Esperanto
Esperanto
Type File virus
Creator Mister Sandman
Date Discovered 1997.11
Place of Origin Spain
Source Language Assembly
Platform MS Windows, MacOS
File Type(s) .com, .exe, MDEF
Infection Length 4,733 bytes

Esperanto is the first multi-processor virus. It was coded in 1997 by 29A member Mister Sandman. The virus is capable of infecting files on computers running Microsoft Windows and DOS on the x86 processor and MacOS, whether they are on a Motorola or PowerPC processor.

Behavior

Windows/DOS Infection

When Esperanto is executed on a DOS or Windows computer, it checks if a running copy is already in memory, and if not, it becomes memory resident. It infects .com and .exe files as they are executed. It will infect basic DOS .com and .exe files, as well as NewEXE's and Portable EXE's.

Macintosh Infection

To infect Macintosh files, the virus contains an MDEF resource at the end of the virus body. The OS will interpret the Intel code as junk and skip to the Motorola code. This causes the operating system to run the code even without emulation, making the virus memory resident. Its ability to run on PowerPC Macs comes from Motorola emulation in the Macintosh kernel.

The virus will infect system file, so the virus is run when the computer is started. It then infects Finder, causing any file accessed to be infected. Only one instance of Esperanto will run in memory.

Jumping between platforms

To infect a Macintosh from a .com or .exe file, the executable must be run with emulation software sych as SoftPC or SoftWindows. When executed under emulation, the virus drops an MDEF resource containing the virus. To infrect a .com or .exe file from a Macintosh file, Esperanto finds Windows executables running in emulation.

Payload

The virus displays a message box when running on 32-bit Windows systems on 26 July. The significance of this date is that it was when the first was written in the Esperanto language about 110 years before the virus appeared. When the user presses the "OK" button, the virus jumps to the host without infecting any files. The box contains the text:

Never mind your culture / Ne gravas via kulturo,
Esperanto will go beyond it / Esperanto preterpasos gxin;
never mind the differences / ne gravas la diferencoj,
Esperanto will overcome them / Esperanto superos ilin.

Never mind your processor / Ne gravas via procesoro,
Esperanto will work in it / Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.

Now not only a human language, but also a virus...
Turning impossible into possible, Esperanto.

Sources

Mister Sandman. 29a, Issue 2, Esperanto.

Brian McWilliams, PC World News Radio . CNN, Virus writers boast about Win 98 virus. 1998.06.25

Kaspersky Lab. SecureList.com, Virus.Multi.Esperanto.4733. 2000.01.12

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License