
July 11th, 2009

Inside Win32:Andras

Win32:Andras is a simple file infector that looks for exe files and adds its body to the last section. The entry point is a bit obfuscated, but the code flow is easy to follow.

andr_stg0

The decryption goes through a simple loop (with a constant key), which is bloated with some garbage instructions. The decryption runs backwards from the virus entry.

andr_stg1

In the picture above we can see some imported functions typical of file infectors. Another part of the decrypted virus body is shown in the next screenshot.

andr_stg2

The list of file names is used to find some important files, which should be discarded to prevent the detection of Andras. The virus also keeps its behavior partially transparent by leaving some chosen AV binaries untouched (it matches two letters of the file name against known file names used by AV vendors). The signature of the virus author is placed right at the beginning of the virus body.

andr_stg3

The virus is well covered by AV engines: http://www.virustotal.com/en/analisis/afc2b22fa6444ee16b47ed4dd9d202aa
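A static triage check for the infection pattern described in this post (virus body added to the last section and run from the virus entry), given here as an added example and not code from the original analysis. It assumes the infected file's entry point is redirected into the last section and that the body decrypts itself in place, so that section is both writable and executable; `last_section_check` and `build_sample` are hypothetical names, and the sample header is constructed.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags


def last_section_check(pe: bytes) -> dict:
    """Flag a PE whose entry point lies in a writable+executable last section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # optional header
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    # The section table follows the optional header; entries are 40 bytes each.
    last = opt + opt_size + 40 * (num_sections - 1)
    if num_sections == 0 or last + 40 > len(pe):
        raise ValueError("missing or truncated section table")
    name = pe[last:last + 8].rstrip(b"\0").decode("latin-1")
    vsize, vaddr, rawsize = struct.unpack_from("<III", pe, last + 8)
    flags, = struct.unpack_from("<I", pe, last + 36)     # Characteristics
    in_last = vaddr <= entry_rva < vaddr + max(vsize, rawsize)
    # Assumption: in-place decryption needs the section writable and executable.
    write_exec = bool(flags & MEM_EXECUTE) and bool(flags & MEM_WRITE)
    return {"last_section": name, "entry_in_last": in_last,
            "write_exec": write_exec, "suspicious": in_last and write_exec}


def build_sample(entry_rva: int) -> bytes:
    """Constructed two-section PE32 header (no code or data) for the demo."""
    def sec(name, size, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size,
                           0, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    return (dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")
            + sec(b".text", 0x1000, 0x1000, 0x60000020)   # code, R+X
            + sec(b".rsrc", 0x2000, 0x2000, 0xE0000040))  # data, R+W+X


if __name__ == "__main__":
    for rva in (0x1500, 0x2800):  # entry in .text, then entry in last section
        print(hex(rva), last_section_check(build_sample(rva)))
```

Packed but clean executables can match the same pattern, so a hit is a reason for closer inspection rather than a verdict.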

  1. FRANCE CLOUTER
    July 23rd, 2009 at 00:04 | #1

    For some reason, when I want to put "émoticons" it freezes and I have to start over again from the stars button.

  2. Carlos
    July 23rd, 2009 at 01:41 | #2

    I have Avast! and I have not had any problem with my computer, and I don't expect to have one. Congratulations on your great team and antivirus.

  3. Laurene
    July 23rd, 2009 at 07:35 | #3

    I’m using Mozilla Firefox and getting screen freezes and system crashes like never before! What’s going on & what can I do to solve this? I’m not very tech-savvy. Help!!!

  4. July 23rd, 2009 at 09:14 | #4

    Please, try to stay on topic.

  5. sutanto
    July 23rd, 2009 at 15:27 | #5

    I am satisfied with AVAST – always up to date, including eliminating Win32:Andras. Thank you, AVAST.

  6. evelyn
    July 23rd, 2009 at 17:01 | #6

    I installed avast on my computer and it has served me better than other antiviruses I have already tried; it is very good as an antivirus. Congratulations on the antivirus.

  7. arunraj essar
    July 24th, 2009 at 16:46 | #7

    install registry mechanic@Laurene
