January 8, 2002 3:05 PM PST

New virus first to infect Macromedia Flash

Antivirus companies warned PC users Tuesday that future Macromedia Flash movies could carry malicious viruses and worms.

The caution came after an unknown virus writer sent just such an infectious program to U.K. antivirus company Sophos. Dubbed SWF/LFM-926, the new program does little but infect Flash files on a PC when the movie is played.

"It's really a proof of concept, as opposed to something that you should lie awake at night worrying about," said Graham Cluley, senior technology consultant for the Abingdon, England-based company. "But whenever a new vulnerability like this is found, other copycats tend to create more malicious variants."

The SWF/LFM-926 should mainly be a concern to Web site designers who use Flash animations to add pizzazz to their sites, Cluley said. Flash technology, created by digital media company Macromedia, is typically used on sites to add interactive user interfaces and multimedia presentations.

Macromedia went even further, calling the vulnerability through which the virus spread "not that serious."

"Ninety-nine-point-nine percent of the time, people play Flash movies from the Web in their browser," said Pete Santangeli, vice president of engineering for Flash at the San Francisco company. "That's completely safe."

It's only when a Flash file or movie is played on a PC through a standalone player included with Macromedia's authoring tools for Web designers that this type of virus can actually infect a PC.

When the infected Flash movie is played, the virus displays the message "Loading.Flash.Movie..." and drops a 926-byte DOS file onto the PC. This file--named V.COM--is run by the virus and infects all other Flash files in the current directory. The SWF/LFM-926 virus' name is derived from the abbreviation for Shockwave Flash, as Macromedia Flash used to be known, the displayed message and the size of the file.

The virus will infect only Windows NT, Windows 2000 and Windows XP systems, but has not yet been seen circulating the Internet. Moreover, since the virus doesn't have a way to spread quickly, it's unlikely to infect a large number of PCs in its current form, said Craig Schmugar, virus research engineer for security-software maker Network Associates.

"It won't be a very effective spreading method if they only use Shockwave Flash," he said, citing NAI tests that confirmed the virus will not spread when the Macromedia Flash is played in a Web browser.

"It is a double-edged sword," he said. "They have given their authoring community an ability to create increased functionality. For the most part, Macromedia has been strict about security; it would have been difficult for them to see this coming."

The virus is not the first to try to fool those PC users with a weakness for Flash movies. In December 1999, the ProLin worm spread through e-mail by posing as a Flash movie, but in reality it was a simple Windows program file.

SWF/LFM-926 is a pure virus, meaning the program infects files and can only spread when the compromised file is moved to another system.

Macromedia will release a workaround to disable the file association between Flash files and the local Flash player within a couple of days, Macromedia's Santangeli said. In addition, the company plans to close the hole in the player by the next version.

For the time being, e-mail users will have to add the SWF file format to their list of attachments of which to be wary.

"Just as we have seen a first Adobe Acrobat file infector and the first AutoCAD file infector, this is just a new way to get into the PC," Sophos' Cluley said. "It does show that the virus writers are always looking for new battlegrounds."


Join the conversation!
Add your comment
Duly noted that perhaps there may be a limited security risk with the flash file or .swf (small web file). If I could base an entire operating system GUI off of the Adobe Flash application, I would. Simply because it's more secure than any of the common OS out there. As long as any technology exists there is going to be something out there that can infect it. If a virus writer spends time writing a flash virus, he's really wasting his life away. The more common an application or technology becomes, the more it opens itself up to virus's and glitches that coders can inject. This is the way of the world of technology. As a flash developer, I know the ins and out of how these files work and I say, flash is still the safest way to display rich dynamic content on a website.
Posted by gambyt (1 comment )
Reply Link Flag
I have windows vista and was infected last night as i was watching an online trailer. My ant-virus ialo caught it after my system went to blue screen then rebooted. so the report is not accurate. Vista owners are at risk as well..
Posted by superflystinger (1 comment )
Reply Link Flag
Beware also, when you visit a site that wants you to update your flash player. This is another way to infect your computer. It looks like a legitimate adobe-like message telling you your player is out of date and it looks like you are updating your player in a legitimate way, but in reality you may be downloading a virus.
Posted by quiltingsue (3 comments )
Reply Link Flag
I got the virus in the way mentioned above but when i tried to delete the file that was downloaded it told me "access denied" and did not delete. i have scanned it with my Anti-Vir2009 and it did not recognize it as a threat. The file is called "flashplayer_124" and i get some pop ups(with scary noises) trying to get me to buy some phony Spyware Program.
Posted by bassman5t9 (1 comment )
Reply Link Flag
I have this problem and the virus "macromedia" put padlocks on multiple files and you can not access them because access is denied. I've made several attempts and can not get rid of it. Locked all I could for now through the firewall but I need to find a solution to clean the PC. If anyone knows of something I thank you. Perhaps Adobe has the solution
Posted by luizmcoutinho0613 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.