SWF/LFM-926

Please follow the instructions for removing infected executable files.

Please follow the instructions for removing infected executable files.

SWF/LFM-926 is the first virus which is capable of infecting Macromedia Flash (.SWF) files, commonly used for animation and special effects on websites.

When an SWF file is played the virus displays the message "Loading.Flash.Movie..." and then it infects other SWF files in the current directory.

The virus makes use of the ability of Macromedia Flash files to run scripts. In this case it opens a DOS box, launching the command line interpreter to run a debug script which produces a file called V.COM. This file, which is 926 bytes in length, is then automatically run by the virus infecting all other SWF files in the current directory.

In testing Sophos has confirmed the Macromedia Flash element of the virus works when the SWF file is manually downloaded from an affected website and opened using the Macromedia Flash player.

Sophos recommends webmasters put in place procedures and policies to ensure the integrity of the code they place on their websites, whether it be obviously executable (in the case of, for instance, EXE and COM files) or Macromedia Flash movies.

Sophos Anti-Virus detects both the Macromedia Flash files and the .COM file.