
July 11th, 2009

Inside Win32:Andras

Win32:Andras is a simple file infector that looks for .exe files and appends its body to the last section of the PE, redirecting the entry point there. The entry point is slightly obfuscated, but the code flow is easy to follow.


The decryption runs through a simple loop with a constant key, bloated with garbage instructions. It proceeds backwards from the virus entry point, so the encrypted body lies before the decryptor stub.


The screenshot above shows some of the imported functions typical of file infectors. Another part of the decrypted virus body is shown in the next screenshot.


The list of file names is used to recognise certain files that are skipped (left uninfected) so as not to reveal Andras. The virus also makes its behaviour partly transparent by leaving some chosen AV binaries untouched: it compares the first two letters of a file name with a set of known file names used by AV vendors. The virus author's signature is placed right at the beginning of the virus body.
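As an added illustration (not code from the post or from Avast), the following Python models the three traits described above on a constructed sample: a PE entry point redirected into the last section, a constant-key decryption loop that walks backwards from that entry point, and the two-letter file name check that spares AV binaries. The XOR key, the author tag, the stub bytes and the two-letter prefixes are assumptions made for the example; the post gives none of them.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumptions (not from the post): the key, the author tag at the start of the
# body, filler payload bytes and a filler decryptor stub for the constructed sample.
KEY = 0x5A
SIGNATURE = b"[hypothetical author tag]"
PAYLOAD = SIGNATURE + b"\xE8\x00\x00\x00\x00" * 8
STUB = b"\x60\x8B\xC0\x90\xE2\xFE\x61"

# Hypothetical two-letter prefixes standing in for the AV vendor names the post
# says Andras compares against; the post does not list the actual letters.
SKIP_PREFIXES = {"av", "nv"}


def build_sample_pe(infected):
    """Construct a minimal two-section PE32 image (constructed sample, not real
    malware). With infected=True the XOR-encrypted PAYLOAD is appended to the
    last section, STUB follows it, the entry point is redirected to the stub and
    the section is marked executable, mirroring the layout the post describes."""
    raw = 0x200
    text = b"\xC3" + b"\x90" * (raw - 1)                 # 'ret' followed by nops
    last = b"\x00" * raw
    last_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    entry_rva = 0x1000
    if infected:
        enc = bytes(b ^ KEY for b in PAYLOAD)
        last = (enc + STUB).ljust(raw, b"\x00")
        entry_rva = 0x2000 + len(enc)                     # stub sits right after the body
        last_flags |= IMAGE_SCN_MEM_EXECUTE
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    pe = 0x40
    hdr[pe:pe + 4] = b"PE\0\0"
    opt_size = 0xE0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)     # AddressOfEntryPoint
    sec = opt + opt_size
    layout = [(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
              (b".data", 0x2000, last_flags)]
    for i, (name, va, flags) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40 * i,
                         name, raw, va, raw, 0x200 + raw * i, 0, 0, 0, 0, flags)
    return bytes(hdr) + text + last


def parse_pe(data):
    """Return (entry_rva, sections) from a PE image; each section is a dict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, raw_size, raw_off, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize,
                             raw_off=raw_off, raw_size=raw_size, flags=flags))
        off += 40
    return entry_rva, sections


def rva_to_offset(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_off"]
    raise ValueError("RVA not backed by any section")


def entry_point_heuristics(data):
    """Cheap triage for appending infectors: is the entry point inside the last
    section, and is that section executable?"""
    entry_rva, sections = parse_pe(data)
    last = sections[-1]
    in_last = last["va"] <= entry_rva < last["va"] + max(last["vsize"], last["raw_size"])
    return {"entry_rva": entry_rva, "entry_in_last_section": in_last,
            "last_section_executable": bool(last["flags"] & IMAGE_SCN_MEM_EXECUTE)}


def decrypt_backwards(data, length, key=KEY):
    """Model of the decryptor the post describes: a constant-key loop walking
    backwards from the entry point. Returns the body in forward byte order.
    The length and key are assumptions for the constructed sample."""
    entry_rva, sections = parse_pe(data)
    end = rva_to_offset(sections, entry_rva)
    out = bytearray(data[p] ^ key for p in range(end - 1, end - 1 - length, -1))
    return bytes(reversed(out))


def is_infection_target(filename):
    """Andras-style selection: .exe files whose first two letters do not match a
    known AV name are candidates; matching files are left untouched."""
    low = filename.lower()
    return low.endswith(".exe") and low[:2] not in SKIP_PREFIXES


if __name__ == "__main__":
    clean, infected = build_sample_pe(False), build_sample_pe(True)
    print(entry_point_heuristics(clean))
    print(entry_point_heuristics(infected))
    print(decrypt_backwards(infected, len(PAYLOAD))[:len(SIGNATURE)])
```

Because the key is constant, the direction of the XOR loop does not change the result; it matters for a real-world variant with a rolling key, where an analyst must replay the loop in the same order the stub does. The entry-point-in-last-section check is a heuristic only: packers and some linkers produce the same layout, so it is a triage signal, not a verdict.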


The virus is well covered by AV engines.

Categories: analyses, Virus Lab

    For some reason, when I want to put "émoticons" it freezes and I have to start over again from the stars button.

  • Carlos

    I have Avast! and I have not had any problem with my computer, and I don't expect to have one. Congratulations on your great team and antivirus.

  • Laurene

    I'm using Mozilla Firefox and getting screen freezes and system crashes like never before! What's going on, and what can I do to solve this? I'm not very tech-savvy. Help!!!

  • Michal Krejdl

    Please, try to stay on topic.

  • sutanto

    I am satisfied with AVAST: it is always updated, including to eliminate Win32:Andras. Thank you, AVAST.

  • evelyn

    I installed Avast on my computer and it has served me better than other antiviruses I have tried; it is very good as an antivirus. Congratulations on the antivirus.

  • arunraj essar

    @Laurene: install Registry Mechanic.