Win95/SK is a highly complicated virus from Russia. It uses variable encryption to hide itself and it infects a very wide variety of file types - including Windows Help files.
However, due to unnecessary complexity of the virus, it does not seem to spread too well and is probably not going to spread far without getting noticed.
However, the most interesting thing in the virus is not its complexity, but ability for embedding into Windows HLP files. HLP file has long been known to be vulnerable for virus infection, but Win95/SK is the first virus to actually do it.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
HLP files can be infected, because they can contain subroutines (or macros), made with a special script language. This language allows the creation and execution of program files. The macro is automatically executed by WinHelp when the help file is opened.
This virus has a destructive activation routine. It tries to detect when anti-virus programs are executed. When this happens, the virus tries to delete all files from all drives in the system, including network drives.
Win95/SK is not likely to spread far: it has too many bugs, infects files too rarely, is too destructive and thus easily noticed and it only spreads from HLP files on Russian systems.
Future viruses using the same technology are much more likely to become widespread than Win95/SK.
For a deep technical analysis of the virus by Eugene Kaspersky, refer to the description "SK-TECH".
[Mikko Hypponen, F-Secure]