete infected files
The Freddy virus was received in December, 1992 and is originally
from Brazil. Freddy is a memory resident infector of .COM, .EXE,
and overlay files. It will also infect COMMAND.COM. It is based
on the Jerusalem virus, and some anti-viral programs may identify
it as such.
When the first Freddy infected program is executed, the Freddy
virus will install itself memory resident as a low system memory
TSR of 2,912 bytes, hooking interrupt 21. It will also infect
one .COM program in the current directory at this time.
Once the Freddy virus is memory resident, it will infect any
program executed by the user, plus one additional .COM program
located in the current directory. Infected .COM programs, other
than COMMAND.COM, will have a file length increase of 1,870 bytes.
COMMAND.COM will increase in size by a much smaller amount as the
virus will overwrite some of the slack (hex 00) area at the end of
COMMAND.COM. Infected .EXE programs will have a file length increase
of 1,870 to 1,884 bytes. In all cases, the virus will be located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are visible within the viral code in all Freddy infected programs:
"$1VVVVVVVVVVVVVVVVVVVV COMMAND.COM *.COM"
Additionally, the following text string is encrypted within the
It is unknown what Freddy does besides replicate, but it appears
to contain destructive code.
Known variant(s) of Freddy are:
Freddy 2.1: A later version of the Freddy virus described above,
this variant becomes memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt
21. Total system and available free memory, as indicated
by the DOS CHKDSK program, will have decreased by 5,120
bytes. It will also infect COMMAND.COM when it becomes
memory resident if it was not previously infected. Once
resident, it infects .COM and .EXE programs when they
are executed, as well as infecting one file in the
directory when a DOS DIR command is issued. Infected
programs increase in size by 2,345 to 2,394 bytes with
the virus being located at the end of the file. Infected
COMMAND.COM programs will not increase in size, however,
as the virus will overwrite part of the hex 00 characters
at the end of the file. The file's date and time in the
DOS disk directory will not be altered. The following
text strings are encrypted within the Freddy 2.1 virus:
"Freddy KRueGer 2.1"
Origin: Brazil May 1993.