FANDOM


The Spanska is a family of viruses written by Spanska from 29A, having parasitic and encrypted attributes, and it runs on DOS. The main characteristic of this family is the creative payload.

Generally, they infect executables except COMMAND.COM. Some of these variants are memory resident while some of them infect a number of files during runtime instead, and depend on the system time they trigger their payloads. Spanska viruses do not have any dangerous code of payload.

There are 14 known variants in 5 different versions, having their own names.

No pasaran variant:

  • Virus.DOS.Spanska.1000
  • Virus.DOS.Spanska.1008
  • Virus.DOS.Spanska.1120.a

Cosmos variant:

  • Virus.DOS.Spanska.1120.b

Mars Land variant:

  • Virus.DOS.Spanska.1474
  • Virus.DOS.Spanska.1500
  • Virus.DOS.Spanska.1509

Spanska II (Elvira variant):

  • Virus.DOS.Spanska.3698 (no activation)
  • Virus.DOS.Spanska.4208
  • Virus.DOS.Spanska.4249
  • Virus.DOS.Spanska.4250
  • Virus.DOS.Spanska.4269
  • Virus.DOS.Spanska.4270

IDEA variant:

  • Virus.DOS.IDEA.6126

References

  1. Index of the Spanska family on VX Heaven

Spanska (Cosmos variant) is a parasitic encrypted virus on DOS, written by Spanska from 29A. This virus does not stay memory resident.

Spanska.1120.b is the only variant.

Payload

When the virus is run, it infects first 6 uninfected DOS executable files by writing itself to the end of their binaries.

The virus does not infect COMMAND.COM and files that are smaller than 1,500 bytes or larger than 56,000 bytes in size.

If there is no more files to infect in the current directory, it would change to other directories in order to find more files to infect.

When the minute is equal to 52 and second is less than or equal to 20, it displays a video effect of a simulated cosmos, and also the text:

To Carl Sagan, poet and scientist,
this little Cosmos.  (Spanska 97)

This variant is not equivalent to Spanska.1120.a, which belongs to the version of No Pasaran.

Media

Virus.DOS.Spanska.1120

Virus.DOS.Spanska.1120.b

Spanska.1120

Virus.DOS

Virus.DOS.Spanska 1120b

Spanska (Cosmos variant) virus review by Alles Sandro

References

  1. Description of the Spanska virus on F-Secure Lab

The No Pasaran variant of Spanska is a parasitic encrypted virus on DOS. It is written by Spanska from 29A. The phrase "No Pasaran!" ("They shall not pass!") refers to a famous speech given by Dolores Ibarruri, a Spanish freedom fighter. It was appeared in her radio speech in 1936.

Spanska.1120.a is the initial release in 1996, which contains bugs that might hang the system during execution, but not in those infected files. Spanska.1000 and 1008 are the "version 2" as stated in the payload, as they fixed some bugs since the 1,120-byte variant.

These variants do not stay memory resident after an execution.

There are 3 variants in this version: Virus.DOS.Spanska.1000, Virus.DOS.Spanska.1008, and Virus.DOS.Spanska.1120.a.

Payload

First 7 uninfected DOS executable files will be infected when the virus is run.

MD5 hashes:

Variant Hash
Spanska.1000 31d049c63ac02e5a157c1ae8939be4ec
Spanska.1008 1fa3d9434f9f8ced053947c4129584cf
Spanska.1120.a eae30c3ae4c4d00369b3198f9fb30a5a

When an infected file is run at the time which the minute equals to 22 and the second is less than 30, the virus activates with a video effect of two flame animations at the lower corners.

Spanska.1000 and 1008

These variants displays the messages in sequence:

Remember those who died for Madrid
No Pasaran! Virus v2 by Spanska 1997

Spanska.1120.a

This variant is an earlier release, it displays the messages in sequence:

Remember those who died for Madrid
No Pasaran! Virus (c) Spanska 1996

Media

References

  1. Description of Spanska on F-Secure Labs

Spanska (Mars Land) is a parasitic encrypted DOS virus, written by Spanska form 29A.

There are 3 variants in this version: Virus.DOS.Spanska.1474, Virus.DOS.Spanska.1500, and Virus.DOS.Spanska.1509. The virus does not stay memory resident.

When the virus is run, it infects first 3 uninfected executable files in both COM and EXE formats in current directory, i.e. 6 files are infected on each run.

The virus does not infect COMMAND.COM and files that are smaller than 600 bytes.

MD5 hashes:

Variant Hash
Spanska.1474 1379086e28885b177e785ffbe4eb990e
Spanska.1500 2c5736d19cd8d9375a25766bc5279373
Spanska.1509 8c80da330283a7631d9d4bddca38dd12

Payload

The virus activates when the minute is equal to 30, and the second is less than or equal to 30. It displays a high quality payload of a Mars-esque surface scrolling by and captions. For its time, it was considered to be a high quality modeling, but by today's standards, this is considered to be low quality.

Spanska.1474 displays the caption:

SPANSKA PresentMars L
Mars Landing|μ♥  *.* *.C* *.E* .

The later part of the caption (containing garbage letters and filename extensions) is expected not to be shown.

Spanska.1500 and 1509 are the bug fixing releases since Spanska.1474, they display the caption:

Mars Land, by Spanska
(coding a virus can be creative)
Spanska1474 payload

Payload screen of Spanska.1474

The virus contains the internal text string:

*.* *.C* *.E*

Media

References

  1. Description of Spanska on F-Secure Lab

Virus.DOS.IDEA.6126 also referred as Spanska.6126, is a memory resident parasitic polymorphic encrypted DOS virus, written by Spanska from 29A.

This virus is also identified as Spanska by some antiviruses and it is the successor of Spanska_II.

After the virus has been loaded into memory, it hooks INT 21h to infect any executable that is run, and it ignores files having the filename:

COMMAND VSAFE

The virus behaves stealthy and the infection size varies in different files, but the virus still can show absolutely no observable size change as it stores the size value in the infected files.

The TSR memory usage of the virus is 18,400 bytes.

Payload

When an infected program is run when the minute is equal to 30, and the second is less than or equal to 16, the virus activates with a video effect, by spinning two different colored texts is Matrix-styled.

Warning!
strong
crypto
inside

Files infected by Spanska_II may also be detected by IDEA, but it may still infect these files when run, as long as IDEA stays in memory.

The virus contains the internal text strings:

IDEA virus (c) Spanska 98
Thx to Rajaat (poly), F Mirza (IDEA), Wild Worker (zip), Solar D (road)


The Elvira variant of Spanska, or Spanska_II in simple, is a memory resident parasitic encrypted virus on DOS, written by Spanska from 29A. It was first discovered in September 1997.

There are 6 variants in 3 versions, represented by the following: Virus.DOS.Spanska_II.3698, Virus.DOS.Spanska_II.4208 and Virus.DOS.Spanska_II.4249

The virus infects C:\WINDOWS\WIN.COM by instant when it is loaded into memory, and then it starts infecting executable files that are run. The virus behaves stealthy so that there is no observable file size change.

The virus ignores files that are smaller than 500 bytes or larger than 56,000 bytes. And it does not infect files that their name begins with any of the following pairs of letters:

AV CO DR FI FV F- GU IV NA SC TB VI VS

As the result, COMMAND.COM would not be infected.

If an executable with its filename begins with any of the following pairs of letters, the virus will no longer hide itself (sealth routine disabled):

AR BA LH PK RA

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Spanska_II.3698 7,440
Spanska_II.4208 8,432
Spanska_II.4249 8,528
Spanska_II.4250 8,528
Spanska_II.4269 ?
Spanska_II.4270 8,560

MD5 hashes:

Variant Hash
Spanska_II.3698 6bb681ca33e2e970fa595d38f165d954
Spanska_II.4208 7fddd0769626d748083c8bfbb7073fdd
Spanska_II.4249 a53f9fd5a663a062b8b63a2070fbf676
Spanska_II.4250 0969b33fa797a278a975f8c5e2c9cc03
Spanska_II.4269 865f8ee99bdc3d6e65662b400a6ee71f
Spanska_II.4270 c18434bbd923c5f7cb8096d354c5ca42

Payload

When an infected program is run at the time that the minute is equal to 30, and second is less than or equal to 16, the virus activates and displays a scrolling text in Star Wars style. These variants contain more than one combination of text strings to be displayed, depend on the system day they pick one of them, which counts from January 1st in any year and cycles every certain days, depends on the number of groups of text available.

In any leap year, the text to be displayed on February 29th is same as that on March 1st, and the version of the text to be picked is Day 3.

Spanska_II.3698

This variant contains no payload so it does not manifest itself at anyway.

Spanska_II.4208

This variant has 2 combinations of text strings available.

The common text string is displayed at first:

SORRY !

Day 1:

DAS IST BLOß EINE
GECRACKTE
VERSION VON SPANSKA.

Translation (from German):

THIS IS MERELY AN
CRACKED
VERSION OF SPANSKA.

The original content of the last sentence is:

VERSION VON SPANSKA.4250

But the last four characters were not displayed due to the lack of space.

Day 2:

This part seems to be corrupted and it displayed garbage characters instead.

Spanska_II.4249, 4250 and 4270

These variants have 3 combinations of text strings available.

The common text string is displayed at first:

ELVIRA !

And one the following groups of text strings is selected to display.

Day 1:

Pars, Reviens, Respire,
Puis repars.
J'aime ton mouvement.

Translation (from French):

Leave, Return, Breathe,
Then leaves.
I like your movement.

Day 2:

Black and White Girl
from Paris
You make me feel alive.

Day 3:

Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

Translation (from Spanish):

Witch with green eyes
You're a cry of life,
a song of freedom.

Spanska_II.4269

This variant also have 3 combinations of text strings available.

The common text string is displayed at first:

BIRGIT !

And one the following groups of text strings is selected to display.

Day 1:

Blond and White Girl
from Italy
You make me feel silly.

Day 2:

Du bist meine Seele (?)
Mein Leib !
Ich werde mich ändern

Translation (from German):

You are my soul
My Body!
I will change myself

Day 3:

Gib mir no' 1 Chance!
Es tut mir sehr leid !
Verzeih mir bitte !!!

Translation (from German):

Give me a chance!
I am very sorry!
Please forgive me!!!

Variants

This family has 6 variants in total:

  • Virus.DOS.Spanska_II.3698
  • Virus.DOS.Spanska_II.4208
  • Virus.DOS.Spanska_II.4249
  • Virus.DOS.Spanska_II.4250
  • Virus.DOS.Spanska_II.4269
  • Virus.DOS.Spanska_II.4270

These variants are unofficially called as "Star Wars variant".

Spanska_II.4208 and 4269 belong to different authors.

Spanska_II.4269 requires debugging in order to let the virus to load into memory, otherwise it would simply hang or even crash the system without infecting any file or delivering the payload.

Virus.DOS.IDEA.6126 is the successor of Spanska_II, as it also belongs to the Spanska family.

Files infected by IDEA may also be detected by Spanska_II, but it does not avoid such files so it infects these files as usual when run, as long as Spanska_II stays in memory.

Spanska_II.3698, 4249, 4250 and 4270 contain the encrypted internal text strings:

C:\WINDOWS\WIN.COM
(c) SPANSKA 97

Spanska_II.4208 contains the encrypted internal text strings:

(c) SunSoft Team
EXE
C:\WINDOWS\WIN.COM
(c) SunSoft Team 98

Spanska_II.4269 contains the encrypted internal text strings:

C:\WINDOWS\WIN.COM
Doctor Rave 98

Media

References

  1. Description of Spanska on F-Secure Labs

Community content is available under CC-BY-SA unless otherwise noted.