A virus that launches on the 14th day of the month could hit computers tomorrow, July 14, security experts warn.
14 July 2000 - Experts are hesitant to overplay the threat of the Windows 95 "Smash" virus (Win95.Smash.10262), as it has not yet been found in the wild.
"We wanted to put something out there because some of our clients were reading about it in the media," said Simon Perry, virus expert at Computer Associates International Inc. in Islandia, N.Y. "The bottom line is, if you get it, it's very damaging, but right now it's not likely you'll get it."
The Smash virus is technically sophisticated and what might be called socially clever.
Technically, the virus launches through low-level system calls made directly to BIOS memory. It uses a technique called 'tunneling' (not related to VPN tunneling) to set up a "trap flag" to corrupt the Interrupt 13 BIOS store. The end game of a complex chain of BIOS events is to reformat the hard drive, destroying all information previously stored there.
Socially, the as-yet unidentified authors use the so-called "blue screen of death" (the screen that displays when the Windows operating system crashes), preying on common user reactions to such screens to launch the virus' payload.
When activated, the virus displays a blue screen in Windows that reads:
Virus name is 'SMASH', project D version 0x0A.
Created and compiled by Domitor.
Seems like your bad dream comes true ...
According to a warning issued by Computer Associates, "The next time the computer is rebooted, the malicious code will take effect, rendering the machine unusable. Since the machine hangs after the [blue screen] message is displayed, it is likely that the user of the machine would either press any key or try to reboot the machine at this point, therefore unwittingly causing the payload to execute."
Perry said most anti-virus vendors have added detection for the virus over the past couple of weeks.