Michal Krejdl

11 July 2009

Inside Win32:Andras

Win32:Andras is a simple file infector that looks for .exe files and appends its body to the last section of each host. The entry point is a bit obfuscated, but the code flow is easy to follow.
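The two facts above (body appended to the last section, entry point redirected into it) are exactly what a triage script can look for in a suspect host. The following is an added example, not code from the original post: a pure-Python PE header walker that reports whether the entry point lands in the last section and whether that section is marked executable, plus a builder that fabricates minimal, constructed PE headers so the check can be exercised offline. The section names, sizes and RVAs in the samples are made up; the PE structure offsets and section flag constants are the documented ones.

```python
import struct

# Documented section characteristic flags (IMAGE_SCN_*).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sec_table = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = sec_table + 40 * i             # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry_rva, sections


def triage_entry_point(data):
    """Heuristic for appending infectors: does the entry point sit in the last section,
    and is that section executable and writable (as unpacking/decrypting code needs)?"""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return {"entry_in_last_section": False, "last_section_rwx": False, "last_section": None}
    name, va, vsize, chars = sections[-1]
    in_last = va <= entry_rva < va + vsize
    rwx = bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)
    return {"entry_in_last_section": in_last, "last_section_rwx": rwx, "last_section": name}


def build_sample_pe(entry_rva, sections):
    """Construct a minimal PE32 header set (no real code) for testing the heuristic.
    sections: list of (name, va, vsize, characteristics). Constructed data, not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                          # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    clean = build_sample_pe(0x1000, [(".text", 0x1000, 0x200, 0x60000020),
                                     (".data", 0x2000, 0x100, 0xC0000040)])
    # Infected shape: entry moved into the last section, which is now RWX.
    infected = build_sample_pe(0x2080, [(".text", 0x1000, 0x200, 0x60000020),
                                        (".data", 0x2000, 0x100, 0xE0000040)])
    print("clean   :", triage_entry_point(clean))
    print("infected:", triage_entry_point(infected))
```

The check is a heuristic, not a signature: packers and some linkers also place the entry point in a late section, so hits are candidates for a closer look rather than verdicts.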

[screenshot: andr_stg0]

The decryption goes through a simple loop with a constant key, bloated with garbage instructions. The loop runs backwards, starting from the virus entry point.
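When the loop is that simple, an analyst usually recovers the body without stepping through the garbage instructions at all. The following is an added example, not the author's code: it walks downwards from a given entry offset the way the loop does, applies a constant single-byte key, and ranks every (operation, key) pair by how text-like the result is and whether it contains strings one expects in a file infector's body. The sample image, the key 0x5A, the XOR operation and the marker strings are all constructed assumptions; the post does not disclose the real key or operation.

```python
import string

PRINTABLE = set(bytes(string.printable, "ascii"))

# Candidate inverse operations for a constant-key byte loop (assumed set).
OPS = {
    "xor": lambda b, k: b ^ k,
    "sub": lambda b, k: (b - k) & 0xFF,   # undoes an ADD-based loop
    "add": lambda b, k: (b + k) & 0xFF,   # undoes a SUB-based loop
}

# Strings an analyst would expect inside a decrypted infector body (assumed markers).
MARKERS = (b"CreateFileA", b"FindFirstFileA", b"WriteFile")


def decrypt_backwards(image, entry, length, key, op="xor"):
    """Decrypt `length` bytes that end just before `entry`, walking downwards as the
    loop does; returns the plaintext in normal (ascending) order."""
    f = OPS[op]
    out = bytearray(length)
    for i in range(1, length + 1):          # entry-1, entry-2, ..., entry-length
        out[length - i] = f(image[entry - i], key)
    return bytes(out)


def score(buf):
    """Printable-byte ratio plus one point per expected marker string found."""
    ratio = sum(b in PRINTABLE for b in buf) / max(1, len(buf))
    return ratio + sum(1 for m in MARKERS if m in buf)


def rank_keys(image, entry, length, top=3):
    """Brute-force every single-byte key and operation; best candidates first."""
    cands = [(score(decrypt_backwards(image, entry, length, key, op)), op, key)
             for op in OPS for key in range(256)]
    cands.sort(reverse=True)
    return cands[:top]


# --- constructed sample: a fake host prefix, an XOR-encrypted body, then the entry stub ---
KEY = 0x5A
PLAIN = b"\x00\x00CreateFileA\x00FindFirstFileA\x00WriteFile\x00\xe8\x00\x00"


def build_sample(plain=PLAIN, key=KEY):
    """Return (image, entry_offset) with `plain` XOR-encrypted directly below the entry."""
    cipher = bytes(b ^ key for b in plain)
    prefix = b"MZ" + b"\x00" * 30          # filler standing in for the host file
    image = prefix + cipher + b"\x55\x8b\xec"   # constructed stand-in for the entry stub
    return image, len(prefix) + len(cipher)


if __name__ == "__main__":
    image, entry = build_sample()
    for s, op, key in rank_keys(image, entry, len(PLAIN)):
        print(f"{op:3s} key=0x{key:02x} score={s:.2f}")
    print(decrypt_backwards(image, entry, len(PLAIN), KEY))
```

On a real sample the `entry` offset and the loop length come from the disassembly of the decryptor stub; the ranking only narrows the search, so the top candidate should always be confirmed by checking that the decrypted bytes disassemble sensibly.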

[screenshot: andr_stg1]

The picture above shows some imported functions typical of file infectors. Another part of the decrypted virus body is shown on the next screen.

[screenshot: andr_stg2]

The list of file names is used to find certain important files, which are deleted to hinder the detection of Andras. The virus also tries to keep a low profile by leaving some chosen AV binaries uninfected (it compares two letters of the file name against known names used by AV vendors). The virus author's signature is placed right at the beginning of the virus body.

[screenshot: andr_stg3]

The virus is well covered by AV engines: http://www.virustotal.com/en/analisis/afc2b22fa6444ee16b47ed4dd9d202aa
