* via http://theMezz.com/lists

* subscribe at http://techPolice.com

New virus first to infect Shockwave Flash
By Robert Lemos
Staff Writer, CNET News.com
January 8, 2002, 3:05 p.m. PT
Antivirus companies warned PC users Tuesday that future Shockwave Flash movies could 
carry malicious viruses and worms.

The caution came after an unknown virus writer sent just such an infectious program to 
U.K. antivirus company Sophos. Dubbed SWF/LFM-926, the new program does little but 
infect Flash files on a PC when the movie is played.

"It's really a proof of concept, as opposed to something that you should lie awake at 
night worrying about," said Graham Cluley, senior technology consultant for the 
Abingdon, U.K., company. "But whenever a new vulnerability like this is found, other 
copycats tend to create more malicious variants."

The SWF/LFM-926 should mainly be a concern to Web site designers who use Flash 
animations to add pizzazz to their sites, Cluley said. Shockwave Flash, created by 
digital media company Macromedia, is typically used on sites to add interactive user 
interfaces and multimedia presentations.

Macromedia went even farther, calling the vulnerability through which the virus spread 
"not that serious."

"Ninety-nine-point-nine percent of the time, people play Flash movies from the Web in 
their browser," said Pete Santangeli, vice president of engineering for Flash at the 
San Francisco company. "That's completely safe."

It's only when a Flash file or movie is played on a PC through a standalone player 
included with Macromedia's authoring tools for Web designers that this type of virus 
can actually infect a PC.

When the infected Flash movie is played, the virus displays the message 
"Loading.Flash.Movie..." and drops a 926-byte DOS file onto the PC. This file--named 
V.COM--is run by the virus and infects all other Shockwave Flash files in the current 
directory. The SWF/LFM-926 virus' name is derived from the abbreviation for Shockwave, 
the displayed message and the size of the file.

The virus will only infect Windows NT, Windows 2000 and Windows XP systems, but has 
not yet been seen circulating the Internet. Moreover, since the virus doesn't have a 
way to spread quickly, it's unlikely to infect a large number of PCs in its current 
form, said Craig Schmugar, virus research engineer for security-software maker Network 

"It won't be a very effective spreading method if they only use Shockwave Flash," he 
said, citing NAI tests that confirmed the virus will not spread when the Shockwave 
Flash is played in a Web browser.

"It is a double-edged sword," he said. "They have given their authoring community an 
ability to create increased functionality. For the most part, Macromedia has been 
strict about security; it would have been difficult for them to see this coming."

The virus is not the first to try to fool those PC users with a weakness for Shockwave 
Flash movies. In December 1999, the ProLin worm spread through e-mail by posing as a 
Shockwave movie, but in reality it was a simple Windows program file.

SWF/LFM-926 is a pure virus, meaning the program infects files and can only spread 
when the compromised file is moved to another system.

Macromedia will release a workaround to disable the file association between Shockwave 
Flash files and the local Flash player within a couple of days, Macromedia's 
Santangeli said. In addition, the company plans to close the hole in the player by the 
next version.

For the time being, e-mail users will have to add the SWF file format to their list of 
attachments of which to be wary.

"Just as we have seen a first Adobe Acrobat file infector and the first AutoCAD file 
infector, this is just a new way to get into the PC," NAI's Schmugar said. "It does 
show that the virus writers are always looking for new battleground."
