FANDOM


The Elvira variant of Spanska, or Spanska_II in simple, is a memory resident parasitic encrypted virus on DOS, written by Spanska from 29A, it was first discovered in September 1997.

There are 6 variants in 3 versions, represented by the following:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249

Behavior

When the virus is loaded into memory, it infects C:\WINDOWS\WIN.COM by instant and starts infecting executables that are run. The virus behaves stealthy so that there is no observable file size change.

The virus ignores files that are smaller than 500 bytes or larger than 56,000 bytes. And it does not infect files that their name begins with any of the following pairs of letters:

AV CO DR FI FV F- GU IV NA SC TB VI VS

As the result, COMMAND.COM would not be infected.

If an executable with its filename begins with any of the following pairs of letters, the virus will no longer hide itself (sealth routine disabled):

AR BA LH PK RA

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Spanska_II.3698 7,440
Spanska_II.4208 8,432
Spanska_II.4249 8,528
Spanska_II.4250 8,528
Spanska_II.4269 ?
Spanska_II.4270 8,560

Payload

When an infected program is run at the time that the minute is equal to 30, and second is less than or equal to 16, the virus activates and displays a scrolling text in Star Wars style. These variants contain more than one combination of text strings to be displayed, depend on the system day they pick one of them, which counts from January 1st in any year and cycles every certain days, depends on the number of groups of text available.

In any leap year, the text to be displayed on February 29th is same as that on March 1st, and the version of the text to be picked is Day 3.

Spanska_II.3698

This variant contains no payload so it does not manifest itself at anyway.

Spanska_II.4208

This variant has 2 combinations of text strings available.

The common text string is displayed at first:

SORRY !

Day 1:

DAS IST BLOß EINE
GECRACKTE
VERSION VON SPANSKA.

Translation (from German):

THIS IS MERELY AN
CRACKED
VERSION OF SPANSKA.

The original content of the last sentence is:

VERSION VON SPANSKA.4250

But the last four characters were not displayed due to the lack of space.

Day 2:

This part seems to be corrupted and it displayed garbage characters instead.

Spanska_II.4249, 4250 and 4270

These variants have 3 combinations of text strings available.

The common text string is displayed at first:

ELVIRA !

And one the following groups of text strings is selected to display.

Day 1:

Pars, Reviens, Respire,
Puis repars.
J'aime ton mouvement.

Translation (from French):

Leave, Return, Breathe,
Then leaves.
I like your movement.

Day 2:

Black and White Girl
from Paris
You make me feel alive.

Day 3:

Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

Translation (from Spanish):

Witch with green eyes
You're a cry of life,
a song of freedom.

Spanska_II.4269

This variant also have 3 combinations of text strings available.

The common text string is displayed at first:

BIRGIT !

And one the following groups of text strings is selected to display.

Day 1:

Blond and White Girl
from Italy
You make me feel silly.

Day 2:

Du bist meine Seele (?)
Mein Leib !
Ich werde mich ändern

Translation (from German):

You are my soul (?)
My Body!
I will change myself

Day 3:

Gib mir no' 1 Chance!
Es tut mir sehr leid !
Verzeih mir bitte !!!

Translation (from German):

Give me a chance!
I am very sorry!
Please forgive me!!!

Variants

This family has 6 variants in total:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249
  • Virus.DOS.Spanska_II.4250
  • Virus.DOS.Spanska_II.4269
  • Virus.DOS.Spanska_II.4270

Other details

These variants are unofficially called as "Star Wars variant".

Spanska_II.4208 and 4269 belong to different authors.

Spanska_II.4269 requires debugging in order to let the virus to load into memory, otherwise it would simply hang or even crash the system without infecting any file or delivering the payload.

Virus.DOS.IDEA.6126 is the successor of Spanska_II, as it also belongs to the Spanska family.

Files infected by IDEA may also be detected by Spanska_II, but it does not avoid such files so it infects these files as usual when run, as long as Spanska_II stays in memory.

Spanska_II.3698, 4249, 4250 and 4270 contain the encrypted internal text strings:

C:\WINDOWS\WIN.COM
(c) SPANSKA 97

Spanska_II.4208 contains the encrypted internal text strings:

(c) SunSoft Team
EXE
C:\WINDOWS\WIN.COM
(c) SunSoft Team 98

Spanska_II.4269 contains the encrypted internal text strings:

C:\WINDOWS\WIN.COM
Doctor Rave 98

References

  1. Description of Spanska on F-Secure Labs

See also

Videos

Spanska DOS Virus "Star Wars" Variant02:07

Spanska DOS Virus "Star Wars" Variant

Spanska_II virus review by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.