|Place of Origin|
|Platform||MS Windows 9x|
|File type||.dll, .exe, .scr|
|Infection length||10,262 Bytes|
Smash is a polymorphic encrypted virus. It uses a rare form of polymorphism, and carries a destructive payload. In spite of being potentially terribly destructive, it was never widespread.
When an infected file ie executed, Smash becomes memory resident. It switches from application mode to kernel mode, allocating a block of kernel memory and staying in memory as a VxD driver. The virus appends itself to the end of .dll, .exe and .scr files as tghey are searched, opened or run.
Smash has an interesting method of polymorphic encryption. The code is broken into 60 blocks, which are randomly placed in the infected section of the file and linked with a special table. This is quite similar to the DOS Badboy virus.
On the 14th day of July (some sources seem to indicate the 14th of any month) the virus trojanizes the file C:\IO.SYS and displays the message:
Virus Warning! Your computer has been infected by virus. Virus name is 'SMASH', project D version 0x0A. Created and compiled by Domitor. Seems like your bad dream comes true...
The message is made to look like the blue screen that appears when the Windows operating system crashes, popularly known as the "Blue Screen of Death". Upon next reboot, either the computer will be stuck at the Windows logo or display the error message "Formating hard disk..." as it loads the trojanized IO.SYS file, which erases all data on the first hard drive.
Smash may only replicate under Windows 9x systems (95, 98 and ME), as it makes Windows 9x specific VxD calls. It will not work on versions earlier than 95 or later than ME.
The virus was reportedly very destructive, but not very widespread. In fact, it may have never even been wild. however it was reported in the media. Antivirus companies were even hesitant to warn users about the virus, calling the threat "theoretical" and saying the chances were "almost zero" that users would actually encounter the virus.
Kaspersky Lab. Securelist.com, Virus.Win9x.Smash.10262.
ZDNet Australia. 'Smash' virus could hit today. 2000.10.13
PCHell, Smash Virus Help and Information.
Erich Luening. CNet News, "Smash" virus' potential downplayed by experts. 2000.07.14