Can a .wmv file have a virus/trojan/worm?


Revtim
10-30-2005, 02:23 PM
Is it possible for a .wmv file to be infected with malware? Is there an instructional payload in this file format that could hold a virus, or is it purely media data?

Revtim
10-30-2005, 02:32 PM
Also, same question about .mov files.

AHarris
10-30-2005, 02:40 PM
Yes, .wmv and .mov files can transmit viruses etc.

.wmv - WMV (Windows Media Player) trojan in wild (http://msmvps.com/donna/archive/2005/01/13/31831.aspx)
.mov - New security vulnerability threatens Tiger (http://www.macnn.com/articles/05/05/12/tiger.qt.exploit/)

Any file format could be used to transmit a virus as long as the application that runs them has exploitable vulnerabilities.

ftg
10-30-2005, 02:42 PM
The only known threat in wmv files that I currently know of is an exploit based on host misdirection. The file contains info on where to go to check on things like digital rights. You are sent to a web site loaded with malware which comes in via Internet Explorer (which you might not even notice was running). The misdirection part comes in when the site the software thinks it's looking up is on a safe list, but the actual site is another one entirely. Note that this is a problem even if you use a safer browser.

MS has been aware of this for some time and many of the "security" patches for MS-Windows Media Player deal with issues such as these. So keep your Media Player updated, or better yet, don't use it. Best of all, don't download/use wmv files (I don't). Stick to straight mpeg formats.

Note that there are usually a lot of undiscovered flaws in programs that handle media files which are found out once in a while and exploited. E.g., there have been 2 buffer overflow flaws found in the zlib library in recent years. zlib is used by a lot of programs. So viewing the wrong gif file with an unpatched zlib library could lead to Bad Things.

I cannot comment on mov files. I again much prefer mpeg.

Revtim
10-31-2005, 10:11 AM
Thanks!

GorillaMan
10-31-2005, 10:17 AM
Also there's the simple trick used by some viruses for making email attachments look innocuous, of using a filename such as

Britney nude.wmv                                        .exe (with all those spaces).

The .exe part doesn't necessarily appear on screen, and if your email client will let you open an executable attachment without warning, you could be fooled. Unless you don't want to see Britney naked, of course.
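
The padded double-extension name described in the post above, as a check a mail gateway or download filter could run on attachment names. This is an added example, not part of the thread; the extension lists and the three-space threshold are assumptions, and the sample names are constructed.

```python
import os
import re
import unicodedata

# Assumed, non-exhaustive list of extensions Windows runs when opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a reader expects to be passive content (assumption for this example).
DECOY_EXTS = {".wmv", ".mov", ".mpg", ".avi", ".mp3", ".gif", ".jpg", ".txt", ".doc"}
# Three or more consecutive whitespace characters count as padding (assumed threshold).
PADDING_RUN = re.compile(r"\s{3,}")


def classify_attachment(filename):
    """Return the reasons an attachment name looks disguised (empty list = none)."""
    # Fold look-alike spaces such as U+00A0 into plain spaces before checking.
    name = unicodedata.normalize("NFKC", filename)
    # Windows ignores trailing dots and spaces, so strip them to find the real type.
    effective = name.rstrip(" .")
    stem, real_ext = os.path.splitext(effective)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + real_ext]
    # Whatever precedes the real extension is what the user is meant to read.
    _, shown_ext = os.path.splitext(stem.rstrip())
    if shown_ext.lower() in DECOY_EXTS:
        reasons.append("decoy extension " + shown_ext.lower())
    if PADDING_RUN.search(name):
        reasons.append("whitespace padding in the name")
    return reasons


# Constructed sample names, not taken from real traffic.
SAMPLES = [
    "Britney nude.wmv" + " " * 40 + ".exe",
    "holiday.wmv",
    "setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", classify_attachment(sample) or "no findings")
```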

Mangetout
10-31-2005, 10:23 AM
I'm curious about this too; I use a filesharing application to download pre-current versions of freeware - for example I used a freeware Activex control called CPVSlider in the past; the author has since rewritten it as a VB Usercontrol and I simply couldn't get it to work like this - file sharing networks turned out to be the only place I could find a copy of the old OCX version.

But amid my search, I turned up a whole load of false positives; there were the obvious ones (a zip file containing an executable that was identified as a trojan by my virus guard), but there were some wmv results and even some mp3 results - to my knowledge, an MP3 can't contain malware, but I didn't download it just in case - what's the deal here?

Revtim
10-31-2005, 11:00 AM
But amid my search, I turned up a whole load of false positives; there were the obvious ones (a zip file containing an executable that was identified as a trojan by my virus guard), but there were some wmv results and even some mp3 results - to my knowledge, an MP3 can't contain malware, but I didn't download it just in case - what's the deal here?
That's the situation that prompted me to open this thread. On a network I use, if you search for "foo", you get a bunch of results from somewhere with names like:

Naked chicks in the pool (foo).wmv
Upskirt camera (foo).wmv

and so on. They might simply be ads, but I was wondering if there could be a virus/trojan as well. Looks like there could be, at least indirectly, as described by the responses in this thread.

Mangetout
10-31-2005, 11:13 AM
In my particular case, the search results were:
CPVSlider.ocx (the genuine file)
CPVSlider.zip (containing setup.exe, which turns out to be a trojan)
CPVSlider.wmv and CPVSlider.mp3 - neither of which I tried downloading.

The file I'm searching for is so obscure, I have to wonder if the fake/malware search results aren't being created on the fly in response to my actual search.

Revtim
10-31-2005, 11:17 AM
I'm pretty sure they are being created on the fly, certainly in my situation and very likely in yours as well.

Mr2001
10-31-2005, 03:55 PM
The only known threat in wmv files that I currently know of is an exploit based on host misdirection.
There's also a social engineering threat. Some WMV files require you to obtain a license before you can watch them, which means using a little browser window to do something or other - sign in to an account, enter a credit card number, watch an ad, etc. Any type of browser exploits or misleading banner ads you might find on a regular web page might also be present on that page.

Even when there's nothing overtly malicious on the license page, you're still connecting to the server and letting someone know you're watching the video. Some of the WMV files I've seen don't require an account or payment, they just open a page and then you can click a button to start the video. Why would they bother with the DRM at all in that case? I can only suspect they're up to no good.

Best to stick to MPG or AVI files. With those, you know what you're getting.
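
The license lookup that ftg and Mr2001 describe is driven by a URL stored in the file itself, so it can be read before the file is ever opened in a player. This is an added example, not part of the thread: it assumes the version 1 Content Encryption Object layout from the ASF specification (the container behind .wmv), and the sample header and URL are constructed.

```python
import struct
import uuid

# GUIDs from the ASF specification, stored on disk in little-endian GUID layout.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le


def read_blob(buf, pos):
    """Read a DWORD length-prefixed field; return (data, next_pos)."""
    (length,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("length field runs past end of object")
    return buf[pos + 4:end], end


def license_urls(data):
    """Return the license URLs found in an ASF header's Content Encryption objects."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        raise ValueError("not an ASF/WMV file")
    # Header object: GUID(16) size(8) object count(4) reserved(2) = 30 bytes.
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end, urls = 30, min(header_size, len(data)), []
    for _ in range(count):
        if pos + 24 > end:
            break
        obj_id = data[pos:pos + 16]
        (obj_size,) = struct.unpack_from("<Q", data, pos + 16)
        if obj_size < 24 or pos + obj_size > end:
            raise ValueError("malformed header object size")
        if obj_id == CONTENT_ENCRYPTION:
            body, p = data[pos + 24:pos + obj_size], 0
            # Skip secret data, protection type and key ID; the URL is the fourth field.
            for _field in range(3):
                _, p = read_blob(body, p)
            url, _ = read_blob(body, p)
            urls.append(url.rstrip(b"\x00").decode("ascii", "replace"))
        pos += obj_size
    return urls


def constructed_sample(url):
    """Build a minimal header with one Content Encryption object (test data only)."""
    fields = [b"\x00" * 4, b"DRM\x00", b"KEYID\x00", url.encode("ascii") + b"\x00"]
    body = b"".join(struct.pack("<I", len(f)) + f for f in fields)
    obj = CONTENT_ENCRYPTION + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

An empty result means no version 1 license URL is present; it does not cover other DRM header objects or script commands, which this example does not parse.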

Copyright 2018 STM Reader, LLC.