Spanska

Type: Virus
Creator: Spanska/29A
Date: 1996-98
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM), MZ executable (.EXE)
Alias(es): Spanska (common)

Spanska is a family of parasitic, encrypted DOS viruses written by Spanska from 29A. The main characteristic of this family is its creative payloads.

Generally, they infect executables except COMMAND.COM. Some variants are memory resident, while others instead infect a number of files each time they run, and they trigger their payloads depending on the system time. Spanska viruses do not contain any dangerous payload code.

There are 14 known variants in 5 different versions, each version having its own name.

No pasaran variant:

  • Virus.DOS.Spanska.1000
  • Virus.DOS.Spanska.1008
  • Virus.DOS.Spanska.1120.a

Cosmos variant:

  • Virus.DOS.Spanska.1120.b

Mars Land variant:

  • Virus.DOS.Spanska.1474
  • Virus.DOS.Spanska.1500
  • Virus.DOS.Spanska.1509

Spanska II (Elvira variant):

  • Virus.DOS.Spanska.3698 (no activation)
  • Virus.DOS.Spanska.4208
  • Virus.DOS.Spanska.4249
  • Virus.DOS.Spanska.4250
  • Virus.DOS.Spanska.4269
  • Virus.DOS.Spanska.4270

IDEA variant:

  • Virus.DOS.IDEA.6126

Spanska
Type: Virus
Creator: Spanska/29A
Date: 1996
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM)
Alias(es): Spanska
Size: 1,120 bytes
MD5: e6ee18c41a5bb60d9cb9c1ae7d7b4260
SHA-1: ffae17c5033244f7089d9ac79d078e88b1dac2dd
SHA-256: 5dc0359c5d4cc7676d03a7179847b1c4a8be16fa52ac5c9020e63126077224ac
SSDEEP: 48:2j/RLIKImWI0RWI0lkWI0RWI0liI0RWI0vI0RWI0vI0RWI0vI0RWI0qI0RWI0UR3:SRZIZRJtWeUoVS+

Spanska (Cosmos variant) is a parasitic encrypted virus on DOS, written by Spanska from 29A. This virus does not stay memory resident.

Spanska.1120.b is the only variant.

Payload

When the virus is run, it infects the first 6 uninfected DOS executable files by writing itself to the end of their binaries. Every time the virus is run, it displays the following string:

Eudora.exe not found in this directory... Change directory and retry.

The virus does not infect COMMAND.COM or files that are smaller than 1,500 bytes or larger than 56,000 bytes in size.

If there are no more files to infect in the current directory, it changes to other directories to find more files to infect.

When the minute is equal to 52 and the second is less than or equal to 20, it displays a video effect of a simulated cosmos, along with the text:

To Carl Sagan, poet and scientist,
this little Cosmos.  (Spanska 97)

This variant is not equivalent to Spanska.1120.a, which belongs to the No Pasaran version.

Spanska
Type: Virus
Creator: Spanska/29A
Date: 1996
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM)
Alias(es): Spanska

The No Pasaran variant of Spanska is a parasitic encrypted virus on DOS. It is written by Spanska from 29A. The phrase "No Pasaran!" ("They shall not pass!") refers to a famous radio speech given in 1936 by Dolores Ibarruri, a Spanish freedom fighter.

Spanska.1120.a is the initial release from 1996; it contains bugs that might hang the system during execution, but not in those infected files. Spanska.1000 and 1008 are "version 2", as stated in the payload, and they fix some bugs in the 1,120-byte variant.

These variants do not stay memory resident after an execution.

There are 3 variants in this version: Virus.DOS.Spanska.1000, Virus.DOS.Spanska.1008, and Virus.DOS.Spanska.1120.a.

Payload

The first 7 uninfected DOS executable files will be infected when the virus is run.

MD5 hashes:

Variant Hash
Spanska.1000 31d049c63ac02e5a157c1ae8939be4ec
Spanska.1008 1fa3d9434f9f8ced053947c4129584cf
Spanska.1120.a eae30c3ae4c4d00369b3198f9fb30a5a

When an infected file is run at a time when the minute equals 22 and the second is less than 30, the virus activates with a video effect of two flame animations at the lower corners.

Spanska.1000 and 1008

These variants display the messages in sequence:

Remember those who died for Madrid
No Pasaran! Virus v2 by Spanska 1997

Spanska.1120.a

This variant is an earlier release; it displays the messages in sequence:

Remember those who died for Madrid
No Pasaran! Virus (c) Spanska 1996

Spanska
Type: Virus
Creator: Spanska/29A
Date: 1997
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM), MZ executable (.EXE)
Alias(es): Spanska

Spanska (Mars Land) is a parasitic encrypted DOS virus, written by Spanska from 29A.

There are 3 variants in this version: Virus.DOS.Spanska.1474, Virus.DOS.Spanska.1500, and Virus.DOS.Spanska.1509. The virus does not stay memory resident.

When the virus is run, it infects the first 3 uninfected executable files of each format (COM and EXE) in the current directory, i.e. 6 files are infected on each run.

The virus does not infect COMMAND.COM or files that are smaller than 600 bytes.

MD5 hashes:

Variant Hash
Spanska.1474 1379086e28885b177e785ffbe4eb990e
Spanska.1500 2c5736d19cd8d9375a25766bc5279373
Spanska.1509 8c80da330283a7631d9d4bddca38dd12

Payload

The virus activates when the minute is equal to 30 and the second is less than or equal to 30. It displays a high-quality payload of a scrolling Mars-like surface with captions. For its time it was considered high-quality modeling, but by today's standards it is considered low quality.

Spanska.1474 displays the caption:

SPANSKA PresentMars L
Mars Landing|μ♥  *.* *.C* *.E* .

The later part of the caption (containing garbage letters and filename extensions) is not expected to be shown.

Spanska.1500 and 1509 are bug-fix releases of Spanska.1474; they display the caption:

Mars Land, by Spanska
(coding a virus can be creative)

[Image: payload screen of Spanska.1474]

The virus contains the internal text string:

*.* *.C* *.E*

IDEA
Type: Virus
Creator: Spanska/29A
Date: 1998
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM), MZ executable (.EXE)
Alias(es): IDEA, Spanska
Size: Varies
MD5: 84743bf74dd95541a0ddf4acffa6419f
SHA-1: 1dd7d5ebff814b7fc13950c6fe7892db9feeb7ba
SHA-256: cdc51e763478849ead5e4546a647655b497312f597ff89288e31d252f457ef69
SSDEEP: 192:xOKOkUlfxDb0caG5DNhUPscc5TnXKxRWp7Ff:xbOk0fxn0ca2DNv/FKx6Rf

Virus.DOS.IDEA.6126, also referred to as Spanska.6126, is a memory resident parasitic polymorphic encrypted DOS virus, written by Spanska from 29A.

This virus is also identified as Spanska by some antivirus products, and it is the successor of Spanska_II.

After the virus has been loaded into memory, it hooks INT 21h to infect any executable that is run, and it ignores files with the filenames:

COMMAND VSAFE

The virus uses stealth, and the infection size varies from file to file, but it can still show absolutely no observable size change because it stores the size value in the infected files.

The TSR memory usage of the virus is 18,400 bytes.

Payload

When the virus is first executed, it displays the string:

fake host

When an infected program is run while the minute is equal to 30 and the second is less than or equal to 16, the virus activates with a Matrix-styled video effect that spins two differently colored texts:

Warning!
strong
crypto
inside

Files infected by Spanska_II may also be detected by IDEA, but IDEA may still infect these files when they are run, as long as it stays in memory.

The virus contains the internal text strings:

IDEA virus (c) Spanska 98
Thx to Rajaat (poly), F Mirza (IDEA), Wild Worker (zip), Solar D (road)

Spanska_II
Type: Virus
Creator: Spanska/29A, SunSoft
Date: 1997
Origin: Spain
Programming Language: Assembly
Platform: MS-DOS
File Type: DOS executable (.COM), MZ executable (.EXE)
Alias(es): Spanska_II, Spanska, Elvira

The Elvira variant of Spanska, or simply Spanska_II, is a memory resident parasitic encrypted virus on DOS, written by Spanska from 29A. It was first discovered in September 1997.

There are 6 variants in 3 versions, represented by the following: Virus.DOS.Spanska_II.3698, Virus.DOS.Spanska_II.4208 and Virus.DOS.Spanska_II.4249.

The virus infects C:\WINDOWS\WIN.COM immediately when it is loaded into memory, and then it starts infecting executable files that are run. The virus uses stealth so that there is no observable file size change.

The virus ignores files that are smaller than 500 bytes or larger than 56,000 bytes. It also does not infect files whose names begin with any of the following pairs of letters:

AV CO DR FI FV F- GU IV NA SC TB VI VS

As a result, COMMAND.COM is not infected.

If an executable's filename begins with any of the following pairs of letters, the virus will no longer hide itself (stealth routine disabled):

AR BA LH PK RA

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Spanska_II.3698 7,440
Spanska_II.4208 8,432
Spanska_II.4249 8,528
Spanska_II.4250 8,528
Spanska_II.4269 ?
Spanska_II.4270 8,560

MD5 hashes:

Variant Hash
Spanska_II.3698 6bb681ca33e2e970fa595d38f165d954
Spanska_II.4208 7fddd0769626d748083c8bfbb7073fdd
Spanska_II.4249 a53f9fd5a663a062b8b63a2070fbf676
Spanska_II.4250 0969b33fa797a278a975f8c5e2c9cc03
Spanska_II.4269 865f8ee99bdc3d6e65662b400a6ee71f
Spanska_II.4270 c18434bbd923c5f7cb8096d354c5ca42

Payload

When an infected program is run at a time when the minute is equal to 30 and the second is less than or equal to 16, the virus activates and displays scrolling text in Star Wars style. These variants contain more than one combination of text strings, and they choose which one to display depending on the system time: the count starts from January 1st of each year and cycles every certain number of days, depending on the number of text groups available.

In any leap year, the text to be displayed on February 29th is the same as that on March 1st, and the version of the text to be picked is Day 3.
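
To reproduce the payload in an emulator, an analyst needs to know which clock setting triggers it and which text group to expect. The following Python model of the timing described above is an added example, not code from this wiki or from the virus; the day counter without leap-year handling and the rule that January 1st selects Day 1 are assumptions, chosen because they reproduce the February 29th / March 1st / Day 3 behaviour stated above for the three-group variants.

```python
from datetime import datetime

# Text-group counts per variant, as listed on this page (3698 has no payload).
GROUPS = {"3698": 0, "4208": 2, "4249": 3, "4250": 3, "4269": 3, "4270": 3}

# Days before each month in a non-leap year. Assumption: the counter ignores
# leap years, which is what makes February 29th collide with March 1st.
DAYS_BEFORE = [0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334]


def in_trigger_window(ts):
    """Page: minute equal to 30 and second less than or equal to 16."""
    return ts.minute == 30 and ts.second <= 16


def day_counter(ts):
    """Day number counted from January 1st (= 1), without leap-year handling."""
    return DAYS_BEFORE[ts.month - 1] + ts.day


def text_group(variant, ts):
    """Return the 'Day N' group expected for this date, or None if no payload.

    Assumption: January 1st selects Day 1 and the groups rotate daily.
    """
    n = GROUPS[variant]
    if n == 0:
        return None
    return (day_counter(ts) - 1) % n + 1


def predict(variant, ts):
    """Summarise what to expect when an infected program is run at ts."""
    group = text_group(variant, ts)
    fires = in_trigger_window(ts) and group is not None
    return {"variant": variant, "fires": fires, "group": group if fires else None}


if __name__ == "__main__":
    # Constructed emulator clock settings, not observed data.
    for stamp in ("1997-01-01 10:30:05", "2000-02-29 10:30:16",
                  "2000-03-01 10:30:00", "1997-03-01 10:30:17"):
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        print(stamp, predict("4249", ts))
```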

Spanska_II.3698

This variant contains no payload so it does not manifest itself in any way.

Spanska_II.4208

This variant has 2 combinations of text strings available.

The common text string is displayed at first:

SORRY !

Day 1:

DAS IST BLOß EINE
GECRACKTE
VERSION VON SPANSKA.

Translation (from German):

THIS IS MERELY A
CRACKED
VERSION OF SPANSKA.

The original content of the last sentence is:

VERSION VON SPANSKA.4250

But the last four characters were not displayed due to the lack of space.

Day 2:

This part seems to be corrupted and it displayed garbage characters instead.

Spanska_II.4249, 4250 and 4270

These variants have 3 combinations of text strings available.

The common text string is displayed at first:

ELVIRA !

And one of the following groups of text strings is selected to display.

Day 1:

Pars, Reviens, Respire,
Puis repars.
J'aime ton mouvement.

Translation (from French):

Leave, Return, Breathe,
Then leave again.
I like your movement.

Day 2:

Black and White Girl
from Paris
You make me feel alive.

Day 3:

Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

Translation (from Spanish):

Witch with green eyes
You're a cry of life,
a song of freedom.

Spanska_II.4269

This variant also has 3 combinations of text strings available.

The common text string is displayed at first:

BIRGIT !

And one of the following groups of text strings is selected to display.

Day 1:

Blond and White Girl
from Italy
You make me feel silly.

Day 2:

Du bist meine Seele (?)
Mein Leib !
Ich werde mich ändern

Translation (from German):

You are my soul
My Body!
I will change myself

Day 3:

Gib mir no' 1 Chance!
Es tut mir sehr leid !
Verzeih mir bitte !!!

Translation (from German):

Give me a chance!
I am very sorry!
Please forgive me!!!

Variants

This family has 6 variants in total:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249
  • Virus.DOS.Spanska_II.4250
  • Virus.DOS.Spanska_II.4269
  • Virus.DOS.Spanska_II.4270

These variants are unofficially called the "Star Wars variant".

Spanska_II.4208 and 4269 belong to different authors.

Spanska_II.4269 requires debugging in order to let the virus load into memory; otherwise, it simply hangs or even crashes the system without infecting any file or delivering the payload.

Virus.DOS.IDEA.6126 is the successor of Spanska_II, as it also belongs to the Spanska family.

Files infected by IDEA may also be detected by Spanska_II, but Spanska_II does not avoid such files, so it infects them as usual when they are run, as long as it stays in memory.

Spanska_II.3698, 4249, 4250 and 4270 contain the encrypted internal text strings:

C:\WINDOWS\WIN.COM
(c) SPANSKA 97

Spanska_II.4208 contains the encrypted internal text strings:

(c) SunSoft Team
EXE
C:\WINDOWS\WIN.COM
(c) SunSoft Team 98

Spanska_II.4269 contains the encrypted internal text strings:

C:\WINDOWS\WIN.COM
Doctor Rave 98
