Finnish Sprayer was found in Finland in November 1993, and it
quickly became very widespread in the southern parts of Finland.
The virus will only infect hard drives when an attempt to boot
from an infected diskette is made. Once the virus has infected
the hard drive, all non-protected floppies used in the machine
will be infected. The virus contains the following unencrypted
text: "Tks to B.B, Z-VirX ..... [Aija]".
Finnish Sprayer is two sectors long, and it stores the original
boot sector and it's own code to the last sectors of the active
partition.
The virus activates on the 25th of March. At this date it will
overwrite most sectors of the active partition with random data,
change the screen background to grey, and display the following
text:
FINNISH_SPRAYER.1. Send your painting +358-0-xxxxxxx (FAX), [Aija]
This text is not visible in the virus code, since it has been
encrypted with a XOR 50h operation.
Finnish Sprayer will not infect the hard disk if the active
partitions file system is not DOS. This means that PC's running
for example OS/2, DR-DOS with HD password protection, Windows NT
or some UNIX variant will not be infected.
Virus uses stealth routines, so it cannot be found from hard
disks MBR when it is active in memory. F-Secure anti-virus
products will detect if Finnish Sprayer is resident, and will advise
you to boot from a clean diskette.
[Analysis: Mikko Hypponen, F-Secure]
![](/images/pixel.gif"){kind=tracking}
