Summary

Win95/SK is a highly complicated virus from Russia. It uses variable encryption to hide itself and it infects a very wide variety of file types - including Windows Help files.

However, due to unnecessary complexity of the virus, it does not seem to spread too well and is probably not going to spread far without getting noticed.

However, the most interesting thing in the virus is not its complexity, but ability for embedding into Windows HLP files. HLP file has long been known to be vulnerable for virus infection, but Win95/SK is the first virus to actually do it.

Additional Details

HLP files can be infected, because they can contain subroutines (or macros), made with a special script language. This language allows the creation and execution of program files. The macro is automatically executed by WinHelp when the help file is opened.

This virus has a destructive activation routine. It tries to detect when anti-virus programs are executed. When this happens, the virus tries to delete all files from all drives in the system, including network drives.

Win95/SK is not likely to spread far: it has too many bugs, infects files too rarely, is too destructive and thus easily noticed and it only spreads from HLP files on Russian systems.

Future viruses using the same technology are much more likely to become widespread than Win95/SK.

For a deep technical analysis of the virus by Eugene Kaspersky, refer to the description "SK-TECH".

[Mikko Hypponen, F-Secure]