Tequila is an advanced multipartite virus from 1991. It is notable for its armoring techniques, particularly in the area of decryption.
When a file infected with Tequila is executed, the virus infects the master boot record. In a manner similar to Flip, the virus reduces the size of the disk's partition by 6 sectors and placing its code in the sectors that are outside of the partition. When the disk is booted, the virus becomes memory resident. When .exe files are executed, the virus appends its 2,468 bytes to them.
It will not infect files with the letters "sc" and "v" in their names. This is probably to avoid infecting antivirus programs.
The virus displays the message:
Welcome to T.TEQUILA's latest production. Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland Loving thoughts to L.I.N.D.A BEER and TEQUILA forever ! Execute: mov ax, FE03 / int 21. Key to go on!
It will also display a low-resolution fractal.
Tequila has a number of different ways of protecting itself from detection and disassembly. Its code contains many junk instructions to confuse anyone who tries to disassemble it. Similar to the Vienna virus, the seconds timestamp of an infected file is marked with the impossible value of 62. It uses this timestamp to determine when to subtract 2,468 bytes from the file's reported size when the user runs the DIR command.
The virus also makes decryption difficult, as its decryption code is also its decryption key. Setting a breakpoint outside of the virus code fails as the breakpoint instruction will be altered. Setting one inside the code will cause errors in the decryption.
The virus was relatively widespread in Europe. Two people, ages 18 and 21, were questioned by Swiss police about the virus. In 1993, Tequila was common in South Africa.
Paul Ducklin. Tequila.
Morton Swimmer. University of Hamburg, Virus Test Center, Computer Virus Catalog 1.2: "Tequila" Virus. 1991.07.15
McAfee Antivirus, Tequila. 1991.04.15