Spanska was distributed in several usenet newsgroups in January 1997. It is a simple direct action infector of COM files.Spanska activates occasionally, displaying this text:
Remember those who died for Madrid No Pasaran! Virus (c) Spanska 1996
The text is displayed on a screen which contains an animation of flames. The text seems to refer to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. She said the famous "No Pasaran" ("They shall not pass") phrase in her radio speech in 1936.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
This is a later variant, with minor differencies. The displayed text has been changed to:
Remember those who died for Madrid No Pasaran! Virus v2 by Spanska 1997
This is another later variant, with minor differencies. The displayed text has been changed to:
To Carl Sagan, poet and scientist,this little Cosmos. (Spanska 97)
Variant:Spanska.1500 (Mars Land
This variant infects also EXE files. It contains this text:
Mars Land, by Spanska(coding a virus can be creative)
This variant was spread in late April, 1997 in newsgroups. Someone posted an infected crack file for Kali utility and Eudora mail reader in KALI-CK.ZIP and EUDR-CK.ZIP to the following newsgroups: alt.cracks, alt.2600.codez, alt.crackers, alt.2600, alt.2600.crackz, alt.sex, alt.2600.hackerz, alt.irc and alt.warez.ibm-pc.Spanska is a good example of a simple virus which could never have made it in the wild without Internet-wide distribution. Now it is reported in the wild globally.
Variant:Spanska.4250 (Spanska_II, Elvira)
Spanska.4250 is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News.This virus was found in the wild in September 1997 in USA, Canada and Belgium. It has been distributed over the internet several times.Spanska.4250 is a stealth infector of COM and EXE files. When the virus is resident the file size difference is not visible for the end user.The virus is polymorphic, but its polymorphic engine is limited. However, the virus has several tricks in its decyptor to avoid detection from most (but not all) of the heuristic analyzers. The main virus body has an anti-heuristic structure also.Spanska.4250 does not infect files starting with these two letters:
TB (TBSCAN) VI (VIRUSAFE) AV (AVAST, AVP) NA (NAV) VS (VSHIELD) FI (FINDVIRU) F- (F-PROT) FV (FINDVIRU) IV (INVIRCIBLE) DR (DR SOLOMON?) SC (SCAN) GU (GUARD) CO (COMMAND.COM)
Virus disables it's stealth routine when a file starting with these two letters is executed:
PK (PKZIP) AR (ARJ) RA (RAR) LH (LHA) BA (BACKUP)
It does not infect COMMAND.COM and COM files which are smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediatly infects \WINDOWS\WIN.COM file.The virus has a bug in its file size check rutine. As a result COM files which are bigger than 56000 bytes will be infected. If a file has an COM extension but an EXE structure, Spanska.4250 will infect the file as a COM file and converts the EXE file to COM file by puting a JMP instruction to the beginning of the file.Spanska.4250 activates if an infected file is executed when the minutes are 30 and the second filed is less or equal than 16. It displays a moving message, similary to text in the beginning of the movie Star Wars with one of the following texts:
ELVIRA ! Black and White Girl from Paris You make me feel alive. ELVIRA ! Pars. Reviens. Respire. Puis repars. J'aime ton mouvement. ELVIRA ! Bruja con ojos verdes Eres un grito de vida, un canto de libertad.
Technical Details: Mikko Hypponen & Peter Szor, F-Secure, 1997