
Shockwave Virus SWF.LFM.926/ACTS.LFM.926

Discussion in 'Security and Privacy' started by Ramona, 2002/01/09.

Thread Status:
Not open for further replies.
  1. 2002/01/09
    Ramona

  2. 2002/01/10
    Alice

    According to the page below, the virus only affects WinNT/2000/XP. Even so, I decided to add .swf to my AV's list of file extensions to scan.

    From Computer Associates http://www3.ca.com/virus/virus.asp?ID=10755

    SWF.LFM.926

    CHARACTERISTICS
    SWF.LFM.926 is a virus which infects Shockwave Flash (.SWF) files.

    In order for the virus to function, an infected .SWF file must be loaded using the stand-alone Flash Player. The virus does not work when viewed with a web browser, using the browser plugin.

    The virus uses Flash scripting to open "CMD.EXE", the command line interpreter on Windows NT/2000/XP. CMD.EXE is not usually present on Win9x/ME systems, and therefore the virus will fail on these systems.

    On systems with CMD.EXE, the virus creates a file called "V.COM" using DEBUG.EXE and then executes it. "V.COM" is a DOS program which searches the current directory for all .SWF files and infects them. The virus works in such a way that most infected files will be corrupted, and may no longer display correctly.
     
    Last edited: 2002/01/10
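
The process chain in the CA write-up above (stand-alone Flash Player opens CMD.EXE, which runs DEBUG.EXE and then V.COM) can be turned into a simple parent/child detection over process-creation events. This is an added example, not part of the original thread or of any vendor's tooling; the event fields, the sample events and the player image name `SAFlashPlayer.exe` are assumptions.

```python
# Added example: flag the chain described in the advisory
# (stand-alone Flash Player -> CMD.EXE -> DEBUG.EXE / V.COM).

# Assumption: image name of the stand-alone player. Projectors are arbitrary
# .EXE names, so extend this set for your own environment.
PLAYER_IMAGES = {"saflashplayer.exe"}
# Child images named in the CA write-up quoted above.
SUSPECT_CHILDREN = {"cmd.exe", "debug.exe", "v.com"}

# Constructed sample events (not real telemetry): pid, parent pid, image name.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": "SAFlashPlayer.exe"},
    {"pid": 211, "ppid": 210, "image": "CMD.EXE"},
    {"pid": 212, "ppid": 211, "image": "DEBUG.EXE"},
    {"pid": 213, "ppid": 211, "image": "V.COM"},
    {"pid": 300, "ppid": 100, "image": "cmd.exe"},       # user-opened shell
    {"pid": 301, "ppid": 300, "image": "debug.exe"},     # no player ancestor
    {"pid": 400, "ppid": 100, "image": "iexplore.exe"},  # browser: not affected
]

def basename(image):
    """Lower-cased file name of an image path (accepts / or \\ separators)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Yield ancestor events, nearest first; stop on unknown parent or a loop."""
    seen = {pid}
    event = by_pid.get(pid)
    while event is not None:
        parent = by_pid.get(event["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        event = parent

def find_player_spawned_shells(events):
    """Return (pid, image, player_pid) for suspect children under a player."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name not in SUSPECT_CHILDREN:
            continue
        for anc in ancestors(e["pid"], by_pid):
            if basename(anc["image"]) in PLAYER_IMAGES:
                findings.append((e["pid"], name, anc["pid"]))
                break
    return findings
```

The same cmd.exe and debug.exe images started from a user's own shell are not flagged, because no stand-alone player appears among their ancestors.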

  4. 2002/01/10
    Ramona

    TheRegister

    Update
    Macromedia has issued a statement clarifying that the issue affects only Macromedia Flash and not Shockwave content, which is produced using Director Shockwave studio, a different product.

    A patch for Macromedia Flash will be available later this week, the firm promises. More information can be found HERE.

    Antivirus vendors, and our initial report, referred to Shockwave Flash but this is inaccurate: .SWF used to stand for Shockwave Flash file format, but now it's just Flash.
    ----

    From Macromedia (above mentioned information)
    Potential standalone Flash Player security issue and SWF Clear Utility

    Product:
    Flash

    Platform:
    Windows

    Versions:
    5.0 and above

    ID:
    16112

    Issue
    Macromedia was recently informed of a potential issue with the standalone Macromedia Flash Player running on Microsoft Windows. This issue does not affect web content viewed in a browser.

    After testing by both Macromedia and Sophos Anti-virus, the company who initially reported this, Macromedia has found that this issue can only affect content that is sent via e-mail or downloaded from a site and then run outside a browser.

    In either case, the content must be run in a Macromedia stand-alone Flash Player or associated Projector executable to represent a risk. This player is not installed by any browser installation, and is only installed with the Macromedia Flash authoring product.

    Note: E-mail users should never open or download attachments or data unless they can be sure it is from a trusted source.

    The behavior of this particular reported virus, SWF/LFM-926, is as follows:

    When executed on a Windows operating system, the virus displays a message saying "Loading Flash Movie", while showing a number puzzle for users to solve. It then creates a program that infects only other Flash files on the same system with the same virus.

    Solution
    For maximum system security, take the following steps:
    1. Download and run the SWF Clear Utility. For help downloading files, refer to Downloading files from the Internet (TechNote 13686).

    This utility removes file type associations for the SWF file format. The result is that opening any SWF file will cause the operating system to prompt you to indicate which program to open the file with. Subsequently, if you receive this prompt when attempting to open a SWF file, cancel the procedure and do not open the file to ensure greatest security.

    Note: Reinstalling the Flash application will re-associate the file type. If you need to reinstall Flash, run the SWF Clear Utility again for maximum security.

    2. Do not open .EXE attachments or files.

    .EXE is a file format for any executable file. These can be programs including installers and Flash projectors, among many other types of files. For maximum security, do not open these types of files unless you are specifically expecting to receive an .EXE from a trusted source.

    If you receive a SWF file or an .EXE file from a trusted source, verify with the sender that the content is safe before opening.

    If you would like to send secure Flash content via e-mail, notify your recipients via other venues that the file is safe. Many Flash developers choose instead to publish the content to the web and e-mail a link instead of an attachment.

    Last updated:
    January 9, 2002

    Keywords:
    Flash Player security, SWF Clear Utility

    Created:
    January 9, 2002

    ©1995-2001 Macromedia, Inc. All rights reserved.
     
  5. 2002/01/11
    Admin.

    Also... to be clear... this affects you only when running the file on a local system. Not when viewing the SWF movie on the Internet....
     