F-SPAN - Disinfector for the Spanska.4250 virus
Copyright (c) 1997 Data Fellows Ltd

OVERVIEW

F-SPAN will detect and disinfect the Spanska.4250 virus (also known as
Elvira). This document gives a brief description of the Spanska.4250
virus and explains how to use F-SPAN to detect and disinfect this
virus.

ABOUT THE SPANSKA.4250 VIRUS

Spanska.4250 is one of an increasing number of viruses distributed via
the Internet, in the form of posts to Usenet News.

This virus was found in the wild in September 1997 in the USA, Canada
and Belgium. It has been distributed over the Internet several times.

Spanska.4250 is a stealth infector of COM and EXE files. When the
virus is resident, the file size difference is not visible to the end
user.

The virus is polymorphic, but its polymorphic engine is limited.
However, the virus has several tricks in its decryptor to avoid
detection by most (but not all) of the heuristic analysers. The main
virus body also has an anti-heuristic structure.

Spanska.4250 does not infect files whose names start with any of these
two-letter prefixes:

  TB  (TBSCAN)
  VI  (VIRUSAFE)
  AV  (AVAST, AVP)
  NA  (NAV)
  VS  (VSHIELD)
  FI  (FINDVIRU)
  F-  (F-PROT)
  FV  (FINDVIRU)
  IV  (INVIRCIBLE)
  DR  (DR SOLOMON?)
  SC  (SCAN)
  GU  (GUARD)
  CO  (COMMAND.COM)

The virus disables its stealth routine when a file whose name starts
with one of these two-letter prefixes is executed:

  PK  (PKZIP)
  AR  (ARJ)
  RA  (RAR)
  LH  (LHA)
  BA  (BACKUP)

It does not infect COMMAND.COM, nor COM files that are smaller than
500 bytes or larger than 56000 bytes. When executed, Spanska.4250
immediately infects the \WINDOWS\WIN.COM file.

Spanska.4250 activates if an infected file is executed when the
minutes are 30 and the seconds field is less than or equal to 16. It
displays a moving message, similar to the text at the beginning of the
movie Star Wars, with one of the following texts:

               ELVIRA !
          Black and White Girl
              from Paris
         You make me feel alive.

               ELVIRA !
         Pars. Reviens. Respire.
             Puis repars.
         J'aime ton mouvement.

               ELVIRA !
         Bruja con ojos verdes
         Eres un grito de vida,
         un canto de libertad.


HOW TO USE F-SPAN

Run F-SPAN with the drive letter or directory as a parameter. For example:

        F-SPAN C:
        F-SPAN C:\DOS

If F-SPAN finds the virus, you will be notified. If the virus is found
in memory, you have to boot from a clean system diskette first and
then start F-SPAN.

Then, type F-SPAN <drive parameter> /DISINF, and F-SPAN will disinfect
any infected files.

Virus analysis and F-SPAN by Peter Szor, Data Fellows F-PROT Professional
Development.

LEGAL

F-SPAN is protected by international copyright laws. F-SPAN is (c)
1997 Data Fellows Ltd, and it is not in public domain or freeware, but
you are free to use and share this software with no charges. You can
not get the source code of this program. You are not allowed to
decompile and reuse the program code of this application. You are not
allowed to resell this software for your own profit (normal copying
costs excluded) or claim to hold rights to this software. Although you
may have the right to use F-SPAN, it will remain the exclusive
property of Data Fellows. Data Fellows does not warrant that the
software is error free and we will not cover any costs created by
function or malfunction of this program. Data Fellows also disclaims
liability for possible consequential damages. To purchase a license
for the full F-PROT Professional antivirus toolkit, contact your local
distributor listed in PRO.TXT. Please redistribute F-SPAN only with
this documentation. If you cannot agree to these restrictions, you
should not use F-SPAN.

Copyright (c) 1997 Data Fellows Ltd, Finland

                 Data Fellows Ltd
                 Paivantaite 8
                 FIN-02210 ESPOO
                 FINLAND
                 tel:    +358-9-478 444
                 fax:    +358-9-478 44 599
                 e-mail: F-PROT-Support@DataFellows.com
                 www:    http://www.DataFellows.com/
