SWF/LFM.926

This page shows the details and results of our analysis of the malware SWF/LFM.926.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

926 bytes

Description Added

2002-01-08

Description Modified

2002-01-13

Characteristics

This is a proof-of-concept virus that infects Macromedia Shockwave Flash (.SWF) files. It is not in the wild at this time. It is unlikely ever to become widespread because it depends on the stand-alone version of the Macromedia Flash Player, rather than the browser plug-in commonly installed on most systems.

When an infected .SWF file is accessed locally (not via a web page) and the stand-alone Flash Player is installed, a script runs that uses CMD.EXE and DEBUG.EXE to create the file V.COM and execute it. Because CMD.EXE is used in this process, the virus can only infect on Windows NT/2000/XP systems. The V.COM file is capable of infecting other .SWF files in the current directory.

Symptoms

Presence of V.COM. Infected files do not change size.

Method of Infection

This virus uses the ActionScripting abilities of Shockwave Flash to create a .COM file, which is used to infect other Shockwave Flash files. The virus corrupts large .SWF files such that repair is not possible for these corrupted files. Infected files should be deleted and restored from backup.
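The behaviour described under Characteristics and Symptoms can be turned into two triage checks. The following is an added example, not part of the original description or of any vendor tooling: it flags DEBUG.EXE processes started by CMD.EXE and lists the .SWF files that share a directory with V.COM. The event format, the placeholder player name "flashplayer.exe" and the directory names are assumptions constructed for the example.

```python
import os
import tempfile

# Constructed process-creation events (not real telemetry).
# "flashplayer.exe" is a placeholder for the stand-alone player's image name.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "flashplayer.exe"},
    {"pid": 210, "ppid": 200, "image": "CMD.EXE"},
    {"pid": 220, "ppid": 210, "image": "DEBUG.EXE"},
    {"pid": 300, "ppid": 100, "image": "cmd.exe"},
    {"pid": 310, "ppid": 300, "image": "ping.exe"},
]

def find_debug_chains(events):
    """Return (grandparent, parent, child) image names for each DEBUG.EXE started by CMD.EXE."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["image"].lower() == "debug.exe" and parent and parent["image"].lower() == "cmd.exe":
            grand = by_pid.get(parent["ppid"])
            chains.append((grand["image"] if grand else None, parent["image"], e["image"]))
    return chains

def sweep_for_vcom(root):
    """Map each directory that holds V.COM to the .SWF files beside it (all of them are suspect)."""
    suspect = {}
    for dirpath, _dirs, files in os.walk(root):
        if any(f.lower() == "v.com" for f in files):
            suspect[dirpath] = sorted(f for f in files if f.lower().endswith(".swf"))
    return suspect

def demo():
    """Run both checks on constructed data: the sample events and a temporary directory tree."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("media/V.COM", "media/a.swf", "media/B.SWF", "clean/c.swf"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()  # empty stand-in files, no real content
        found = sweep_for_vcom(root)
        return find_debug_chains(SAMPLE_EVENTS), {os.path.relpath(d, root): f for d, f in found.items()}

if __name__ == "__main__":
    print(demo())
```

Because infected files do not change size, the sweep reports every .SWF next to V.COM rather than trying to pick out infected ones by length.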

Removal

All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.