W95.Smash


Aliases: PE_SMASH, Virus.Win9x.Smash.10262, Virus:Win32/Smash.10262, W32/Smash
Variants: W32/Smash.10262, W95/Smash, W95/Smash-10262, Win95/Smash

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Feb 2007
Damage: Medium

Characteristics: The W95/Smash program is a memory resident polymorphic 32 bit Windows virus that infects files on Windows 9x systems.

More details about W95.Smash

W95.Smash is a memory resident parasitic virus that infects files on Windows 9x systems. The virus uses Win9x specific functions and is not able to propagate under Windows NT. This virus affects PE EXE by appending itself to the end of the file. It pays no attention to the file name extension, and because of this, it infects PE file - executable files, SCR screen-savers, DLL libraries, etc. This virus has a very harmful payload process, it overwrites C:\IO.SYS file with a trojan code and shows a message, “Virus Warning! Your computer has been infected by virus. Virus name is 'SMASH', project D version 0x0A. Created and compiled by Domitor. Seems like your bad dream comes true...”

The virus utilizes a polymorphic engine, which hides virus code, by utilizing a loop mutating decryption. This virus as well utilizes a "blocks mixing" structure. The virus data and code are separated into about 60 blocks (infection, payload routines, installation, etc.). If the virus infects another file, it mixes these blocks randomly and links the files with a special table. And because of this, the structure of the virus is different in each file infected.