Is it possible for viruses to be hidden in video files such as .avi or .wmv?
Any help would be great >.<
Generally it is the media player that is exploited (so keep it up to date) rather than an infected video file. They are a low risk and I can’t recall any virus contained in a video file.
I use Winamp as my media player.
When I opened the video it said something like "Content blocked, download the codec @ www.etc to watch it" or some junk like that.
Was trying to watch Stargate, I live in Australia so it's like a year before the new season is shown on TV here.
anyway
Thanks for your help again David :>
There was a case of “infected” .wmv files a couple of years ago:
http://www.theregister.co.uk/2005/01/13/drm_trojan/
What is the name of the codec you are prompted to download?
Hi nums,
Check your links with DrWeb’s av hyperlink scanner plug-in for IE, FF, Opera, and, also important, always use the latest version of the MediaPlayer.
polonus
I’m not sure, I didn’t go to the link.
When I played the movie file, the video played, just that the only scene that was there was it saying that it was blocked and that I needed to go to this link to download the codec. It was a .avi file.
–
Where can I download “DrWeb’s av hyperlink scanner plug-in”?
This is the area where it is possible to exploit the media player into loading a codec; there is no guarantee that the codec is what it says on the tin (so to speak), so the advice given by the others to always check is important.
It is a Firefox extension and you can also use this link, http://online.drweb.com/?url=1 and enter the URL for checking.
There are .avi Trojan scams out there too:
http://en.wikipedia.org/wiki/3wplayer#DivoCodec
Do not download this codec!! It’s a Trojan horse.
DrWeb’s hyperlink av scanner extension for various browsers. You can download one of the versions from here for IE, Firefox or Opera: http://www.freedrweb.com/browser/
Enjoy,
polonus
Unfortunately, detection of these .avi Trojans seems to be poor: DrWeb doesn’t catch DivoCodec, neither does avast!
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.12.20.10  2007.12.19   -
AntiVir            7.6.0.45       2007.12.19   -
Authentium         4.93.8         2007.12.19   -
Avast              4.7.1098.0     2007.12.18   -
AVG                7.5.0.503      2007.12.19   -
BitDefender        7.2            2007.12.19   Trojan.Obfuscated.IB
CAT-QuickHeal      9.00           2007.12.19   -
ClamAV             0.91.2         2007.12.19   -
DrWeb              4.44.0.09170   2007.12.19   -
eSafe              7.0.15.0       2007.12.19   -
eTrust-Vet         31.3.5387      2007.12.19   -
Ewido              4.0            2007.12.19   -
FileAdvisor        1              2007.12.19   -
Fortinet           3.14.0.0       2007.12.19   -
F-Prot             4.4.2.54       2007.12.18   -
F-Secure           6.70.13030.0   2007.12.19   Trojan.Win32.Inject.on
Ikarus             T3.1.1.15      2007.12.19   Virus.Trojan.Win32.Obfuscated.en
Kaspersky          7.0.0.125      2007.12.19   Trojan.Win32.Inject.on
McAfee             5189           2007.12.19   -
Microsoft          1.3109         2007.12.19   -
NOD32v2            2733           2007.12.19   -
Norman             5.80.02        2007.12.19   -
Panda              9.0.0.4        2007.12.18   Adware/Lop
Prevx1             V2             2007.12.19   Heuristic: Suspicious Self Modifying File
Rising             20.23.22.00    2007.12.19   -
Sophos             4.24.0         2007.12.19   -
Sunbelt            2.2.907.0      2007.12.19   -
Symantec           10             2007.12.19   -
TheHacker          6.2.9.164      2007.12.18   -
VBA32              3.12.2.5       2007.12.19   -
VirusBuster        4.3.26:9       2007.12.19   -
Webwasher-Gateway  6.6.2          2007.12.19   -
It was exactly like the pic below, except a different link and codec.
http://forum.avast.com/index.php?action=dlattach;topic=32136.0;attach=19897;image
I didn’t go to any links and didn’t download any codecs, so, hopefully nothing bad got on my comp >.<
Yes, this is the sort of thing I was on about: the actual media file isn’t infected but is trying to con you into downloading what you think is a codec when all it is likely to do is infect your system.
If you didn’t click to load the codec, you should be OK.
Another useful tool is the SiteAdvisor.com web site, where you can also get some info on the validity/trustworthiness of the site. Example for the divocodec.com site: http://www.siteadvisor.com/sites/divocodec.com. So you can enter the site name and get a good idea of what it is about.
Hi nums,
The rising attractiveness of online video attracts the interest of malicious hackers and hi-tech criminals. Security firms are reporting more and more instances of infected Windows codecs - file compressors - required to play some video formats.
Some of the codecs let individuals play internet videos, but also have spyware and adware wrapped inside.
Others, say experts, are complete fakes that just want to contaminate the victims with spyware programs.
“Everyone is watching movies on their PC,” said David Robinson, UK head of security firm Norman Sandbox, “they are downloading the latest, greatest clips.”
While websites such as YouTube and Revver try to make it easy to watch video online, many of the downloadable clips posted on the web require extra software, called a codec, to play them.
Mr Robinson said many security firms were now logging cases in which spyware and adware firms are rolling out software bundles that claim to roll together many popular codecs or just have the one needed to play a particular clip.
Some of the codecs do help to play clips, but others are disguised as a variety of annoyance or malicious programs.
Some rogue codecs plague users with pop-up adverts, while others invisibly install keyloggers that try to grab private data.
Anti-spyware firm Sunbelt Software exposed one codec that became a program that found fictitious security problems on a PC and demanded payment to repair them.
Many downloads look benign when scanned with an anti-virus program, but, once installed, download updates from other websites that contain the malicious payload.
Mr Robinson said the growth of booby-trapped video codecs was just another example of how hi-tech criminals have moved on from the old days in which a virus only travelled by e-mail.
Now, he said, they sustain a diverse portfolio of attack methods and will tailor these to whatever is proving popular online.
Mr Robinson said his company Norman Sandbox, which analyses captured samples of malicious code, gets hundreds of new variants of malicious programs submitted to it every day.
David Emm, senior technology consultant at anti-virus firm Kaspersky Labs, said it was only a matter of time before virus writers turned to sites such as YouTube and booby-trapped popular clips with bugs.
“YouTube is almost by definition unregulated,” he said, and was ripe for exploitation by malicious hackers. “It gives an almost endless stream of stuff to tap into.”
Already spyware firms are known to be using the popularity of some clips on YouTube and social networking site MySpace to install their wares on the PCs of more victims.
Increasing numbers of malicious attacks were pegged to news or other events, said Mr Emm, which helped to catch people out.
The upcoming Christmas holiday is already being exploited by malicious hackers who are baiting websites with viruses and trojans.
polonus