computer virus question

Hey all computer whizzes.

Is it possible for a non-executable file attachment to be infected? I am referring to things like bitmaps, jpegs and the like. Also, avi movies or MP3’s. I know Word and Excel can have macro viruses in them, can they have other types as well?
Thanks!

The recent lovebug virus worked by taking the name of a legitimate file, changing the contents to its own executable code, and adding the “.vbs” extension so it would run as a Visual Basic script. So the file could look like an image, but actually be executable virus code.

Technically an HTML attachment could payload a virus as well, but I am unaware of any in the wild. And you mentioned Word and Excel documents (which can contain .vbs scripts).

Otherwise, non-executable file attachments are pretty safe since they don’t actually instruct the computer to take any action–they need an executable program to make any sense of them, like Notepad.

No it didn’t. The lovebug was transmitted via a file named “iloveyou.txt.vbs”. Or something pretty close to that. It looked like a Visual Basic script to anyone who knew what a Visual Basic script was. People who didn’t know what a Visual Basic script was could make the mistake of thinking it was a text file. At that time I didn’t know that Visual Basic scripts could be viruses or that they had the extension .vbs but I still didn’t open the iloveyou file sent to me with a file extension that I didn’t know to be safe.

To answer the OP, bitmaps, jpegs and mp3s and the like will not contain viruses. However, you can create a virus and name it BeaArthurNaked.jpg.exe and this could fool some people. Especially those anxious to see Bea Arthur Naked.

One particularly insidious thing about the iloveyou.txt.vbs scam is that you can turn off the display of the extension in Windows. Thus, it would be displayed as iloveyou.txt and you wouldn’t notice it was something different by the name (though the icon would be different).

There’s also one particular extension that never displays in Windows unless you edit the registry.

However, for a file to spread a virus, it must be executable (i.e., a program). Graphics and MP3s are not programs and a “virus” embedded in them would merely be displayed as gibberish and have no effect.
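The double-extension trick discussed in the posts above can be checked for mechanically. The following is an added example, not part of any post in the thread: it classifies attachment names and shows what a user sees when the final extension is hidden. The extension lists and function names are assumptions chosen for illustration.

```python
import os

# Assumed policy lists for illustration; not taken from the thread.
EXECUTABLE_EXTS = {".vbs", ".exe", ".bat", ".com", ".scr", ".js"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".bmp", ".gif", ".mp3", ".avi", ".doc"}


def displayed_name(filename):
    """Name a user sees when the file manager hides the final extension."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return 'deceptive', 'executable' or 'data' for an attachment name."""
    # Normalise case and drop trailing dots/spaces before reading the extension.
    name = filename.strip().rstrip(". ").lower()
    stem, real_ext = os.path.splitext(name)
    if real_ext not in EXECUTABLE_EXTS:
        return "data"
    # Padding between decoy and real extension pushes the real one out of view.
    _, decoy_ext = os.path.splitext(stem.rstrip())
    return "deceptive" if decoy_ext in DECOY_EXTS else "executable"


def triage(filenames):
    """Map each name to (classification, name shown with extensions hidden)."""
    return {n: (classify_attachment(n), displayed_name(n)) for n in filenames}


# Constructed sample names, modelled on the ones quoted in the thread.
SAMPLES = ["iloveyou.txt.vbs", "BeaArthurNaked.jpg.exe", "holiday.jpg",
           "setup.exe", "report.doc      .vbs"]

if __name__ == "__main__":
    for name, (verdict, shown) in triage(SAMPLES).items():
        print(f"{verdict:10} shown as {shown!r:28} real name {name!r}")
```

The check looks only at the name, so "data" means "not directly executable by extension"; it says nothing about macros inside a document.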

Picky, picky. The original “Lovebug” didn’t, but some of its subsequent variants did. I remember seeing files here like your “BeaArthur” example, only with .vbs as the real extension.

“bitmaps, jpegs and the like. Also, avi movies or MP3’s”

No, not that I know of.

It would be possible to take an executable or VBS file and rename it as something.jpg or something.MP3. Later, a small triggering program could rename this file back and start it running. I thought that’s what the Love Bug virus was doing. The most annoying side effect was that it would destroy your MP3s and images.

Actually, it is quite possible to hide executable code in all sorts of random files with tricky ways to get it to execute. Here’s an example that recently happened: JPEG image files contain an internal “comment” field that’s used to store text information about the image (who made it, copyright, etc.). The field is basically ignored, but programs that display JPEGs have to parse it anyway. I don’t remember the details, but somebody figured out a way to cause a buffer overflow in many implementations that would execute code stored in the comment. Pretty devious. If you have an older version of Netscape or IE you’re probably vulnerable to it, although I’ve never heard of it actually being exploited.

A buffer overflow or format string vulnerability that can be exploited by user input can exist in any program, but it’s important to note that this is strictly a flaw of that program. Just because some program handles, e.g., JPEG comments unsafely doesn’t mean that there’s anything inherently dangerous about JPEGs or whatever.
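The two posts above turn on how a viewer parses the JPEG comment field. The thread does not give the details of the flaw, so this added example (not from any poster) only shows the bounds checks a parser owes the comment segment's length field before it copies anything. The function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE  # JPEG marker codes


class MalformedJpeg(ValueError):
    pass


def read_comments(data):
    """Return COM segment payloads from the header of a JPEG byte string.

    Simplified walker: stops at start-of-scan and ignores fill bytes.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise MalformedJpeg("missing start-of-image marker")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            break
        # The 16-bit big-endian length counts its own two bytes.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise MalformedJpeg("segment length below the 2-byte minimum")
        end = pos + 2 + length
        if end > len(data):
            raise MalformedJpeg("segment claims more bytes than the file holds")
        if marker == COM:
            comments.append(data[pos + 4:end])
        pos = end
    return comments


def is_well_formed(data):
    """True when every header segment length is consistent with the file."""
    try:
        read_comments(data)
        return True
    except MalformedJpeg:
        return False


# Constructed inputs: a valid 5-byte comment, then two bad length fields.
GOOD = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
TOO_SHORT = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"AAAA" + b"\xff\xd9"
TOO_LONG = b"\xff\xd8" + b"\xff\xfe\xff\xffhi" + b"\xff\xd9"
```

A parser that rejects both malformed inputs treats the comment as inert data, which is the second poster's point: the risk sits in the program's handling, not in the file format.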

Virus code can be attached to practically any file. For the virus to spread, there has to be a mechanism to execute this code. For file types like jpgs, bmps, and mp3s to spread a virus, there needs to be a bit of code in the application that reads these file types that executes this embedded code. Since there is no earthly reason to facilitate this except to propagate viruses, you’re pretty safe. BTW, this is the same reason why most email viruses are hoaxes. Mail readers don’t execute embedded code. Microsoft mail servers do, and this was one of the mechanisms that facilitated the spread of the lovebug and similar vbs viruses. Also, I’m told that Microsoft Outlook could be configured to automatically execute attached vbs scripts, which would be an exception to my statement that mail readers don’t execute code… but Microsoft loves exceptions… which is the main reason I don’t use Outlook or Internet Explorer and I constantly curse the funky behavior of the Office Suite…

I think the example cited by Bobort would be technically a trojan horse, since there was no spread of infection - just an unhappy surprise. I could be wrong, since I’m not familiar with this particular incident.

I don’t think that was due to the code actively changing a file, but just people trying to spread by renaming the ‘beaarthur’ part.

Here’s the Norton write-up on the LoveLetter Virus. (Well technically it’s a worm, but you get the idea.) There are 29 recorded variants there–note that many say that files are overwritten. I don’t remember which variant(s) hit my company, but I know some of our users fell for the trick and lost files that needed to be restored from backup, assuming they had one.

From the Norton link:

So according to Norton, the original version did overwrite files, as I stated at the very beginning. In fact, it appears all of the variants overwrite at least some files, though the extensions it touches vary.

In order to release (not merely contain) viral code, a computer file must contain instructions that either the OS or an individual application (program) running under it will interpret as instructions to go DO something.

On the PC platform, the OS reacts to a file depending on its extension (.vbs, .exe, .bat, .doc, .xls, etc.); you could have a file chock full of viral code, put the “.jpg” file extension on it, and the OS would try to open it as an image (and would probably fail since it wouldn’t make sense as an image). Since most image viewers (Photoshop, Paint Shop Pro, etc.) aren’t set up to engage in activity directed by instructions embedded in the files they open, viral code in a .jpg file (even if it were an image file) would for the most part lie dormant. (Exceptions that depend on tricking the application by overflowing its buffer have already been described above.) You could make the same case for multimedia files (.mov, .avi, .mpg), sound files (.snd, .wav, .aif, .mp3), and plain text files (.txt).

On platforms that do not rely on (or solely upon) file extensions to indicate to the OS what to do with the file, a live, executable viral file could have any name you wanted to give it. A Mac virus could be in a file named OpenMe, or LoveLetter.txt, or NakedBeaArthur.jpg when in actuality it was an application (directly executable Mac program), a compiled AppleScript, a Java executable, an Excel or Word file with embedded (viral) macros, etc. However, in order to be executable in this fashion on a Mac, the file would have to have the four-character file type and (if not APPL) file creator which tell the OS what to open it with (APPL, aplt; XLS5, XCEL; etc.), and this would cause the attachment to announce its basic file type by the type of icon it displays with. (Windows does this too–I assume text files do not have icons that look like visual basic .vbs files, and that the loveletter virus file would have shown such an icon.)

To embed a virus in, let’s say, an MP3 file, you’d first have to have at least one popular MP3 player out there that was set up to do more than send the decompressed sound wave code to your audio output devices. But if someone (let’s say Microsoft, for instance :rolleyes:) were to decide to package a built-in MP3 player with every copy of the OS and that MP3 player were capable of responding to suddenly optional scripts in MP3 files that could direct it to do things like changing the volume or switching its “skins” when the song came on, you then have opened the doors for a possible MP3 virus.

The wicked evil viruses of the last couple years have all spread via Microsoft Outlook, which was set up to respond to certain scripted commands by forwarding a given message to everyone in the associated MS Outlook Address Book; and which was set up to try to automatically open and display a wide range of types of attachments inline, thus saving the end user the hassle of downloading it to the Desktop and double-clicking it there. Most of these virii could infect a PC user who used Eudora or ccMail, but it required more intentional behavior on the part of the user and would not then automatically spread to other victims based on the current victim’s address book.

In light of this-- why the bloody hell so many businesses continue to standardize on Outlook is entirely beyond me.

thanks for the informative replies everyone!

On the other hand, I’m sorry I ever started this thread for 3 simple words:

Naked Bea Arthur.
ARRRRRRGGGGGHHHHHH!!!

In the latest very funny attack, what reset the browser’s homepage?

Oh, I think we all are.

“Part of me is dead. Part of me is gone forever…” - Crow

AHunter3:

Just for the record (and I know you know this Hunter) the “OpenMe” file or whatever is not the virus itself. This would be an example of a trojan horse launching a virus.

YIKES! Don’t give them any ideas…