Name: Spanska_II.425 Category: Viruses Description: Details Spanska_II.4250 It is not a dangerous memory resident encrypted semi-polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of .COM and EXE files that are executed. When the virus installs itself memory resident it also affects the C:WINDOWSWIN.COM file. The virus does not infect several anti-virus scanners and COMMAND.COM according to the string (two bytes per name - TBAV, VI*, AVP, NAV, all): TBVIAVNAVSFIF-FVIVDRSCGUCO The virus also disables its semi-stealth routine (decreasing infected file lengths on FindFirst/Next DOS calls) when several compressing utilities and BACKUP are run, the according text strings looks like follows: PKARRALHBA The virus uses anti-debugging tricks in its decryption loops. This decryption loop is semi-polymorphic - it contains 15 blocks that are selected from more than 100 variants depending on the virus random counter (12 variants for 1st block, 10 variants for 2nd block, e.t.c.). The virus random counter is initialized by current date value. As a result while infecting files on the same day the virus will write to files the same decryption loop and encrypt file with the same algorithm, and will change to next variant on decryption loop only on next day. So, the virus polymorphic engine is able to produce only 366 different variants of decryption loop. When an infected file is executed the virus also runs its video effect, it runs it depending on the system time (hours: up to 16, seconds: exactly 30). In this case the virus displays one of messages: ELVIRA ! Black and White Girl from Paris You make me feel alive. ELVIRA ! Pars. Reviens. Respire. Puis repars. J'aime ton mouvement. ELVIRA ! Bruja con ojos verdes Eres un grito de vida, un canto de libertad. The virus also contains the text: (c) Spanska 97