Threat Description

Spanska

Details

Aliases:Spanska
Category:Malware
Type:Virus
Platform:W32

Summary



Spanska was distributed in several usenet newsgroups in January 1997. It is a simple direct action infector of COM files.Spanska activates occasionally, displaying this text:

Remember those who died for Madrid
  No Pasaran! Virus (c) Spanska 1996

The text is displayed on a screen which contains an animation of flames. The text seems to refer to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. She said the famous "No Pasaran" ("They shall not pass") phrase in her radio speech in 1936.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details




Variant:Spanska.1000

This is a later variant, with minor differencies. The displayed text has been changed to:

Remember those who died for Madrid
  No Pasaran! Virus v2 by Spanska 1997

Variant:Spanska.1120.B

This is another later variant, with minor differencies. The displayed text has been changed to:

To Carl Sagan, poet and scientist,this little Cosmos.
  (Spanska 97)

Variant:Spanska.1500 (Mars Land

Other:Non-Resident, COM/EXE-files

This variant infects also EXE files. It contains this text:

Mars Land, by Spanska(coding a virus can be creative)

This variant was spread in late April, 1997 in newsgroups. Someone posted an infected crack file for Kali utility and Eudora mail reader in KALI-CK.ZIP and EUDR-CK.ZIP to the following newsgroups: alt.cracks, alt.2600.codez, alt.crackers, alt.2600, alt.2600.crackz, alt.sex, alt.2600.hackerz, alt.irc and alt.warez.ibm-pc.Spanska is a good example of a simple virus which could never have made it in the wild without Internet-wide distribution. Now it is reported in the wild globally.


Variant:Spanska.4250 (Spanska_II, Elvira)

Spanska.4250 is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News.This virus was found in the wild in September 1997 in USA, Canada and Belgium. It has been distributed over the internet several times.Spanska.4250 is a stealth infector of COM and EXE files. When the virus is resident the file size difference is not visible for the end user.The virus is polymorphic, but its polymorphic engine is limited. However, the virus has several tricks in its decyptor to avoid detection from most (but not all) of the heuristic analyzers. The main virus body has an anti-heuristic structure also.Spanska.4250 does not infect files starting with these two letters:

TB  (TBSCAN)
  VI  (VIRUSAFE)
  AV  (AVAST, AVP)
  NA  (NAV)
  VS  (VSHIELD)
  FI  (FINDVIRU)
  F-  (F-PROT)
  FV  (FINDVIRU)
  IV  (INVIRCIBLE)
  DR  (DR SOLOMON?)
  SC  (SCAN)
  GU  (GUARD)
  CO  (COMMAND.COM)

Virus disables it's stealth routine when a file starting with these two letters is executed:

PK  (PKZIP)
  AR  (ARJ)
  RA  (RAR)
  LH  (LHA)
  BA  (BACKUP)

It does not infect COMMAND.COM and COM files which are smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediatly infects \WINDOWS\WIN.COM file.The virus has a bug in its file size check rutine. As a result COM files which are bigger than 56000 bytes will be infected. If a file has an COM extension but an EXE structure, Spanska.4250 will infect the file as a COM file and converts the EXE file to COM file by puting a JMP instruction to the beginning of the file.Spanska.4250 activates if an infected file is executed when the minutes are 30 and the second filed is less or equal than 16. It displays a moving message, similary to text in the beginning of the movie Star Wars with one of the following texts:

 ELVIRA !
 Black and White Girl
  from Paris
You make me feel alive.
ELVIRA !
Pars. Reviens. Respire.
 Puis repars.
J'aime ton mouvement.
ELVIRA !
Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.




Technical Details: Mikko Hypponen & Peter Szor, F-Secure, 1997


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More