F-Secure Virus Descriptions : Spanska
Spanska was distributed in several usenet newsgroups in January 1997.
It is a simple direct action infector of COM files.
Spanska activates occasionally, displaying this text:
Remember those who died for Madrid
No Pasaran! Virus (c) Spanska 1996
The text is displayed on a screen which contains an animation of
flames. The text seems to refer to a famous speech given by Dolores
Ibarruri, a Spanish freedom fighter. She said the famous "No Pasaran"
("They shall not pass") phrase in her radio speech in 1936.
This is a later variant, with minor differences. The displayed text
has been changed to:
Remember those who died for Madrid
No Pasaran! Virus v2 by Spanska 1997
This is another later variant, with minor differences. The displayed text
has been changed to:
To Carl Sagan, poet and scientist,this little Cosmos.
(Spanska 97)
This variant also infects EXE files. It contains this text:
Mars Land, by Spanska(coding a virus can be creative)
This variant was spread in late April, 1997 in newsgroups. Someone
posted infected crack files for the Kali utility and the Eudora mail reader
in KALI-CK.ZIP and EUDR-CK.ZIP to the following newsgroups:
alt.cracks, alt.2600.codez, alt.crackers, alt.2600, alt.2600.crackz,
alt.sex, alt.2600.hackerz, alt.irc and alt.warez.ibm-pc.
Spanska is a good example of a simple virus which could never have
made it in the wild without Internet-wide distribution. Now it is reported
in the wild globally.
Spanska.4250 is one of an increasing number of viruses distributed via
the Internet, in the form of posts to Usenet News.
This virus was found in the wild in September 1997 in the USA, Canada and
Belgium. It has been distributed over the Internet several times.
Spanska.4250 is a stealth infector of COM and EXE files. While the
virus is resident, the change in file size is not visible to the end
user.
The virus is polymorphic, but its polymorphic engine is limited.
However, the virus has several tricks in its decryptor to avoid
detection by most (but not all) heuristic analyzers. The main
virus body also has an anti-heuristic structure.
Spanska.4250 does not infect files whose names start with any of these two-letter pairs:
TB (TBSCAN)
VI (VIRUSAFE)
AV (AVAST, AVP)
NA (NAV)
VS (VSHIELD)
FI (FINDVIRU)
F- (F-PROT)
FV (FINDVIRU)
IV (INVIRCIBLE)
DR (DR SOLOMON?)
SC (SCAN)
GU (GUARD)
CO (COMMAND.COM)
The virus disables its stealth routine when a file whose name starts with
one of these two-letter pairs is executed:
PK (PKZIP)
AR (ARJ)
RA (RAR)
LH (LHA)
BA (BACKUP)
It does not infect COMMAND.COM and COM files which are smaller than
500 bytes or bigger than 56000 bytes. When executed, Spanska.4250
immediately infects the \WINDOWS\WIN.COM file.
The virus has a bug in its file size check routine. As a result, COM
files which are bigger than 56000 bytes will be infected. If a file
has a COM extension but an EXE structure, Spanska.4250 will infect
the file as a COM file and convert the EXE file to a COM file by putting
a JMP instruction at the beginning of the file.
Spanska.4250 activates if an infected file is executed when the
minutes are 30 and the seconds field is less than or equal to 16. It
displays a moving message, similar to the text at the beginning of the
movie Star Wars, with one of the following texts:
ELVIRA !
Black and White Girl
from Paris
You make me feel alive.

ELVIRA !
Pars. Reviens. Respire.
Puis repars.
J'aime ton mouvement.

ELVIRA !
Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

[Analysis: Mikko Hypponen & Peter Szor, F-Secure, 1997]