Michal Krejdl

11 July 2009

Inside Win32:Andras

Win32:Andras is simple file infector, that looks for exe files and adds its body to the last section. The entry point is a bit obfuscated, but the code flow is well understandable.


The decryprion goes through a simple loop (with constant key), which is bloated with some garbage instructions. The direction of decryption is backwards from the virus entry.


On the picture above we can see some imported functions specific for file infectors. Another part of the decrypted virus body is shown on the next screen.


The list of file names is used to find some important files, which should be discarded to prevent the detection of Andras. The virus also carries a partial transparency of its behavior by leaving some chosen AV binaries untouched (it matches two letters from the file name to some known file names used by AV vendors). The signature of the virus author is placed right to the beginning of virus body.


The virus is well covered by AV engines http://www.virustotal.com/en/analisis/afc2b22fa6444ee16b47ed4dd9d202aa

Threat Research