Andre Virus


 Virus Name:  Andre 
 Aliases:     Andre-0, Andryushka 
 V Status:    Rare 
 Discovery:   July, 1992 
 Symptoms:    .COM & .EXE file growth; decrease in total system & 
              available free memory; boot sector altered 
 Origin:      USSR 
 Eff Length:  3,568 - 3,648 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, IBMAV, AVTK, ViruScan, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, AVTK/N, NShld, NProt, IBMAV/N, NAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Andre, or Andryushka, virus was submitted in July, 1992.  It 
       is originally from the USSR.  Andre is a memory resident infector 
       of .COM and .EXE programs.  It does not infect COMMAND.COM.  This 
       is a polymorphic virus, and a simple search string for detection 
       is not possible. 
 
       When the first Andre infected program is executed, this virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary.  It does not move interrupt 12's 
       return.  Total system and available free memory, as indicated by 
       the DOS CHKDSK program, will have decreased by 8,192 bytes.  It 
       directly hooks interrupts, and memory mapping utilities will not 
       show interrupts mapped to the virus in memory. 
 
       Once the Andre virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed, opened, or when a DOS DIR 
       or Copy command is issued.  It does not infect very small .EXE 
       files, nor .EXE files larger than 64K.  Infected .EXE files will 
       have become .COM files in structure.  Infected programs will have a 
       file length increase of 3,568 to 3,648 bytes with the virus being 
       located at the end of the file.  The program's date and time in 
       the DOS disk directory listing will not be altered.  The following 
       text strings are encrypted within the viral code, and are not 
       visible in infected files: 
 
               "Hello!!!" 
               "My name is Andryushka" 
               "I come from Perm,USSR" 
 
       Symptoms of an Andre infection are that DOS DIR commands may be 
       very sluggish due to the virus infecting a file when a DIR command 
       is issued.  Also, this virus will alter the boot drive's boot 
       sector. 
 
       Known variant(s) of Andre are: 
       Andre-3568: A minor variant of the Andre virus, Andre-3568 
                   adds 3,568 - 3,668 bytes to the .COM and .EXE programs 
                   it infects.  Its size in memory is 7,632 bytes. 
                   It contains the same encrypted text strings as the 
                   original virus. 
                   Origin:  USSR  July, 1992. 
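
Since the entry rules out a simple search string, the file symptoms it lists (growth of 3,568 to 3,648 bytes, or up to 3,668 for Andre-3568, with the directory date and time unaltered) can be checked against a known-clean baseline. The following is an added example, not part of the original entry: the Entry record, the suspicious() function and the sample listings are constructed for illustration, and reading "become .COM files in structure" as loss of the MZ header is an assumption.

```python
from dataclasses import dataclass

GROWTH_MIN = 3568  # lower bound of the growth range given in the entry
GROWTH_MAX = 3668  # widest upper bound given (Andre-3568 variant)

@dataclass(frozen=True)
class Entry:
    name: str    # DOS 8.3 file name
    size: int    # length in bytes
    stamp: str   # date/time as shown in the directory listing
    head: bytes  # first two bytes of the file

def suspicious(baseline, current):
    """Return (name, reasons) for programs matching the described symptoms."""
    base = {e.name.upper(): e for e in baseline}
    hits = []
    for cur in current:
        name = cur.name.upper()
        old = base.get(name)
        if old is None or not name.endswith((".COM", ".EXE")):
            continue
        growth = cur.size - old.size
        if not (GROWTH_MIN <= growth <= GROWTH_MAX):
            continue
        reasons = [f"grew {growth} bytes"]
        if cur.stamp == old.stamp:
            reasons.append("date/time unchanged")
        # Assumption: an .EXE that is now .COM in structure has no MZ header.
        if name.endswith(".EXE") and old.head == b"MZ" and cur.head != b"MZ":
            reasons.append("EXE lost MZ header")
        hits.append((name, reasons))
    return hits

# Constructed sample listings (clean baseline vs. later state).
BASELINE = [
    Entry("EDIT.COM", 413, "1991-04-09 05:00", b"\xe9\x12"),
    Entry("CHKDSK.EXE", 16200, "1991-04-09 05:00", b"MZ"),
    Entry("NOTES.TXT", 100, "1992-06-01 10:15", b"He"),
    Entry("FORMAT.COM", 33087, "1991-04-09 05:00", b"\xe9\x20"),
]
CURRENT = [
    Entry("EDIT.COM", 4013, "1991-04-09 05:00", b"\xe9\x40"),
    Entry("CHKDSK.EXE", 19768, "1991-04-09 05:00", b"\xe9\x33"),
    Entry("NOTES.TXT", 3700, "1992-07-20 09:00", b"He"),
    Entry("FORMAT.COM", 38087, "1992-07-20 09:00", b"\xe9\x20"),
]
if __name__ == "__main__":
    for name, reasons in suspicious(BASELINE, CURRENT):
        print(name, "-", "; ".join(reasons))
```

Because the entry states that the resident virus infects files when a DIR command is issued, the current listing should be collected after booting from clean media.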
