Astra Virus
Virus Name: Astra
Aliases: Astra-976
V Status: Rare
Discovery: July, 1992
Symptoms: .COM file growth; data files truncated; decrease in total
system & available free memory
Origin: USSR
Eff Length: 976 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: Sweep, ViruScan, F-Prot, AVTK, IBMAV, NAVDX,
NAV, VAlert, PCScan, ChAV,
Sweep/N, AVTK/N, IBMAV/N, NShld, NAV/N
Removal Instructions: Delete infected programs
General Comments:
The Astra, or Astra-976, virus was submitted in July, 1992. It is
reported to be from the USSR. Astra is a memory resident infector
of .COM programs, including COMMAND.COM.
When the first Astra infected program is executed, the Astra virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. Interrupt 12's return will not be
moved. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 1,056 bytes. Interrupt
21 will be hooked by Astra in memory.
Once the Astra virus is memory resident, it will infect .COM
programs when they are executed. If COMMAND.COM is executed, it
will become infected. Programs infected with the Astra virus will
have a file length increase of 976 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. The following text
strings are encrypted within the Astra viral code, and are not
visible within infected files:
"(C) AsTrA, 1991"
"*.COM *.EXE"
The text string "(2)" can be found near the end of all Astra infected
programs.
A symptom of an Astra infection is that data files which are opened
with read/write intent may be truncated by approximately 700 bytes,
slowly corrupting the user's data files.
Known variant(s) of Astra are:
Astra-498: Received in August, 1992, Astra-498 is a 498 byte
variant of the Astra virus which only infects .SYS
programs. It becomes memory resident the first time
an infected device driver is loaded from the system's
CONFIG.SYS file on boot. Once resident, it will infect
.SYS programs when their directory entry is accessed,
or when they are executed. Infected system files will
increase in size by 498 - 513 bytes with the first
infection of the file, and 498 bytes with each
reinfection. The virus is located at the end of the
infected file. The program's date and time in the DOS
disk directory listing will have been updated to the
current system date and time. The following text
strings can be found in all infected programs:
"I like a flower's smell!"
"(C) AsTrA,JPN"
"(5)"
Origin: USSR August, 1992.
Astra-510: Received in August, 1992, Astra-510 is a 510 byte
variant of the Astra virus and is similar to Astra-498.
It adds 510 to 525 bytes to the .SYS files it infects
with the first infection, and 510 bytes with each
reinfection. It contains the text strings:
"I like cold flavour!"
"(C) AsTrA,1990,JPN"
"(5)"
Origin: USSR August, 1992.
Astra-521: Similar to Astra-498 and Astra-510, this variant
adds 521 to 536 bytes to the .SYS files it infects with
the first infection, and 521 bytes with each reinfection.
It contains the text strings:
"I like fragrant smell of flower!"
"(C)AsTrA,1990"
"(5)"
Origin: USSR August, 1992.
Astra-1010: Also received in July, 1992, Astra-1010 is a 1,010
byte variant of the Astra virus described above. Its
size in memory is 1,072 bytes, hooking interrupt 21.
It adds 1,010 bytes to the .COM programs it infects.
The encrypted text strings found in the original virus
are present in this variant. The "(2)" located near
the end of programs infected with the Astra virus has
been changed to "(3)". This variant does not truncate
data files.
Origin: USSR July, 1992.
Astra-1556: Received in July, 1994, Astra.1556 is a 1,556 byte
variant of the Astra virus described above. Its size in
memory is 1,616 bytes, hooking interrupt 21. It infects
all of the .COM files in the current directory when the
first infected program is executed, and .EXE programs when
they are executed. It adds 1,556 bytes to the files it
infects. The following text string is visible within the
viral code in all infected programs:
"Child's Play"
The following additional text strings are encrypted within
the viral code:
"(C) AsTrAP"
"*.COM *.EXE *.SYS"
Execution of infected .COM programs may result in a system
hang.
Origin: Unknown July, 1994.
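
The visible text strings listed for Astra-498, Astra-510, Astra-521 and Astra-1556 can be used for a quick triage of suspect program files. The following is an added example, not part of the original entry or of any scanner named above; the function names, the choice of file extensions and the sample bytes are assumptions made for illustration.

```python
"""String-marker triage for the Astra variants whose text is stored unencrypted."""
from pathlib import Path

# Visible strings taken from the entry above. Astra-976 and Astra-1010 are left
# out: their text is encrypted and "(2)"/"(3)" alone is too short to match on.
# Astra-1556 has a single visible string, so treat a hit on it as low confidence.
MARKERS = {
    "Astra-498": (b"I like a flower's smell!", b"(C) AsTrA,JPN", b"(5)"),
    "Astra-510": (b"I like cold flavour!", b"(C) AsTrA,1990,JPN", b"(5)"),
    "Astra-521": (b"I like fragrant smell of flower!", b"(C)AsTrA,1990", b"(5)"),
    "Astra-1556": (b"Child's Play",),
}

def match_variants(data: bytes) -> dict:
    """Return {variant: copies} for every variant whose markers are all present.

    copies counts the first marker; treating each reinfection as one more copy
    of the strings is an assumption drawn from the per-reinfection file growth.
    """
    hits = {}
    for variant, markers in MARKERS.items():
        if all(m in data for m in markers):
            hits[variant] = data.count(markers[0])
    return hits

def scan_tree(root: str, exts=(".sys", ".com", ".exe")) -> dict:
    """Scan files under root with DOS program extensions; report only matches."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = match_variants(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Constructed sample: a fake driver body with two appended marker sets,
    # standing in for a .SYS file that was infected and then reinfected.
    tail = b"I like cold flavour!" + b"\x00" * 8 + b"(C) AsTrA,1990,JPN" + b"(5)"
    sample = b"\xff" * 64 + tail + tail
    print(match_variants(sample))          # {'Astra-510': 2}
    print(match_variants(b"\x90" * 512))   # {}
```

A string match is only a triage signal; confirm a hit with the file growth figures given above before deleting the program.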