Details
Astra Family

Astra.498,510,521
These are not dangerous memory resident parasitic viruses. They move themselves into Interrupt Vectors Table at the address 0020:XXXX, hook INT 21h and infect SYS-files of the current directory on every call to DOS function FindFirst. The viruses write themselves at the file end, in which they modify only interrupt subroutine address.
The viruses of this family contain the text “(5)” and depending of the virus version one of the following strings:
(C) AsTrA,1990,JPN
(C) AsTrA,1990
(C) AsTrA,JPN
(C) AsTrA, 1991

The infectors display one of the messages:
I like cold flavour !
I like fragrant smell of flower!
I like a flower’s smell!

“Astra.7821″ displays a picture in graphic video mode.
Astra_II viruses
These are dangerous memory resident encrypted parasitic viruses. On execution they search for not infected files and hit them, hook INT 21h and stay memory resident. Then these viruses infect the files are executed. “Astra_II.505,882,976″ hit COM-files only, other “Astra_II” viruses hit both COM- and EXE-files, “Astra_II.1556″ hits COM-, EXE- and SYS-files.
In depending of system timer they encrypt (XOR 55h) Disk Partition Table of hard drive’s MBR, then some of them change video font table. They contain the internal strings:
“Astra_II.505″: (C) AsTrA, 1991 (1)
“Astra_II.882,976″: (C) AsTrA, 1991 (2)
“Astra_II.927″: (C) AsTrA, 1991 Child’s Play (3)
“Astra_II.1010″: (C) AsTrA, 1992 (3)
“Astra_II.1556″: Child’s Play (C) AsTrA
4D *.COM *.EXE *.SYS (4)

Related Posts

This entry was posted on Sunday, July 2nd, 2006 at 6:00 pm and is filed under Virus Threats.