Details Andryushka.3536 These are very dangerous memory-resident polymorphic viruses. They affect COM- and EXE-files (excluding COMMAND.COM) whenever an infected file is started (search in directories). “Andryushka” also infect files from its TSR-copy (when the files are opened, run, renamed and so on). After getting infection from virus “Andryushka.3536” EXE-files are changed to COM-format (see the “VACSINA” viruses). The virus penetrates into the middle of a file. The part of the infected file where the virus has been written to is encrypted and placed at the end of the infected file. The virus creates counters in the Boot-sectors of disks and depending on the counters values may corrupt some sectors on the disk C:. On doing this the virus plays a tune and displays the following text: +———————–+ ƒ Hello!!! ƒ ƒ My name is Andryushka ƒ ƒ I come from Perm,USSR ƒ +———————–+ The virus also contains the text: “insufficient memory”. “Andryushka” works with interrupt handlers fairly well: it saves a part of the INT 25h handler in its own body and writes its code (call to INT 21h) into the emptied place. When INT 25h is called its handler is restored.

Leave a Reply

Your email address will not be published. Required fields are marked *