Trojan infected .avi files

Hi everyone,
I’ve recently started using Avast! 4.7 Home Edition. Upon running a scan I’ve got a message stating that a Trojan has been found whilst scanning a .avi file that I’ve downloaded.
I have been led to believe that .avi files could not actually carry Trojans, only give them ‘piggybacks’. Is this wrong? The Trojan is: Win32:Agent-GHL [Trj].
???
Thanks.

That would be my assumption too.

If the avi file isn’t too big < 10MB you could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.

Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.

Thanks for the quick reply, unfortunately the file’s much too big for the on-line scanners like Jotti (over 500MB) I’ve scanned the file several times with Avast and received exactly the same warning each time. I’ve not been able to move the file to the chest - i get a ‘not enough disk space’ message although i have at least 10GB free space on each drive. can anybody recommend another (free) antivirus to try so i can eliminate the false positive option?

You can increase the size limits in the Chest, Program Settings, Chest.

Though I really am surprised at this detection on an avi file, is it something that you absolutely must have, if you are prepared to put it in the chest (which denies any use of it), then perhaps you should consider deletion.

What was the avi and did you download it from a reputable site ?

It’s nothing vital, I’ve tried scanning the same file with NOD32 and it didn’t find any virus. The file’s a foreign TV show that i downloaded from a site I’ve used for years without problem. A friend mentioned the possibility that the file is slightly corrupted and that avast might be ‘misreading’ the data. Although the file plays fine.
Thanks a million for your advice on the matter.
:slight_smile:

hi is this possible ???
it must be a false +ve…could u post the exact avast warning…and another q to the techies…is there any history of any virus infecting thru a *.avi file…???

This is the warning message…
The full filepath is G:\Movies\J Transformers\Season 2\Victory.S02E06.WS.PDTV.XviD-RiVER.avi
Under right click > Properties > AVI it does say AVI structure error while skipping sub chunk ???

hi is this possible Huh it must be a false +ve..could u post the exact avast warning...and another q to the techies..is there any history of any virus infecting thru a *.avi file..Huh?

This happened a couple of years ago with a Windows Media Player vulnerability:

WmvDown.A takes advantage of a technology of Microsoft's Windows Media Player, called Windows Media Digital Rights Management (DRM). This technology has been developed in order to protect multimedia content that holds intellectual rights.

This Trojan reaches the computer in a license-protected multimedia file. When the user attempts to view it, WmvDown.A connects to an URL in the domain serve.alcena.com and downloads malware to the computer.

http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=57265&sitepanda=particulares

More likely a false positive in this case, though, especially as it plays without any hanky-panky.

A friend mentioned the possibility that the file is slightly corrupted and that avast might be 'misreading' the data.

That is always a possibility, though a slightly corrupt file is the same as being slightly dead (you either are or you aren’t), avast can usually report corrupt files after an on-demand scan. If slightly corrupt it shouldn’t run either and should fail a CRC (Cyclic Redundancy Check) test or an MD5 check if there is one to check against on the web site where it was downloaded.

It is possible that a file of this size may have a string in it that might just happen to match a signature causing a false positive.

I believe that it may well be a false positive detection, but there is no way to tell for sure as an avast user like yourself I can’t give any guarantees. I just wonder if there is any way that Alwil might be able to check it.