This page shows details and results of our analysis of the malware SWF/LFM.926.

  • Malware Type: Virus
  • Malware Sub-type: Shockwave Flash
  • Protection Added: 2002-01-08

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

926 bytes

This is a proof-of-concept virus that infects Macromedia Shockwave Flash (.SWF) files. It is not in the wild at this time. It is unlikely ever to become widespread, because it depends on the stand-alone version of the Macromedia Flash Player rather than the browser plug-in commonly installed on most systems.

When an infected .SWF file is accessed locally (not via a web page) and the stand-alone Flash Player is installed, a script runs that uses CMD.EXE and DEBUG.EXE to create the file V.COM and execute it. Because CMD.EXE is used in this process, the virus can only infect on Windows NT/2000/XP systems. The V.COM file is capable of infecting other .SWF files in the current directory.

Presence of V.COM. Infected files do not change size.

This virus uses the ActionScripting abilities of Shockwave Flash to create a .COM file, which is used to infect other Shockwave Flash files. The virus corrupts large .SWF files in such a way that they cannot be repaired. Infected files should be deleted and restored from backup.

Use current engine and DAT files for detection. Replace files not cleaned with backup copies.
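A triage sweep built on the symptom described above, as an added example that is not part of the original write-up or the vendor's tooling: because infected files do not change size, it flags every directory that contains V.COM and lists the .SWF files beside it as candidates for scanning and restore from backup. The function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

DROPPER_NAME = "v.com"  # indicator from the write-up, matched case-insensitively


def find_suspect_swf(root):
    """Map each directory under root that contains V.COM to its .swf files."""
    findings = {}
    # onerror swallows unreadable directories so one failure does not stop the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        if not any(name.lower() == DROPPER_NAME for name in files):
            continue
        # File size is not a usable signal, so every .swf beside V.COM is suspect.
        findings[dirpath] = sorted(
            os.path.join(dirpath, name)
            for name in files
            if name.lower().endswith(".swf")
        )
    return findings


def build_sample_tree(base):
    """Create a constructed directory layout with empty placeholder files."""
    layout = {
        "site": ["intro.swf", "menu.SWF", "V.COM", "readme.txt"],
        "clean": ["banner.swf"],
        "tools": ["v.com"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "wb").close()


def demo():
    """Run the sweep over the constructed tree; return results relative to it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {
            os.path.relpath(d, base): [os.path.basename(p) for p in swf]
            for d, swf in find_suspect_swf(base).items()
        }


if __name__ == "__main__":
    for directory, swf_files in sorted(demo().items()):
        print(directory, swf_files)
```

A hit only narrows where to look: a file named V.COM is not proof of infection, so the listed .SWF files still need to be checked with current engine and DAT files.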

