Tequila (computer virus)

from Wikipedia, the free encyclopedia
Surname tequila
Known since 1991
First location Switzerland
Virus type Hybrid virus
Other classes Link virus, file virus,
boot sector virus, cluster virus
File size 2,468 bytes
Host files Exe and Com files, boot sectors
and clusters
Polymorph Yes
Stealth Yes
Memory resident Yes

Tequila is a group of computer viruses that spread widely from the beginning of 1991. Despite protective measures that have been improving for a long time, some IT systems in German companies have been infected with this virus. Those affected also included several high schools and a major Frankfurt bank.

Tequila is a so-called "multi-partite" virus and was discovered on January 4, 1991. The program code was written by two brothers from Switzerland aged 18 and 21.


The author of the virus called his program ...

Versions and derivatives

Text displayed by the virus including a simple Mandelbrot graphic .

The group of tequila viruses includes at least four representatives including the original version:

  • Tequila A.
  • Tequila. C.
  • Tequila.D
  • Tequila. F.


Source code of the tequila virus (assembler)

Tequila is a memory resident , encrypted, hidden and multi-partite virus. Its targets are both EXE and COM files as well as the master boot record . Therefore it is one of the hybrid viruses. A very complex encryption and mutilation technique is also used to protect against discovery and decomposition (stealth techniques). These measures make it impossible for simple antivirus programs with string search to locate or remove the virus. This is also the case with the master boot record, since it “preserves” the original messages and partition data.

Infection Routine

An infection can occur either by attempting to boot from an infected floppy disk or by executing an infected EXE file. When infected, the virus writes an unencrypted copy of itself in the last six sectors of the hard drive. The master boot record of the system hard disk is also modified; this indicates that the system is infected. Even so, the virus is not yet memory resident at this point.

After a restart, Tequila becomes memory-resident and is the first application to write itself to the system memory. Since the virus is now memory resident, it can protect itself from being overwritten or deleted. Also, .EXE files on the infected PC become infected with Tequila. The malicious program routines are appended to the end of the file without changing the date of the directory or the file. As soon as one of these programs is started, the virus checks whether the system is already infected and infects it if necessary. The infected applications are increased by 2,468 bytes, but this is no longer recognizable when the virus is resident. The RAM consumption also increases by 3,072 bytes if it is displayed by the DOS internal CHKDSK program.

Nowadays, the risk for modern systems with appropriate anti-virus software is almost zero.


This text is written in the last sectors of the hard disk and can also be found in encrypted form in the infected program files:

Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland.
Loving thoughts to L.I.N.D.A

BEER and TEQUILA forever !

$Execute: mov ax, FE03 / int 21. Key to go on!

Four months after infection and every month thereafter, tequila displays this text and a graphic:

Execute: mov ax, FE03 / int 21. Key to go on!

Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.o.Box 543/6312 St'hausen Switzerland.
Loving thought to L.I.N.D.A.

BEER and TEQUILA forever !

When an application with this section is running, the text that appears in the last few sectors of a hard drive is displayed.


Most antivirus programs are unable to detect and remove the virus in every file type. The greatest danger is that the virus reports file association errors from CHKDSK. Attempting to fix this with CHKDSK / F can destroy data. Further dangers are damaged file connections, damaged data files, damaged program and overlay files as well as changes to the runtime behavior of the system.

Another special feature is the deletion of the checksums attached to the files by the McAfee VirusScan antivirus program . As a result, the scanner was unable to continue its search process and kept checking the same files over and over again.

Distance and current situation

The virus died from the mid-1990s for various reasons:

  • Tequila has been recognized and cleaned by almost every virus scanner since 1991.
  • Diskettes were less important because of the CD-ROM .
  • MS-DOS computers became increasingly rare.
  • The use of antivirus programs established itself.

Individual evidence

Web links