Esperanto | |
---|---|
Type | File virus |
Creator | Mister Sandman |
Date Discovered | 1997.11 |
Place of Origin | Spain |
Source Language | Assembly |
Platform | MS Windows, MacOS |
File Type(s) | .com, .exe, MDEF |
Infection Length | 4,733 bytes |
Esperanto is the first multi-processor virus. It was coded in 1997 by 29A member Mister Sandman. The virus is capable of infecting files on computers running Microsoft Windows and DOS on the x86 processor and MacOS, whether they are on a Motorola or PowerPC processor.
Behavior
Windows/DOS Infection
When Esperanto is executed on a DOS or Windows computer, it checks whether a running copy is already in memory, and if not, it becomes memory resident. It infects .com and .exe files as they are executed. It will infect basic DOS .com and .exe files, as well as NewEXE and Portable EXE files.
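For triage, the four host formats named above can be told apart from their headers alone. The following is an added example, not code from the virus or from any of the cited sources; the function names and the sample byte strings are constructed for illustration. It reads the DOS header's pointer at offset 0x3C and checks for the NE or PE signature there.

```python
import struct

def classify_executable(data: bytes) -> str:
    """Return 'PE', 'NE', 'MZ' (plain DOS EXE) or 'COM/unknown'."""
    # DOS EXE files start with the 'MZ' magic ('ZM' is also accepted by DOS).
    if len(data) < 2 or data[:2] not in (b"MZ", b"ZM"):
        # A .com file is a raw code image with no header or magic value,
        # so it cannot be positively identified from its first bytes.
        return "COM/unknown"
    # The pointer to a newer header (e_lfanew) sits at offset 0x3C.
    if len(data) < 0x40:
        return "MZ"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Plain DOS EXEs may hold arbitrary bytes here, so bounds-check first.
    if e_lfanew + 4 > len(data):
        return "MZ"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE"
    if sig[:2] == b"NE":
        return "NE"
    return "MZ"

def make_sample(kind: str) -> bytes:
    """Build a minimal constructed header of the requested kind (test data)."""
    if kind == "COM":
        return b"\xB4\x4C\xCD\x21"            # mov ah,4Ch / int 21h
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    if kind == "MZ":
        return bytes(hdr)
    if kind == "TRUNCATED":
        struct.pack_into("<I", hdr, 0x3C, 0x1000)  # points past end of file
        return bytes(hdr)
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # new header at 0x80
    signature = {"NE": b"NE", "PE": b"PE\0\0"}[kind]
    return bytes(hdr) + bytes(0x40) + signature + bytes(16)

if __name__ == "__main__":
    for kind in ("COM", "MZ", "NE", "PE", "TRUNCATED"):
        print(kind, "->", classify_executable(make_sample(kind)))
```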
Macintosh Infection
To infect Macintosh files, the virus contains an MDEF resource at the end of the virus body. The OS will interpret the Intel code as junk and skip to the Motorola code. This causes the operating system to run the code even without emulation, making the virus memory resident. Its ability to run on PowerPC Macs comes from Motorola emulation in the Macintosh kernel.
The virus infects the System file, so it runs when the computer is started. It then infects Finder, causing any file accessed to be infected. Only one instance of Esperanto will run in memory.
Jumping between platforms
To infect a Macintosh from a .com or .exe file, the executable must be run with emulation software such as SoftPC or SoftWindows. When executed under emulation, the virus drops an MDEF resource containing the virus. To infect a .com or .exe file from a Macintosh file, Esperanto finds Windows executables running in emulation.
Payload
The virus displays a message box when running on 32-bit Windows systems on 26 July. The significance of this date is that it was when the first was written in the Esperanto language about 110 years before the virus appeared. When the user presses the "OK" button, the virus jumps to the host without infecting any files. The box contains the text:
Never mind your culture / Ne gravas via kulturo,
Esperanto will go beyond it / Esperanto preterpasos gxin;
never mind the differences / ne gravas la diferencoj,
Esperanto will overcome them / Esperanto superos ilin.
Never mind your processor / Ne gravas via procesoro,
Esperanto will work in it / Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.
Now not only a human language, but also a virus...
Turning impossible into possible, Esperanto.