FANDOM


The Elvira variant of Spanska, or Spanska_II in simple, is a memory resident parasitic encrypted virus on DOS, written by Spanska from 29A. It was first discovered in September 1997.

There are 6 variants in 3 versions, represented by the following:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249

BehaviorEdit

When the virus is loaded into memory, it infects C:\WINDOWS\WIN.COM by instant and starts infecting executables that are run. The virus behaves stealthy so that there is no observable file size change.

The virus ignores files that are smaller than 500 bytes or larger than 56,000 bytes. And it does not infect files that their name begins with any of the following pairs of letters:

AV CO DR FI FV F- GU IV NA SC TB VI VS

As the result, COMMAND.COM would not be infected.

If an executable with its filename begins with any of the following pairs of letters, the virus will no longer hide itself (sealth routine disabled):

AR BA LH PK RA

Memory usageEdit

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Spanska_II.3698 7,440
Spanska_II.4208 8,432
Spanska_II.4249 8,528
Spanska_II.4250 8,528
Spanska_II.4269 ?
Spanska_II.4270 8,560

MD5 hashesEdit

You can obtain information by checking the MD5 hash codes.

Variant Hash
Spanska_II.3698 6bb681ca33e2e970fa595d38f165d954
Spanska_II.4208 7fddd0769626d748083c8bfbb7073fdd
Spanska_II.4249 a53f9fd5a663a062b8b63a2070fbf676
Spanska_II.4250 0969b33fa797a278a975f8c5e2c9cc03
Spanska_II.4269 865f8ee99bdc3d6e65662b400a6ee71f
Spanska_II.4270 c18434bbd923c5f7cb8096d354c5ca42

PayloadEdit

When an infected program is run at the time that the minute is equal to 30, and second is less than or equal to 16, the virus activates and displays a scrolling text in Star Wars style. These variants contain more than one combination of text strings to be displayed, depend on the system day they pick one of them, which counts from January 1st in any year and cycles every certain days, depends on the number of groups of text available.

In any leap year, the text to be displayed on February 29th is same as that on March 1st, and the version of the text to be picked is Day 3.

Spanska_II.3698Edit

This variant contains no payload so it does not manifest itself at anyway.

Spanska_II.4208Edit

This variant has 2 combinations of text strings available.

The common text string is displayed at first:

SORRY !

Day 1:

DAS IST BLOß EINE
GECRACKTE
VERSION VON SPANSKA.

Translation (from German):

THIS IS MERELY AN
CRACKED
VERSION OF SPANSKA.

The original content of the last sentence is:

VERSION VON SPANSKA.4250

But the last four characters were not displayed due to the lack of space.

Day 2:

This part seems to be corrupted and it displayed garbage characters instead.

Spanska_II.4249, 4250 and 4270Edit

These variants have 3 combinations of text strings available.

The common text string is displayed at first:

ELVIRA !

And one the following groups of text strings is selected to display.

Day 1:

Pars, Reviens, Respire,
Puis repars.
J'aime ton mouvement.

Translation (from French):

Leave, Return, Breathe,
Then leaves.
I like your movement.

Day 2:

Black and White Girl
from Paris
You make me feel alive.

Day 3:

Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

Translation (from Spanish):

Witch with green eyes
You're a cry of life,
a song of freedom.

Spanska_II.4269Edit

This variant also have 3 combinations of text strings available.

The common text string is displayed at first:

BIRGIT !

And one the following groups of text strings is selected to display.

Day 1:

Blond and White Girl
from Italy
You make me feel silly.

Day 2:

Du bist meine Seele (?)
Mein Leib !
Ich werde mich ändern

Translation (from German):

You are my soul (?)
My Body!
I will change myself

Day 3:

Gib mir no' 1 Chance!
Es tut mir sehr leid !
Verzeih mir bitte !!!

Translation (from German):

Give me a chance!
I am very sorry!
Please forgive me!!!

VariantsEdit

This family has 6 variants in total:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249
  • Virus.DOS.Spanska_II.4250
  • Virus.DOS.Spanska_II.4269
  • Virus.DOS.Spanska_II.4270

Other detailsEdit

These variants are unofficially called as "Star Wars variant".

Spanska_II.4208 and 4269 belong to different authors.

Spanska_II.4269 requires debugging in order to let the virus to load into memory, otherwise it would simply hang or even crash the system without infecting any file or delivering the payload.

Virus.DOS.IDEA.6126 is the successor of Spanska_II, as it also belongs to the Spanska family.

Files infected by IDEA may also be detected by Spanska_II, but it does not avoid such files so it infects these files as usual when run, as long as Spanska_II stays in memory.

Spanska_II.3698, 4249, 4250 and 4270 contain the encrypted internal text strings:

C:\WINDOWS\WIN.COM
(c) SPANSKA 97

Spanska_II.4208 contains the encrypted internal text strings:

(c) SunSoft Team
EXE
C:\WINDOWS\WIN.COM
(c) SunSoft Team 98

Spanska_II.4269 contains the encrypted internal text strings:

C:\WINDOWS\WIN.COM
Doctor Rave 98

ReferencesEdit

  1. Description of Spanska on F-Secure Labs

VideosEdit

Spanska DOS Virus "Star Wars" Variant02:07

Spanska DOS Virus "Star Wars" Variant

Spanska_II virus review by danooct1

See alsoEdit

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.