Andromeda 1.1 Virus


 Virus Name:  Andromeda 1.1 
 Aliases:     Andromeda.758 
 V Status:    Rare 
 Discovery:   June, 1993 
 Symptoms:    .COM file growth; 
              decrease in total system and available free memory 
 Origin:      Hungary 
 Eff Length:  758 Bytes 
 Type Code:   PRhC - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, NAV, NAVDX, VAlert, 
                    IBMAV, PCScan, ChAV, 
                    NShld, Sweep/N, AVTK/N, NProt, Innoc, NAV/N, LProt, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Andromeda 1.1 virus was received from Hungary in June, 1993. 
       Andromeda 1.1 is a memory resident infector of .COM programs, but 
       not COMMAND.COM.  An earlier version of this virus, Andromeda 1.0, 
       is listed separately as it has different basic characteristics. 
 
       When the first Andromeda 1.1 infected program is executed, this 
       virus will infect one .COM program located in the current directory, 
       as well as install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 1,136 bytes.  Interrupt 21 will be hooked by Andromeda 
       1.1 in memory.  Interrupt 12's return will not be moved. 
 
       Once memory resident, the Andromeda 1.1 virus will infect .COM 
       programs when they are executed.  Additionally, if a previously 
       infected program is executed, an uninfected .COM file in the 
       current directory will be infected by direct action of the virus. 
 
       Programs infected with Andromeda 1.1 will have a file length increase 
       of 758 bytes with the virus being located at the end of the file. 
       The program's date and time in the DOS disk directory listing will 
       not be altered.  The following text strings are visible within the 
       viral code in all Andromeda 1.1 infected programs: 
 
               "[ANDROMEDA V1.1] BUDAPEST HUNGARY" 
               "????????COM" 
 
       It is unknown what Andromeda 1.1 does besides replicate. 
 
       Known variant(s) of Andromeda 1.1 are: 
       Andromeda.1024: Received in July, 1995, this is a 1,024 byte 
           variant of Andromeda 1.1.  It becomes memory resident at the 
           top of system memory but below the 640K DOS boundary, hooking 
           interrupt 21.  Available free memory, as indicated by the DOS 
           CHKDSK program from DOS 5.0, will have decreased by 1,328 bytes. 
           Once resident, it will infect .COM and .EXE files, but not 
           COMMAND.COM, when they are executed.  Infected .COM files will 
            have a file length increase of 1,024 bytes while .EXE files will 
           have increased in size by 1,024 to 1,038 bytes.  In both cases, 
           the virus will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not be 
           altered.  The following text string is visible within the 
           viral code in all infected programs: 
           "ANDROMEDA V3.0 BUDAPEST (Szegedi Imrének: Ha mi nem lennénk, 
            miböl élnél?)" 
           Origin:  Hungary  July, 1995. 
       Andromeda.1024.C: Received in July, 1995, this variant is 
           similar to Andromeda.1024.  The text string visible within the 
           viral code has been changed to: 
           "ANDROMEDA V3.0" 
           Origin:  Hungary  July, 1995. 
       Andromeda.1536: Received in July, 1995, this is a 1,536 byte 
           variant of Andromeda 1.1.  It becomes memory resident at the 
           top of system memory but below the 640K DOS boundary, hooking 
           interrupt 21.  Available free memory, as indicated by the DOS 
           CHKDSK program from DOS 5.0, will have decreased by 2,000 bytes. 
           Once resident, it will infect .COM and .EXE files, but not 
           COMMAND.COM, when they are executed.  Infected .COM files will 
            have a file length increase of 1,536 bytes while .EXE files will 
           have increased in size by 1,536 to 1,550 bytes.  In both cases, 
           the virus will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not be 
           altered.  The following text strings are visible within the 
           viral code in all infected programs: 
           "RBO      GEM" 
           "ANDROMEDA V3.2" 
           "  HUNGARY  " 
           Origin:  Hungary  July, 1995. 
       See:   Andromeda 1.0 
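
The entry's file-level indicators (virus body appended at the end of the file, fixed growth, visible text strings) can be checked with a tail-only string scan. The following is an added example, not part of the original entry or of any scanner listed above; the function names, the ASCII-prefix match for Andromeda.1024, and the lengths used for Andromeda.1024.C are assumptions.

```python
import os
import sys

# (variant, min growth, max growth, required marker strings) from the entry above.
# Andromeda.1024 is listed before .C because its marker extends the .C marker.
SIGNATURES = [
    ("Andromeda 1.1", 758, 758, (b"[ANDROMEDA V1.1] BUDAPEST HUNGARY", b"????????COM")),
    ("Andromeda.1536", 1536, 1550, (b"ANDROMEDA V3.2",)),
    # Assumption: only the ASCII prefix is matched; the code page of the
    # accented text in the on-disk string is not stated in the entry.
    ("Andromeda.1024", 1024, 1038, (b"ANDROMEDA V3.0 BUDAPEST",)),
    # Assumption: .C has the same lengths as Andromeda.1024 ("similar to").
    ("Andromeda.1024.C", 1024, 1038, (b"ANDROMEDA V3.0",)),
]

def classify(data):
    """Return the variant whose markers all sit in the appended tail, or None."""
    for name, min_growth, max_growth, markers in SIGNATURES:
        if len(data) < min_growth:      # too small to carry this variant
            continue
        tail = data[-max_growth:]       # virus body is at the end of the file
        if all(m in tail for m in markers):
            return name
    return None

def scan_tree(root):
    """Walk root and return [(path, variant)] for matching .COM/.EXE files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.upper().endswith((".COM", ".EXE")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    variant = classify(fh.read())
            except OSError:
                continue                # unreadable file: skip, keep scanning
            if variant:
                hits.append((path, variant))
    return hits

def constructed_sample(marker, growth, host=b"\x90" * 64):
    """Constructed test data: inert host bytes plus a padded marker, no viral code."""
    return host + marker + b"\x00" * (growth - len(marker))

if __name__ == "__main__":
    for path, variant in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: marker strings for {variant} found in file tail")
```

Restricting the search to the tail keeps a text file or document that merely quotes these strings near its start from being flagged; a hit is an indicator for follow-up with one of the listed scanners, not a confirmation.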
