Valery's Mlog

Mindlog of a Freak
August 7th, 2009 by Valery Dachev

I’ve Got an MP3 Virus

A friend of mine called me today to inform me that Avast has found a virus in a file I sent her yesterday. I was a bit confused because I am very careful about what software I download, install and run on my computer. So I don’t think I need any anti-virus software. What shocked me most was that the file was actually an MP3. I considered this almost impossible as it suggests that an exploitable MP3 decoders (still) exist and a harmful MP3 file would trick it to execute malicious code…. and maybe crash. Well WinAMP seemes to play this file correctly with no fuzzy sounds (the bits of malicious code?)! Isn’t that something like infecting a nice photo with a virus or so?! iCaci and I had a nice laugh about that but I decided to run the ESET Online Scanner to check whether I have any viruses or not. Suprise!


Three threats were found – a patch to a program (“probably a variant of Win32/HackTool.Patcher.A application“), the SDFix.exe (“Win32/PrcView application“) and… and (another) MP3 infected with “a variant of WMA/TrojanDownloader.GetCodec.get trojan“. OK, it was not the same MP3 file I have sent to that friend of mine but… wait! It’s an MP3! Well it seems like a trojan (you know not every piece of malicious is code “a virus”) that “infects” audio files with a tag pointing the player to the download page of a “suitable” codec – probably one that plays arbitrary code on your system. However I am not aware if MP3 files have any support for such tags and I seriously doubt trojans convert MP3s to WMAs (Windows Media Audio) before infecting them but… You’d better have this in mind when a player asks you to download a codec.

I am now seriously considering the possibility to infect an MP3 with a virus: remember that old joke about an Albanian virus spread as the following instant message: “Hi, I am an Albanian virus but because of poor technology in my country unfortunately I am not able to do harm your computer. Please be so kind to delete one of your important files yourself and then forward me to other users. Many thanks for your cooperation! Best regards, Albanian virus“. Now imagine the same virus spread as an MP3 with someone reading this message with a cute broken English accent in background. Or maybe a WMV (Windows Media Video) with a guy asking for help? :)

Meanwhile I have quick-tested a few online virus scanners on my Windows 7 RC. Here are some results (in a pseudo-random order):

Although ESET Online Scanner still rocks my world Kaspersky seems to be the only online scanner (except Avast! Ha-ha-ha!) that doesn’t run as an ActiveX control. I am not sure if it workarounds all Java applet security restrictions successfully and if this applet is as functional as the ActiveX controls but it means you can run an online scan with any browser supporting Java. An important thing to know in case of restoring a PC infected with a viruses disabling Internet Explorer.

Good night! :)

Comments

7 Responses to “I’ve Got an MP3 Virus”
  1. Have you tried http://www.virustotal.com/
    It scans the file with different anti-virus programs and displays the result.

  2. @iffi: It’s just the same type of online scanning as Avast! offers. If I upload a few (or a thousand!) suspicious files and if finds them infected what do I do? It’s an online file scanner but I want my whole computer scanned. :)

  3. @Valery Dachev
    if you want your whole computer scanned, why don’t you download avast and do it the easy way ;-)

  4. @iffi
    @iffi: The easy way is not to install anything at all… :)

  5. @Valery Dachev
    and upload your whole hdd online… o.O

  6. @iffi
    Nope. Other “online” scanners download an ActiveX control or a Java applet that runs and checks local files against a virus definition database. All of this is done locally and no files are uploaded on the net. :)

  7. @Valery Dachev
    still sounds easier, to download avast :-P

Leave a Reply

%d bloggers like this: