F-SPAN - Disinfector for the Spanska.4250 virus
Copyright (c) 1997 Data Fellows Ltd

OVERVIEW

F-SPAN will detect and disinfect the Spanska.4250 virus (also known as Elvira). This document gives a brief description of the Spanska.4250 virus and explains how to use F-SPAN to detect and disinfect this virus.

ABOUT THE SPANSKA.4250 VIRUS

Spanska.4250 is one of an increasing number of viruses distributed via the Internet, in the form of posts to Usenet News. This virus was found in the wild in September 1997 in the USA, Canada and Belgium. It has been distributed over the Internet several times.

Spanska.4250 is a stealth infector of COM and EXE files. While the virus is resident, the growth in file size is not visible to the end user. The virus is polymorphic, but its polymorphic engine is limited. However, the virus uses several tricks in its decryptor to avoid detection by most (but not all) heuristic analysers. The main virus body has an anti-heuristic structure as well.

Spanska.4250 does not infect files whose names start with these two letters:

  TB (TBSCAN)
  VI (VIRUSAFE)
  AV (AVAST, AVP)
  NA (NAV)
  VS (VSHIELD)
  FI (FINDVIRU)
  F- (F-PROT)
  FV (FINDVIRU)
  IV (INVIRCIBLE)
  DR (DR SOLOMON?)
  SC (SCAN)
  GU (GUARD)
  CO (COMMAND.COM)

The virus disables its stealth routine when a file whose name starts with these two letters is executed:

  PK (PKZIP)
  AR (ARJ)
  RA (RAR)
  LH (LHA)
  BA (BACKUP)

It does not infect COMMAND.COM, nor COM files which are smaller than 500 bytes or bigger than 56000 bytes. When executed, Spanska.4250 immediately infects the \WINDOWS\WIN.COM file.

Spanska.4250 activates if an infected file is executed when the minutes field of the system time is 30 and the seconds field is less than or equal to 16. It displays a scrolling message, similar to the text at the beginning of the movie Star Wars, with one of the following texts:

  ELVIRA ! Black and White Girl from Paris
  You make me feel alive.

  ELVIRA ! Pars. Reviens. Respire. Puis repars.
  J'aime ton mouvement.

  ELVIRA ! Bruja con ojos verdes
  Eres un grito de vida, un canto de libertad.
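As an added illustration (not part of the original F-SPAN documentation or its code), the following Python models the target-selection and activation rules described above, so that an analyst can triage which files on a DOS volume fall inside the virus's infection profile. The directory listing is constructed sample data; the function names are assumptions.

```python
import ntpath  # handles DOS-style paths on any host platform

# Target-selection rules of Spanska.4250 as described in this document.
# Programs whose names begin with these prefixes are never infected.
NO_INFECT_PREFIXES = ("TB", "VI", "AV", "NA", "VS", "FI", "F-", "FV",
                      "IV", "DR", "SC", "GU", "CO")
# Running a program with one of these prefixes switches the stealth routine off.
STEALTH_OFF_PREFIXES = ("PK", "AR", "RA", "LH", "BA")
COM_MIN_SIZE, COM_MAX_SIZE = 500, 56000  # COM files outside this range are skipped


def is_infection_candidate(path, size):
    """True if a file of this name and size matches the virus's infection profile."""
    name = ntpath.basename(path).upper()
    base, ext = ntpath.splitext(name)
    if ext not in (".COM", ".EXE"):
        return False
    if name == "COMMAND.COM" or base.startswith(NO_INFECT_PREFIXES):
        return False
    if ext == ".COM" and not COM_MIN_SIZE <= size <= COM_MAX_SIZE:
        return False
    return True


def disables_stealth(path):
    """True if executing this program makes the virus turn its stealth off,
    so the real (grown) file size becomes visible to tools reading the file."""
    base = ntpath.splitext(ntpath.basename(path).upper())[0]
    return base.startswith(STEALTH_OFF_PREFIXES)


def payload_triggers(minute, second):
    """Activation window: minutes field == 30 and seconds field <= 16."""
    return minute == 30 and second <= 16


def triage(listing):
    """Split a (path, size) listing into files the virus would and would not infect."""
    hit = [p for p, s in listing if is_infection_candidate(p, s)]
    miss = [p for p, s in listing if not is_infection_candidate(p, s)]
    return hit, miss


# Constructed sample listing (not real files); sizes in bytes.
SAMPLE_LISTING = [
    ("C:\\WINDOWS\\WIN.COM", 22000),
    ("C:\\DOS\\COMMAND.COM", 54000),    # never infected
    ("C:\\DOS\\EDIT.COM", 400),         # below 500 bytes
    ("C:\\DOS\\FORMAT.COM", 60000),     # above 56000 bytes
    ("C:\\TOOLS\\TBSCAN.EXE", 120000),  # excluded by the TB prefix
    ("C:\\TOOLS\\PKZIP.EXE", 42000),    # infectable; also switches stealth off
    ("C:\\WP\\WP.EXE", 300000),
]
```

Running triage(SAMPLE_LISTING) returns WIN.COM, PKZIP.EXE and WP.EXE as candidates and the other four as skipped, which matches the exclusion rules above.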
HOW TO USE F-SPAN

Run F-SPAN with a drive letter or a directory as a parameter. For example:

  F-SPAN C:
  F-SPAN C:\DOS

If F-SPAN finds the virus you will be notified. If the virus is found in memory, you have to boot from a clean system diskette first and then start F-SPAN. Then type F-SPAN /DISINF, and F-SPAN will disinfect any infected files.

Virus analysis and F-SPAN by Peter Szor, Data Fellows F-PROT Professional Development.

LEGAL

F-SPAN is protected by international copyright laws. F-SPAN is (c) 1997 Data Fellows Ltd; it is not in the public domain or freeware, but you are free to use and share this software free of charge. You cannot get the source code of this program. You are not allowed to decompile or reuse the program code of this application. You are not allowed to resell this software for your own profit (normal copying costs excluded) or claim to hold rights to this software. Although you may have the right to use F-SPAN, it will remain the exclusive property of Data Fellows.

Data Fellows does not warrant that the software is error free, and will not cover any costs caused by the function or malfunction of this program. Data Fellows also disclaims liability for possible consequential damages.

To purchase a license for the full F-PROT Professional antivirus toolkit, contact your local distributor listed in PRO.TXT. Please redistribute F-SPAN only with this documentation. If you cannot agree to these restrictions, you should not use F-SPAN.

Copyright (c) 1997 Data Fellows Ltd, Finland

Data Fellows Ltd
Paivantaite 8
FIN-02210 ESPOO
FINLAND
tel:    +358-9-478 444
fax:    +358-9-478 44 599
e-mail: F-PROT-Support@DataFellows.com
www:    http://www.DataFellows.com/