Details Andromeda These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM (except COMMAND.COM) and EXE files. In some cases they erase the disk sectors. The viruses contain the text strings: “ANDROMEDA.758”: [ANDROMEDA V1.1] BUDAPEST HUNGARY “ANDROMEDA.800”: ANDROMEDA*ICE*BUDAPEST “ANDROMEDA.1024.a”: AXE “ANDROMEDA.1024.b”: ANDROMEDA V3.0 BUDAPEST (Szegedi Imrének: Ha mi nem lennénk, miböl élnél?) “ANDROMEDA.1024.c”: ANDROMEDA V3.0 “ANDROMEDA.1536.a”: ROF OKI OOT CAN AND RBOGEMAND “ANDROMEDA.1536.b”: ROF OKI OOT CAN AND RBO GEM ANDROMEDA V3.2 HUNGARY “Plus.1337”: ANDROMEDA/plus BUDAPEST 1991 ANDROMEDA.725,758 These viruses write themselves to the end of .COM files. They search for the files to infect them when any program is executed. While infecting, these viruses uses FCB Read/Write functions. “ANDROMEDA.725” also hooks INT 9. Some time after installation it reboots the computer. On October, 5th “ANDROMEDA.758” erases the FAT of the A: drive. ANDROMEDA.800 Depending on the system date it hooks INT 1Ch. Some time after it displays random data and halts the PC. ANDROMEDA.1024.a It also hooks INT 09h. On execution of any file this virus searches for the first .EXE file of the current directory and writes itself to the end of the file. Depending on its internal counter this virus reboots the computer. ANDROMEDA.1536.a,b Sometimes they also hook INT 9h and some time after that reboot the computer. They contain the code of the disk erasing routine, but that routine never receives the control in “ANDROMEDA.1536.b”. ANDROMEDA.Plus It also hooks INT 13h and while reading from disk boot sectors and the MBR of the hard drive puts the image of boot virus “Stoned” to the data buffer . As result: 1) Anti-virus scanners detect this virus on disks, but fail to disinfect it, because there is no “Stoned” virus in real. 2) The backup copies will contain infected disk images, and while restoring a disk from backup the virus will be placed to real disk sector. 3) While copying “sector-to-sector” (by DISKCOPY, for example) the virus will infect the destination disk.

Leave a Reply

Your email address will not be published. Required fields are marked *