SWF Files and Malware

SWF files, being easy to execute and practically multiplatform, have become an accessible target for virus writers. In 2002 the first malicious software affecting SWF (ShockWave Flash) files came to light. At that time it was only a proof of concept, so it did not really deserve more care than keeping your antivirus up to date (and perhaps adding the .SWF extension to the list of files to be scanned).

The virus could not achieve infection simply by displaying a web page containing an SWF animation. For the infection to occur, it was necessary to manually download the .SWF file from the site, place it in the same folder as other clean .SWF files, and run that file with the respective SWF player.

The virus spread by using ActionScript, the scripting language that SWF files can execute. When it infects other files, it displays a message on the screen with the text: "Loading Flash Movie".

The virus opens a DOS window using the command prompt. This only works on Windows NT and higher (2000, XP). The virus then launches the DOS DEBUG command to create the file V.COM from a script, which is then automatically executed, infecting all possible SWF files in the same folder. It has no destructive routines other than file infection.

The infection routine is a simple loop that infects the SWF files in the same folder. This routine stops if it does not find SWF files there, or if those files are marked as read-only.

Because the virus relies on the CMD.EXE application for this process, it can only operate on Windows systems that include it.

Infected .SWF files increase in size by 926 bytes.
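Because the infector only touches .SWF files in one folder and grows each one by a fixed 926 bytes, a simple baseline-and-compare integrity check can flag infected files. The script below is an added example, not code from the original page; it records size and SHA-256 for every .swf file in a folder, then reports files that changed, singling out growth of exactly 926 bytes. The header-signature check relies on the published SWF magic bytes (FWS, CWS, ZWS), which the page itself does not mention, and the sample files are constructed stand-ins, not real movies.

```python
import hashlib
import os
import tempfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # documented SWF header signatures
INFECTION_GROWTH = 926  # bytes added to each infected file, per the page


def snapshot(folder):
    """Record (size, SHA-256, first 3 bytes) of every .swf file in folder."""
    result = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".swf"):
            continue
        with open(os.path.join(folder, name), "rb") as fh:
            data = fh.read()
        result[name] = (len(data), hashlib.sha256(data).hexdigest(), data[:3])
    return result


def compare(baseline, current):
    """Return {filename: reason} for files that look tampered with."""
    findings = {}
    for name, (size, digest, magic) in current.items():
        if magic not in SWF_MAGICS:
            findings[name] = f"bad header signature {magic!r}"
        elif name not in baseline:
            findings[name] = "new file"
        elif digest != baseline[name][1]:
            if size - baseline[name][0] == INFECTION_GROWTH:
                findings[name] = f"grew by exactly {INFECTION_GROWTH} bytes"
            else:
                findings[name] = "content changed"
    return findings


def demo():
    """Constructed scenario: two clean files, one later modified by 926 bytes."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("a.swf", "b.swf"):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"FWS\x08" + b"\x00" * 60)  # fake header + padding
        before = snapshot(folder)
        with open(os.path.join(folder, "a.swf"), "ab") as fh:
            fh.write(b"X" * INFECTION_GROWTH)  # simulate the appended payload
        return compare(before, snapshot(folder))


if __name__ == "__main__":
    print(demo())
```

Run the baseline once on known-clean files and re-run the comparison after any scan; a hash change without the 926-byte growth still deserves a look, since it indicates the file was modified by something.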

To clean the virus from your system, run an updated antivirus scan of all your files (if necessary, add the .SWF extension so that infected files are searched for). Remember, however, that infected .COM and .EXE executables are identified by any antivirus with updated databases.

You may need to delete files identified as infected. It is very important to note that an infected SWF file cannot be repaired because it is a binary file. In that case, you will need to restore the deleted files from a backup.

More recently, a Trojan called Blacole.O was discovered that takes advantage of a vulnerability in Adobe Flash to infect computers using Adobe Shockwave Flash (.SWF) files.

Infected SWF files are distributed via apparently legitimate web pages that have been compromised using the 'Blackhole' exploit kit. This virus redirects web browsers to pages controlled by the attackers and causes users' computers to download new malware.

As prevention, the recommendation is to update Adobe Flash. As a recovery measure, if you are using the Windows operating system and you know when the infection occurred, you can use the "System Restore" feature to remove the virus.

File Extension Info

SWF Quick Info
  Adobe Flash File
  MIME types:
    application/vnd.adobe.flash-movie
    application/x-shockwave-flash
    application/futuresplash
Opens with
  Adobe Flash Player
  Adobe Flash Player Projector