Tips 74

Virus name:SWF/LFM.926



Removal instruction

Use current McAfee anti-virus engine and DAT (4180) files for detection - AVERT recommends replacing files not cleaned with backup copies. the patch is available at


Virus characteristics

This is a proof of concept virus which infects Macromedia Shockwave Flash (.SWF) files. It is not in the wild at this time. It is unlikely to ever become wide spread due to its dependency on the stand-alone version of the Macromedia Flash Player, rather than the browser plug-in commonly installed on most systems.


When an infected .SWF file is accessed locally (not via a web page), and the stand-alone Flash Player is installed, a script is run, which uses CMD.EXE and DEBUG.EXE to create the file V.COM and execute it. Since the CMD.EXE application is used in this process, the virus can only infect on WindowsNT/2000/XP systems. This V.COM file is capable of infecting other .SWF files in the current directory.


Indications of infection

Presence of V.COM. Infected files do not change size.


Method of infection

This virus uses the ActionScriptting abilities of Sockwave Flash to create a .COM file, which is used to infect other Shockwave Flash files. The virus corrupts large .SWF file such that repair is not possible for these corrupted files. Infected files should be deleted and restored from backup.



SWF.LFM.926 (F-Secure), SWF.LFM.926 (NAV), SWF/LFM-926 (Sophos), SWF/LMF_926 (Panda)