Classification

Category :

Malware

Type :

-

Aliases :

Smash, Win95.Smash, Win95_Smash

Summary

Smash is a memory-resident Windows 9x virus, about 10 KB in length. It relies on Win9x-specific functions (VxD calls) and cannot spread under Windows NT. It infects PE (Portable Executable) files by writing its body to the end of the file, and it pays no attention to the file name extension, so any Windows PE image is a target: EXE executables, DLL libraries, SCR screen savers, and so on.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus carries a destructive payload that triggers on July 14th: it overwrites C:\IO.SYS with trojan code and displays the following message:

Virus Warning!
Your computer has been infected by virus.
Virus name is 'SMASH', project D version 0x0A.
Created and compiled by Domitor.
Seems like your bad dream comes true...

The virus then reboots the computer. During the reboot the replaced IO.SYS is loaded and executed, so the trojan code takes control, displays the text "Formating hard disk..." and erases the data on the first hard drive.

To make detection and disinfection of infected files harder, the virus uses a polymorphic engine that hides its code behind a mutating decryption loop. It also uses a "block-mixing" structure (a similar method was used by the DOS virus 'Badboy'): the virus code and data are divided into 60 blocks (installation, infection, payload routines, etc.). When the virus infects the next file, it shuffles these blocks into a random order and links them together with a special table, so the layout of the virus differs in every infected file.

Once the virus code has been prepared for writing to the victim (blocks mixed, encrypted and wrapped in the polymorphic 'envelope'), the virus creates a new section at the end of the file, writes its code there and adjusts the necessary fields in the PE header, including the program's entry point address, so that the virus gains control when the infected file is executed. The name of the virus section is randomly generated.
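The infection shape described above (a new last section with a random name, with AddressOfEntryPoint redirected into it) is one that a file-format heuristic can look for without any knowledge of the polymorphic body. The following Python is an added example, not F-Secure's detection logic and not code from this description: it parses the PE header by hand, locates the section that contains the entry point and reports the appending-infector indicators. The allow-list of conventional code-section names, the writable-and-executable check and the two sample images are assumptions constructed for the example; the "infected" image only mimics the layout with filler bytes and contains no virus code.

```python
"""Heuristic check for an appended-section PE infection: a new last section with a
random name, with AddressOfEntryPoint redirected into it.  Added example only; this is
not F-Secure's detection logic."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a compiler/linker normally gives the section holding the entry point.
# This allow-list is an assumption of the example, not something from the page.
CONVENTIONAL_CODE_SECTIONS = {b".text", b"CODE", b".code", b".init", b"INIT"}


def parse_pe(data):
    """Return (entry_rva, sections) for a PE image.  Each section is a dict with its
    name, virtual address/size, raw pointer/size and characteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of both the PE32 and PE32+ optional header.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        (name, vsize, vaddr, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def scan(data):
    """Return the list of appending-infector indicators found (empty = no finding)."""
    entry_rva, sections = parse_pe(data)
    for idx, s in enumerate(sections):
        span = max(s["vsize"], s["raw_size"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            break
    else:
        return ["entry point lies outside every section"]
    reasons = []
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append("entry point in last section")
    if s["name"] not in CONVENTIONAL_CODE_SECTIONS:
        reasons.append("entry section has unconventional name %r" % s["name"])
    # Self-decrypting code must write to its own section (heuristic assumption).
    if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("entry section is writable and executable")
    return reasons


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Build a minimal PE32 image from (name, rva, raw_bytes, chars) tuples.
    Constructed test data for the example; it is not a runnable program."""
    opt_size = 0xE0
    raw_base = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), 0x200)
    headers, body = b"", b""
    for name, rva, raw, chars in sections:
        padded = raw.ljust(_align(len(raw), 0x200), b"\0")
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(padded),
                               raw_base + len(body), 0, 0, 0, 0, chars)
        body += padded
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_base, b"\0") + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

HOST_SECTIONS = [(b".text", 0x1000, b"\xC3" * 16, CODE),
                 (b".data", 0x2000, b"\0" * 16, DATA)]
CLEAN = build_pe(HOST_SECTIONS, entry_rva=0x1000)
# Same host with a randomly named section appended and the entry point moved into it.
INFECTED = build_pe(HOST_SECTIONS + [(b"qZw3", 0x3000, b"\x90" * 32, CODE | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, scan(image) or ["no findings"])
```

Each indicator on its own is weak (packers and some linkers also put the entry point in a late or oddly named section), which is why the scan returns all of them and leaves the decision to the caller; a real engine would combine such hints with emulation of the decryption loop rather than act on the header alone.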

When run from an infected file, the virus installs itself in Windows memory and stays resident until the Windows session ends. To do so it uses programming tricks to switch from application mode to kernel mode (Ring 3 to Ring 0), allocates a block of kernel memory, hooks file-system operations through the Windows kernel's IFS API, and remains in memory as a VxD driver.

When files on disk are searched for or opened, the virus's hook takes control and runs its infection and stealth routines. The stealth routines make the virus very difficult to detect while it is active in memory.