Andromeda 1.1 Virus
Virus Name: Andromeda 1.1
Aliases: Andromeda.758
V Status: Rare
Discovery: June, 1993
Symptoms: .COM file growth; decrease in total system and available free memory
Origin: Hungary
Eff Length: 758 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, NAVDX, VAlert, IBMAV,
PCScan, ChAV, NShld, Sweep/N, AVTK/N, NProt, Innoc, NAV/N, LProt, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Andromeda 1.1 virus was received from Hungary in June, 1993.
Andromeda 1.1 is a memory resident infector of .COM programs, but
not COMMAND.COM. An earlier version of this virus, Andromeda 1.0,
is listed separately as it has different basic characteristics.
When the first Andromeda 1.1 infected program is executed, this
virus will infect one .COM program located in the current directory,
as well as install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 1,136 bytes. Interrupt 21 will be hooked by Andromeda
1.1 in memory. Interrupt 12's return (the reported base memory size) will not be moved.
Once memory resident, the Andromeda 1.1 virus will infect .COM
programs when they are executed. Additionally, if a previously
infected program is executed, an uninfected .COM file in the
current directory will be infected by direct action of the virus.
Programs infected with Andromeda 1.1 will have a file length increase
of 758 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing will
not be altered. The following text strings are visible within the
viral code in all Andromeda 1.1 infected programs:
"[ANDROMEDA V1.1] BUDAPEST HUNGARY"
"????????COM"
It is unknown what Andromeda 1.1 does besides replicate.
Known variant(s) of Andromeda 1.1 are:
Andromeda.1024: Received in July, 1995, this is a 1,024 byte
variant of Andromeda 1.1. It becomes memory resident at the
top of system memory but below the 640K DOS boundary, hooking
interrupt 21. Available free memory, as indicated by the DOS
CHKDSK program from DOS 5.0, will have decreased by 1,328 bytes.
Once resident, it will infect .COM and .EXE files, but not
COMMAND.COM, when they are executed. Infected .COM files will
have a file length increase of 1,024 bytes while .EXE files will
have increased in size by 1,024 to 1,038 bytes. In both cases,
the virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text string is visible within the
viral code in all infected programs:
"ANDROMEDA V3.0 BUDAPEST (Szegedi Imrének: Ha mi nem lennénk,
miböl élnél?)"
Origin: Hungary July, 1995.
Andromeda.1024.C: Received in July, 1995, this variant is
similar to Andromeda.1024. The text string visible within the
viral code has been changed to:
"ANDROMEDA V3.0"
Origin: Hungary July, 1995.
Andromeda.1536: Received in July, 1995, this is a 1,536 byte
variant of Andromeda 1.1. It becomes memory resident at the
top of system memory but below the 640K DOS boundary, hooking
interrupt 21. Available free memory, as indicated by the DOS
CHKDSK program from DOS 5.0, will have decreased by 2,000 bytes.
Once resident, it will infect .COM and .EXE files, but not
COMMAND.COM, when they are executed. Infected .COM files will
have a file length increase of 1,536 bytes while .EXE files will
have increased in size by 1,536 to 1,550 bytes. In both cases,
the virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are visible within the
viral code in all infected programs:
"RBO GEM"
"ANDROMEDA V3.2"
" HUNGARY "
Origin: Hungary July, 1995.
See: Andromeda 1.0
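The lengths and visible text strings listed above are enough for a simple triage check. The following is an added example, not part of the original entry or of any scanner named in it: it searches only the last N bytes of each .COM/.EXE file (N being the variant's length) for that variant's marker. It assumes the markers are stored as plain ASCII exactly as quoted; classify_tail, scan_directory and make_sample are hypothetical names.

```python
# Added example (not from the original entry): tail-marker triage check.
# Assumption: the markers are stored as plain ASCII exactly as quoted in the entry.
from pathlib import Path

# (name, virus length in bytes, marker, file types the entry says are infected).
# The longer "V3.0 BUDAPEST" marker is listed before the bare "V3.0" one.
SIGNATURES = [
    ("Andromeda 1.1", 758, b"[ANDROMEDA V1.1] BUDAPEST HUNGARY", (".COM",)),
    ("Andromeda.1024", 1024, b"ANDROMEDA V3.0 BUDAPEST", (".COM", ".EXE")),
    ("Andromeda.1024.C", 1024, b"ANDROMEDA V3.0", (".COM", ".EXE")),
    ("Andromeda.1536", 1536, b"ANDROMEDA V3.2", (".COM", ".EXE")),
]

def classify_tail(data, ext):
    """Return the variant whose marker lies in the last <length> bytes, else None."""
    ext = ext.upper()
    for name, length, marker, exts in SIGNATURES:
        if ext not in exts or len(data) < length:
            continue
        # The entry places the virus at the end of the file, so only the
        # final <length> bytes are searched, not the host program.
        if marker in data[-length:]:
            return name
    return None

def scan_directory(root):
    """Map each matching .COM/.EXE path under root to a variant name."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.upper() in (".COM", ".EXE"):
            name = classify_tail(path.read_bytes(), path.suffix)
            if name:
                hits[str(path)] = name
    return hits

def make_sample(length, marker, host_size=200):
    """Constructed, inert test data: zero bytes with the marker text in the tail."""
    return b"\x00" * host_size + marker.center(length, b"\x00")

if __name__ == "__main__":
    import sys
    for path, name in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: {name}")
```

A match is a string indicator for triage only; confirm with one of the scanners listed under Detection Method before acting on the removal instructions.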