Classification

Category: Malware

Type: Virus

Aliases: Spanska

Summary

Spanska was distributed in several Usenet newsgroups in January 1997. It is a simple direct action infector of COM files. Spanska activates occasionally, displaying this text:

Remember those who died for Madrid
 No Pasaran! Virus (c) Spanska 1996

The text is displayed on a screen which contains an animation of flames. The text seems to refer to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. She said the famous "No Pasaran" ("They shall not pass") phrase in her radio speech in 1936.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Spanska.1000

This is a later variant, with minor differences. The displayed text has been changed to:

Remember those who died for Madrid
 No Pasaran! Virus v2 by Spanska 1997

Variant: Spanska.1120.B

This is another later variant, with minor differences. The displayed text has been changed to:

To Carl Sagan, poet and scientist,this little Cosmos.
 (Spanska 97)

Variant: Spanska.1500 (Mars Land)

Other: Non-Resident, COM/EXE files

This variant also infects EXE files. It contains this text:

 Mars Land, by Spanska(coding a virus can be creative)

This variant was spread in newsgroups in late April 1997. Someone posted infected crack files for the Kali utility and the Eudora mail reader, in KALI-CK.ZIP and EUDR-CK.ZIP, to the following newsgroups: alt.cracks, alt.2600.codez, alt.crackers, alt.2600, alt.2600.crackz, alt.sex, alt.2600.hackerz, alt.irc and alt.warez.ibm-pc.

Spanska is a good example of a simple virus which could never have made it in the wild without Internet-wide distribution. Now it is reported in the wild globally.

Variant: Spanska.4250 (Spanska_II, Elvira)

Spanska.4250 is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News. This virus was found in the wild in September 1997 in the USA, Canada and Belgium. It has been distributed over the Internet several times.

Spanska.4250 is a stealth infector of COM and EXE files. When the virus is resident, the file size difference is not visible to the end user.

The virus is polymorphic, but its polymorphic engine is limited. However, the virus has several tricks in its decryptor to avoid detection by most (but not all) heuristic analyzers. The main virus body also has an anti-heuristic structure.

Spanska.4250 does not infect files starting with these two letters:

TB (TBSCAN)
VI (VIRUSAFE)
AV (AVAST, AVP)
NA (NAV)
VS (VSHIELD)
FI (FINDVIRU)
F- (F-PROT)
FV (FINDVIRU)
IV (INVIRCIBLE)
DR (DR SOLOMON?)
SC (SCAN)
GU (GUARD)
CO (COMMAND.COM)

The virus disables its stealth routine when a file starting with these two letters is executed:

PK (PKZIP)
AR (ARJ)
RA (RAR)
LH (LHA)
BA (BACKUP)

It does not infect COMMAND.COM and COM files which are smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediately infects the \WINDOWS\WIN.COM file.

The virus has a bug in its file size check routine. As a result, COM files which are bigger than 56000 bytes will be infected. If a file has a COM extension but an EXE structure, Spanska.4250 will infect the file as a COM file and convert the EXE file to a COM file by putting a JMP instruction at the beginning of the file.

Spanska.4250 activates if an infected file is executed when the minutes are 30 and the seconds field is less than or equal to 16. It displays a moving message, similar to the text at the beginning of the movie Star Wars, with one of the following texts:

 ELVIRA !

 Black and White Girl
 from Paris

You make me feel alive.

ELVIRA !

Pars. Reviens. Respire.
Puis repars.

J'aime ton mouvement.

ELVIRA !

Bruja con ojos verdes

Eres un grito de vida,

un canto de libertad.
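
The Spanska.4250 host-selection rules described above (name prefixes, COM size limits and the size-check bug, WIN.COM, the stealth-off list and the activation window) can be turned into a scan-priority helper for a suspect DOS file listing. This is an added example, not code from F-Secure or from the virus; the function names, verdict labels and sample listing are assumptions made for illustration.

```python
import posixpath

# Two-letter name prefixes the page lists for Spanska.4250.
SKIP_PREFIXES = {"TB", "VI", "AV", "NA", "VS", "FI", "F-", "FV", "IV", "DR", "SC", "GU", "CO"}
STEALTH_OFF_PREFIXES = {"PK", "AR", "RA", "LH", "BA"}
MIN_COM_SIZE = 500     # COM files below this size are not infected
MAX_COM_SIZE = 56000   # upper limit that the buggy size check fails to enforce


def _split(path):
    """Return (normalised path, base name, stem, extension), upper-cased, DOS or POSIX separators."""
    norm = path.replace("\\", "/").upper()
    base = posixpath.basename(norm)
    stem, ext = posixpath.splitext(base)
    return norm, base, stem, ext


def triage(path, size):
    """Return (verdict, reason); 'low' is a lower scan priority, not proof of a clean file."""
    norm, base, stem, ext = _split(path)
    if ext not in (".COM", ".EXE"):
        return ("skip", "not a COM or EXE file")
    if base == "COMMAND.COM" or stem[:2] in SKIP_PREFIXES:
        return ("low", "name the virus avoids")
    if norm.endswith("/WINDOWS/WIN.COM"):
        return ("scan-first", "infected as soon as the virus runs")
    if ext == ".COM" and size < MIN_COM_SIZE:
        return ("low", "COM file under 500 bytes")
    if ext == ".COM" and size > MAX_COM_SIZE:
        return ("scan", "over 56000 bytes, infected anyway because of the size-check bug")
    return ("scan", "eligible host")


def stealth_disabled_for(program):
    """True if running this program turns the stealth routine off, per the page's list."""
    return _split(program)[2][:2] in STEALTH_OFF_PREFIXES


def payload_window(minute, second):
    """True inside the activation window: minute 30, seconds 0 through 16."""
    return minute == 30 and 0 <= second <= 16


# Constructed sample listing (path, size in bytes); not taken from a real system.
SAMPLE = [("C:\\WINDOWS\\WIN.COM", 50000), ("C:\\DOS\\TBSCAN.EXE", 120000),
          ("C:\\UTIL\\BIG.COM", 60000), ("C:\\UTIL\\TINY.COM", 120), ("C:\\README.TXT", 10)]

if __name__ == "__main__":
    for path, size in SAMPLE:
        print(path, size, *triage(path, size))
```

Because the virus hides the size increase while resident, sizes fed to `triage` should come from a listing taken after booting from clean media.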