MP3 with virus

WiredBrain

Guest
I've read some articles saying that the mp3s we download from P2P networks contain malicious software such as viruses. From my (limited) knowledge, it's not possible via mp3. Which is correct?
 
Actually, if you remember the "Love Letter" virus, one of the things it did was to "hide" (yeah, right) your mp3s and create copies of itself with the same file name as the mp3 but add a .vbs to the end (e.g. xxx-xxxxx.mp3.vbs). Anyway, the files themselves usually are NOT embedded in mp3s, but look like mp3s to the untrained eye.
Hope that helps.

-------------------------------
That which Man does not understand, he fears.
That which Man fears, he destroys
-Unknown
 
Just a word of precaution: as far as most of us are concerned, viruses are only found in the common file types like .vbs and .com. However, I've read somewhere that it may soon be possible that .jpg files can contain viruses/worms.


I don't see this happening in the near future, but who knows???
Just be careful of what you are doing and make sure you're not opening files (like lojow mentioned) that end xxxxx.mp3.vbs or anything like that.
 
It's Microsoft's fault this kinda thing happens. The reason is Windows is set to hide known file extensions, so the user sees talk.mp3 as the filename of talk.mp3.vbs; Windows auto-hides the vbs extension :)
 
Originally posted by GoNz0
It's Microsoft's fault this kinda thing happens. The reason is Windows is set to hide known file extensions, so the user sees talk.mp3 as the filename of talk.mp3.vbs; Windows auto-hides the vbs extension :)


I'm not taking sides on this, but it seems that it's all down to human error at the end of the day. How can you be 101% sure you're opening an mp3 file if that 'one' particular file is showing its 'extension' when all the others are hidden??
 
There was actually a story on a lot of internet news sites about how it was possible to embed code in mp3s a while back.

Something to disprove it:

f-secure story
 
The article is pretty much correct. There are methods to embed data in mp3s, but that code can't be executed.

Also ming is correct, Windows hiding the filename is an issue but it's very much down to the user. And even if the user saw the extension of mp3.vbs they would still run it anyway!

Bottom line is if an AV is installed then it's no issue at all, as the user does not have to worry about this.
 
Originally posted by Enyo
Bottom line is if an AV is installed then it's no issue at all, as the user does not have to worry about this.


I don't agree with this. Someone can just modify the trojans to bypass the AV and what about the latest virus? AV will need at least a week to detect them.
 
By the way, the articles I mentioned were about the cons of free file-sharing networks against the legitimate services. Either those authors didn't know what they were writing or were paid ... ;)
 
You're expanding the issue now. I was really referring to the majority of double-file named viruses that are in the wild; they are going to be covered.

I was talking in general about ITW threats that use this kind of deception. Users are fooled, yes, but only because they don't exercise due care; because of that they will rely on their AV. I was not suggesting it's the only line of defence for the savvy.

In answer to your statements (double-file name or not, it makes no odds)

I don't agree with this. Someone can just modify the trojans

Yes, that's true, but most AVs include the ability to detect even modified (packed) Trojan servers. Granted, some don't do this well.

what about the latest virus? AV will need at least a week to detect them.

That really varies with vendor but it is not a week.

Most major vendors update daily, this includes Norton and McAfee.

KAV updates two to four times a day.
 
I've seen an example of the .jpg thing ... Mozilla refuses to open it though, telling you it's an invalid image :)
 
Originally posted by Xie
I've seen an example of the .jpg thing ... Mozilla refuses to open it though, telling you it's an invalid image :)

Yes that was a bad one and very much related to the first question about code insertion.

In this case the .jpg was not a picture but rather an HTML file, which would have been harmless except for the way the browser handles this situation.

When IE encounters an invalid image it will parse it as an HTML file, hence it was able to have the .jpg extension yet be HTML code.

The picture contained a VBScript which replaced WMP on the system with a Trojan, then JScript was used to execute the file.

Clever but in this incarnation very deadly. It affected a forum user here. Nicely documented here
 
It's very easy for mp3s to contain malicious code. This was an issue probably about a year ago. It all relates to the tagging scheme used in mp3s. Most common are ID3v1 and ID3v2 tags. v1 tags are actually headers and must be of finite length. v2 tags are added at the end of the file and therefore can be of infinite length and allow you to add cover art (and viruses, amongst other things) to the tags. This became an issue where there was some code that opened Winamp's browser and redirected users or something like that.


[offtopic] I just realized that I surpassed 1000 posts. Yay for me!!! Let's have a party![/offtopic]
 
There was a reported vulnerability in RealPlayer that allowed a virus to be inserted into an mp3 and RealPlayer would run it.

They fixed it a while back. Just make sure you have an up to date RealPlayer. Not sure if it applied to other players that could run an mp3.

But aside from all that:

MAKE SURE YOUR ANTIVIRUS IS UP TO DATE AND SCANS ALL DOWNLOADS AND EMAIL ATTACHMENTS.

Yes, I was shouting. I have received dozens of viruses but never been infected by any of them.
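
Added example, not part of any post in this thread: a defender-side check for the two tricks discussed above, the `talk.mp3.vbs` double extension and the `.jpg` that is really HTML. It compares the real (last) extension and the first bytes of the content against what the name claims. The function names, extension lists and sample bytes are constructed for illustration.

```python
import os

# Constructed lists for illustration; not exhaustive.
EXECUTABLE_EXTS = {".vbs", ".js", ".com", ".exe", ".scr", ".pif", ".bat"}
MEDIA_EXTS = {".mp3", ".jpg", ".jpeg"}

def looks_like_mp3(head):
    # "ID3" tag marker at offset 0, or an MPEG audio frame sync (11 set bits).
    if head[:3] == b"ID3":
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0

def looks_like_jpeg(head):
    return head[:3] == b"\xff\xd8\xff"  # JPEG start-of-image marker

def looks_like_html(head):
    return head.lstrip().lower().startswith((b"<html", b"<!doctype", b"<script"))

def check_file(name, head):
    """Return findings for a file name plus the first bytes of its content."""
    findings = []
    stem, last_ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    # talk.mp3.vbs: the real (last) extension runs code, the inner one is bait.
    if last_ext in EXECUTABLE_EXTS and inner_ext in MEDIA_EXTS:
        findings.append("double-extension")
    if last_ext == ".mp3" and not looks_like_mp3(head):
        findings.append("not-mp3-content")
    if last_ext in (".jpg", ".jpeg") and not looks_like_jpeg(head):
        findings.append("not-jpeg-content")
    if last_ext in MEDIA_EXTS and looks_like_html(head):
        findings.append("html-in-media-file")
    return findings

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("talk.mp3.vbs", b"On Error Resume Next\r\n"),
    ("song.mp3", b"ID3\x03\x00\x00\x00\x00\x0f\x76"),
    ("track.mp3", b"\xff\xfb\x90\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("funny.jpg", b"<html><script language=\"VBScript\">"),
]

def scan(samples):
    return {name: check_file(name, head) for name, head in samples}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name:14} {', '.join(findings) or 'ok'}")
```

The check works on the full file name as stored on disk, so it is unaffected by Explorer hiding known extensions.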
 
