Win32.Andras
Details
Win32.Andras
This is a direct-action (non-memory-resident) parasitic polymorphic Win32 virus. It searches for PE EXE files with .EXE and .SCR extensions in the current directory, then in the Windows and Windows system directories, then in all subdirectories on all available local drives, and infects them. While infecting, the virus writes itself to the end of the file. The file search and infection run in the background, so running an infected application is not slowed down too much.
The virus checks file names and does not infect the following files:
AP*, PA*, F-*, AV*, SC*, VS*, IV*, DR*.
The virus corrupts the following anti-virus data files:
ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.DAT, CHKLIST.TAV, CHKLIST.CPS, AVP.CRC, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS
Starting from 2001, on the second of each month the virus randomly increases the size of randomly selected files. The file size is increased up to 1Mb.
The virus contains the “copyright” string:
*ANDRAS* by Pointer=&Hell
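For incident-response scoping, the targeting rules above can be turned into a triage pass over a directory tree. The sketch below is an added example, not code from the original description. It assumes that name matching is case-insensitive and that an MZ header pointing at a PE signature is enough to treat a file as a "PE EXE". The function names and the sample tree are constructed for illustration.

```python
import fnmatch, os, struct, tempfile

# Extensions, name filters and data-file names are taken from the description above.
TARGET_EXTS = (".EXE", ".SCR")
SKIPPED_NAMES = ["AP*", "PA*", "F-*", "AV*", "SC*", "VS*", "IV*", "DR*"]
AV_DATA_FILES = {"ANTI-VIR.DAT", "CHKLIST.MS", "CHKLIST.DAT", "CHKLIST.TAV",
                 "CHKLIST.CPS", "AVP.CRC", "IVB.NTZ", "SMARTCHK.MS", "SMARTCHK.CPS"}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(struct.unpack_from("<I", head, 0x3C)[0])
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def classify(path):
    """Return 'av-data', 'skipped-by-name', 'in-scope' or 'not-targeted'."""
    name = os.path.basename(path).upper()  # assumption: case-insensitive match
    if name in AV_DATA_FILES:
        return "av-data"            # integrity database to rebuild or re-verify
    if not name.endswith(TARGET_EXTS) or not is_pe(path):
        return "not-targeted"
    if any(fnmatch.fnmatchcase(name, pat) for pat in SKIPPED_NAMES):
        return "skipped-by-name"    # excluded by the virus's own name filter
    return "in-scope"               # candidate for a full scan or restore

def triage(root):
    """Walk root and group file paths by classification."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            report.setdefault(classify(p), []).append(p)
    return report

def demo():
    """Constructed sample tree: minimal MZ/PE stubs, not real programs."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel, data in [("notepad.exe", stub), ("SCANDISK.EXE", stub), ("lib.dll", stub),
                      ("sub/saver.scr", stub), ("readme.exe", b"text"), ("CHKLIST.MS", b"x")]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in triage(root).items()}
```

Files reported as `in-scope` are the ones to scan or restore from known-good media; `av-data` hits should be regenerated rather than trusted.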