Gossamer Forum

First ShockWave Virus!

Received this from Sophos [sophos.com] earlier today:

Code:
Name: SWF/LFM-926
Type: Shockwave infector
Date: 8 January 2002


A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated
into the February 2002 (3.54) release of Sophos Anti-Virus.


Note: At the time of writing Sophos has received no reports of
this virus in the wild. However, due to its new method of
infection we are issuing this advisory.


Description:


SWF/LFM-926 is the first virus which is capable of infecting
Shockwave Flash (.SWF) files, commonly used for animation and
special effects on websites.


When an SWF file is played the virus displays the message
"Loading.Flash.Movie..." and then it infects other SWF files in
the current directory.


The virus makes use of the ability of Shockwave files to run
scripts. In this case it causes the command line interpreter to
run a debug script which produces a file called V.COM. This file
is then automatically run by the virus infecting all other SWF
files in the current directory.


In testing Sophos has confirmed the Shockwave element of the
virus works when the SWF file is downloaded from an affected
website and opened using the Shockwave player.


Sophos recommends webmasters put in place procedures and
policies to ensure the integrity of the code they place on their
websites, whether it be obviously executable (in the case of,
for instance, EXE and COM files) or Shockwave Flash movies.


Sophos Anti-Virus detects both the ShockWave files and the .COM
file.


Please note: Because the virus can spread itself using the .SWF
file extension Sophos technical support recommends users add SWF
to the list of file extensions which Sophos Anti-Virus scans.


Instructions on how to do this are contained in the Windows
NT/2000/XP, Windows 95/98/Me, OS/2 and NetWare FAQs from
http://www.sophos.com/support/faqs/extensions.html



Download the IDE file from
http://www.sophos.com/downloads/ide/lfm-926.ide


Read the analysis at
http://www.sophos.com/virusinfo/analyses/swflfm926.html


Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip


Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


- wil
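
An added example (not part of the Sophos advisory or of the forum posts) of one way a webmaster could act on the integrity recommendation above: take a SHA-256 baseline of every Flash file in a directory, identified by its header signature rather than its extension, and report files that later change. The helper names `is_swf`, `snapshot` and `compare` and the file names are hypothetical, and the sample files are constructed.

```python
import hashlib
import os
import struct
import tempfile

# Flash header signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

def is_swf(path):
    """Identify Flash content by header bytes, not by file extension."""
    with open(path, "rb") as f:
        return f.read(3) in SWF_SIGNATURES

def snapshot(directory):
    """Return {file name: SHA-256} for every Flash file in the directory."""
    hashes = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_swf(path):
            with open(path, "rb") as f:
                hashes[name] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def compare(baseline, current):
    """Report files whose content changed, appeared or vanished."""
    return {
        "changed": sorted(n for n in baseline.keys() & current.keys()
                          if baseline[n] != current[n]),
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed sample: three files published, then one modified."""
    def fake_swf(body):  # first 8 header bytes: signature, version, length
        return b"FWS" + bytes([5]) + struct.pack("<I", 8 + len(body)) + body
    with tempfile.TemporaryDirectory() as site:
        files = {"intro.swf": b"A" * 16, "menu.swf": b"B" * 16,
                 "banner.dat": b"C" * 16}  # Flash content, other extension
        for name, body in files.items():
            with open(os.path.join(site, name), "wb") as f:
                f.write(fake_swf(body))
        baseline = snapshot(site)  # taken at publish time
        with open(os.path.join(site, "menu.swf"), "ab") as f:
            f.write(b"\x00" * 32)  # stands in for any later modification
        return sorted(baseline), compare(baseline, snapshot(site))

if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored somewhere the web server account cannot write to.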
Re: [Wil] First ShockWave Virus!
And the first ever Flash virus reported today, also! Yikes! I don't feel safe at all anymore. I now have to disable Flash & Shockwave on my browser :-(

- wil
Re: [Wil] First ShockWave Virus!
Hi Wil

How do you disable Flash and Shockwave? I looked under (IE6) Tools/Internet Options, but I didn't see anything. (That ain't saying much. It's probably right there under my nose.)

Thanks.


Last edited by DogTags: Jan 9, 2002, 7:08 AM
Re: [DogTags] First ShockWave Virus!
I think the only way is to uninstall it?

- wil