Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Spanska


Aliases:


Spanska

Malware
Virus
W32

Summary

Spanska was distributed in several usenet newsgroups in January 1997. It is a simple direct action infector of COM files.Spanska activates occasionally, displaying this text:

Remember those who died for Madrid
        No Pasaran! Virus (c) Spanska 1996

The text is displayed on a screen which contains an animation of flames. The text seems to refer to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. She said the famous "No Pasaran" ("They shall not pass") phrase in her radio speech in 1936.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details


Variant:Spanska.1000

This is a later variant, with minor differencies. The displayed text has been changed to:

Remember those who died for Madrid
        No Pasaran! Virus v2 by Spanska 1997


Variant:Spanska.1120.B

This is another later variant, with minor differencies. The displayed text has been changed to:

To Carl Sagan, poet and scientist,this little Cosmos.
        (Spanska 97)


Variant:Spanska.1500 (Mars Land

Other:Non-Resident, COM/EXE-files

This variant infects also EXE files. It contains this text:

   Mars Land, by Spanska(coding a virus can be creative)

This variant was spread in late April, 1997 in newsgroups. Someone posted an infected crack file for Kali utility and Eudora mail reader in KALI-CK.ZIP and EUDR-CK.ZIP to the following newsgroups: alt.cracks, alt.2600.codez, alt.crackers, alt.2600, alt.2600.crackz, alt.sex, alt.2600.hackerz, alt.irc and alt.warez.ibm-pc.Spanska is a good example of a simple virus which could never have made it in the wild without Internet-wide distribution. Now it is reported in the wild globally.


Variant:Spanska.4250 (Spanska_II, Elvira)

Spanska.4250 is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News.This virus was found in the wild in September 1997 in USA, Canada and Belgium. It has been distributed over the internet several times.Spanska.4250 is a stealth infector of COM and EXE files. When the virus is resident the file size difference is not visible for the end user.The virus is polymorphic, but its polymorphic engine is limited. However, the virus has several tricks in its decyptor to avoid detection from most (but not all) of the heuristic analyzers. The main virus body has an anti-heuristic structure also.Spanska.4250 does not infect files starting with these two letters:

TB  (TBSCAN)
  VI  (VIRUSAFE)
  AV  (AVAST, AVP)
  NA  (NAV)
  VS  (VSHIELD)
  FI  (FINDVIRU)
  F-  (F-PROT)
  FV  (FINDVIRU)
  IV  (INVIRCIBLE)
  DR  (DR SOLOMON?)
  SC  (SCAN)
  GU  (GUARD)
  CO  (COMMAND.COM)

Virus disables it's stealth routine when a file starting with these two letters is executed:

PK  (PKZIP)
  AR  (ARJ)
  RA  (RAR)
  LH  (LHA)
  BA  (BACKUP)

It does not infect COMMAND.COM and COM files which are smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediatly infects \WINDOWS\WIN.COM file.The virus has a bug in its file size check rutine. As a result COM files which are bigger than 56000 bytes will be infected. If a file has an COM extension but an EXE structure, Spanska.4250 will infect the file as a COM file and converts the EXE file to COM file by puting a JMP instruction to the beginning of the file.Spanska.4250 activates if an infected file is executed when the minutes are 30 and the second filed is less or equal than 16. It displays a moving message, similary to text in the beginning of the movie Star Wars with one of the following texts:

 ELVIRA !
          Black and White Girl
  from Paris
         You make me feel alive.
   ELVIRA !
         Pars. Reviens. Respire.
 Puis repars.
         J'aime ton mouvement.
   ELVIRA !
         Bruja con ojos verdes
         Eres un grito de vida,
         un canto de libertad.





Technical Details: Mikko Hypponen & Peter Szor, F-Secure, 1997



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.