Can someone teach me about malware please?
Scoobs
May 27th, 2008, 10:39 AM
I have been given a harddisk of random games, music, films, and software, and I’m wondering how to go about having a look at it.
As I understand it viruses can be hidden as all sorts of file, so how can hooking this HDD up to my computer infest my machine?
Can playing a virus hidden as an MP3 file do it? Would it only infect me if it is set to combine with a certain media player, and I use that media player to open it?
Will a scan with SAS, or Antivir (or both) suffice to check it? Will they scan compressed folders?
I guess I'm looking for an introduction to the basics of how infections come about.
Thanks for any help.
HyperFlow
May 27th, 2008, 05:08 PM
You can go here to learn more about infections and the methods some use, but to put it in a one-time post would be very hard and take a very long time. http://www.malwarehelp.org/methods-of-infection.html
Scoobs
May 28th, 2008, 04:37 AM
Thanks Hyperflow, that link's the sort of thing I was after - some references to read about.
ccsito
May 28th, 2008, 06:28 PM
Unfortunately, the best person(s) to teach you about malware are the authors themselves. :-X
HyperFlow
May 28th, 2008, 06:52 PM
> Unfortunately, the best person(s) to teach you about malware are the authors themselves. :-X

100% true, and I have been in that classroom before, unfortunately.
G1111
May 28th, 2008, 10:51 PM
Check out Calendar of Updates University:
http://www.dozleng.com/updates/index.php?showforum=128
HURST
May 28th, 2008, 11:01 PM
Scoobs, maybe you could try forcing anything that runs from that drive to run sandboxed... but I can't remember if you can do that with the free version ???
I once downloaded a video file from LimeWire (can't remember the file type), and when I played it in Winamp it froze, and after that the file couldn't be deleted. Don't know if it was a virus; it was format time anyway, so I didn't bother to find out.
lucas1985
May 30th, 2008, 06:58 PM
Scoobs, look here:
- Malware Threats (http://wiki.castlecops.com/Malware_Threats)
- Understanding Computer Infections. Part I (http://wiki.castlecops.com/Understanding_Computer_Infections), Part II (http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_two) and Part III (http://wiki.castlecops.com/Understanding_Computer_Infections_-_Part_three).
- The Threats and Countermeasures Guide (http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en)
More to come :)
HURST
May 31st, 2008, 12:49 AM
Scoobs
I did a scan with CureIt today on my girlfriend's laptop, and it flagged an mp3 file as being infected with a trojan.infector
Sadly I didn't have my flash drive with me, so I couldn't test it on my computer and have no idea of what it does or how it operates.
HURST
May 31st, 2008, 12:52 AM
Read this:
Rogue MP3 Trojan streaks across P2P networks (http://www.theregister.co.uk/2008/05/07/mp3_trojan_blitz/)
and this:
http://www.wilderssecurity.com/showthread.php?t=208594
lucas1985
May 31st, 2008, 12:58 AM
In-depth analysis by McAfee (http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant) :)
HURST
May 31st, 2008, 01:21 AM
> preview-t-3545425-changing times earth wind .mp3

That was the one!
lucas1985
May 31st, 2008, 01:48 AM
So, your girlfriend's laptop had the dropper but it's clean from the payload (the rogue app)?
HURST
May 31st, 2008, 02:01 AM
Yes, I don't think she ever got to open that mp3.
She has NOD32 and BOClean real-time.
Today I performed 3 scans: CureIt, SAS and MBAM.
Found another couple of things, but I don't think they were related to that mp3.
Maybe tomorrow I'll check NOD32 and BOClean's logs...
lucas1985
May 31st, 2008, 02:24 AM
Interesting :)
ErikAlbert
May 31st, 2008, 04:10 AM
A "MP3" containing a malware, even MP3's can't be trusted anymore. Indeed very interesting. I'm lucky I don't download that stuff anymore. I don't download much nowadays, I use internet more like a TV.
HURST
May 31st, 2008, 10:50 AM
If this form of malware starts being popular, it would be a big help for anti-piracy. Hhhmmm, new conspiracy anyone? ;D ;D
Anyways, whats more concerning is that this type of file would go directly to my data partition, and Returnil would do nothing about it....
Time to set up a new sandbox for winamp...
lucas1985
May 31st, 2008, 01:33 PM
They're fake MP3s. They seem spoofed executables according to McAfee's analysis.
Rmus
May 31st, 2008, 02:00 PM
http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant
> When a user attempts to load one of these MP3 and MPG files, they don't get the music/video they were hoping for; instead they're directed to download a file named PLAY_MP3.exe.

It would be interesting to see how these rogue files were offered. Do people just click at random on any music/video file they encounter?
It doesn't make sense to me.
EDIT:
> If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed.

It's evident that this is a user problem, and not a remote code execution exploit.
Big difference, that the OP should consider in answers to his question about malware.
----
rich
HURST
May 31st, 2008, 02:16 PM
> It's evident that this is a user problem, and not a remote code execution exploit.

I agree, but malware can evolve with time... maybe in future we'll see real exploits in this form.
If I play an mp3 and a screen offers to download some exe, the answer will be an immediate deny... but some people are just happy-clickers.
Rmus
May 31st, 2008, 03:40 PM
> I agree, but malware can evolve with time... maybe in future we'll see real exploits in this form.

Can you explain what you mean?
Why is this not a real exploit?
From the link quoted in MrBrian's post:

> Since Friday, more than half a million Trojan horse programs disguised as media files have been detected on consumer PCs, according to McAfee Avert Labs.
> "This is one of the most prevalent pieces of malware in the last three years," said Craig Schmugar, a McAfee Avert Labs researcher, in an e-mailed statement. "We have never before had a threat this significant that arrives as a media file."
----
rich
HURST
May 31st, 2008, 05:29 PM
I meant that this seems like an executable faked as an mp3. Maybe in future we'll see some mp3s which actually ARE mp3s and have some malicious code embedded.
Rmus
May 31st, 2008, 06:08 PM
I see what you mean.
Don't you think that will actually make it easier to prevent, since the malware can be automatically stopped from installing by a HIPS product, or Software Restriction Policies?
Meanwhile, this exploit in its present form isn't lacking for business!
----
rich
HURST
May 31st, 2008, 07:13 PM
So I'm checking NOD32 logs at my GF's laptop.
Apparently the file was downloaded with LimeWire.
NOD32 detected it, but wasn't able to clean it and didn't quarantine it either.
Some file named setup.exe located in the temp folder tried to access the file several times.
BOClean's log is empty.
MrBrian
June 1st, 2008, 01:25 AM
> I meant that this seems like an executable faked as an mp3. Maybe in future we'll see some mp3s which actually ARE mp3s and have some malicious code embedded.

The files used were Windows Media files that have the scripting capability to load a webpage. Some were misnamed as other file types such as mp3.
http://blog.threatfire.com/2008/05/risk-from-p2p-networks.html
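The point MrBrian makes above, that the spoofed files were Windows Media (ASF) containers or executables carrying a .mp3 extension, suggests a simple check a defender can run over a drive like the one the OP was handed: compare each file's extension with what its leading bytes say it is. The following is an added example written for this thread, not code from any poster or vendor. The header values are the publicly documented ASF header GUID, the PE/DOS "MZ" stub, the ID3v2 tag and the MPEG audio frame sync; the three sample files it builds are constructed for the demonstration. It only catches misnaming: a genuine .wma file whose script commands open a web page is consistent with its extension and is not flagged here.

```python
"""Flag media files whose extension disagrees with their content (added example)."""
from __future__ import annotations

import os
import tempfile

# Documented leading-byte signatures for the formats discussed in the thread.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # ASF/WMA/WMV header object
PE_MAGIC = b"MZ"                                               # DOS stub of a Windows executable
ID3_MAGIC = b"ID3"                                             # ID3v2 tag that usually precedes MP3 frames

# What each extension claims to be.
EXPECTED = {".mp3": "mp3", ".wma": "asf", ".wmv": "asf", ".asf": "asf", ".exe": "pe"}


def sniff_type(head: bytes) -> str:
    """Classify a file from its first bytes: 'asf', 'pe', 'mp3' or 'unknown'."""
    if head.startswith(ASF_GUID):
        return "asf"
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ID3_MAGIC):
        return "mp3"
    # Bare MPEG audio frame: 11-bit frame sync (all ones) in the first two bytes.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def check_file(path: str) -> tuple[str, str, bool]:
    """Return (type claimed by extension, type found by sniffing, mismatch flag)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    claimed = EXPECTED.get(ext, "unknown")
    actual = sniff_type(head)
    return claimed, actual, claimed != actual


def build_samples(directory: str) -> list[str]:
    """Write three constructed files: one plausible MP3 and two spoofs renamed to .mp3."""
    samples = {
        "song.mp3": ID3_MAGIC + b"\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 4,
        "spoofed_wmv.mp3": ASF_GUID + b"\x00" * 14,                   # ASF container, wrong extension
        "spoofed_exe.mp3": PE_MAGIC + b"\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # PE stub, wrong extension
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return list(samples)


def scan_samples() -> dict[str, bool]:
    """Build the constructed samples in a temp dir and report which ones are misnamed."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for name in build_samples(tmp):
            claimed, actual, mismatch = check_file(os.path.join(tmp, name))
            results[name] = mismatch
        return results


if __name__ == "__main__":
    for name, mismatch in scan_samples().items():
        print(f"{name}: {'MISMATCH' if mismatch else 'ok'}")
```

Run against a real drive by calling `check_file` on each path from `os.walk`; the `scan_samples` entry point exists only to exercise the logic on the constructed files.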
Mrkvonic
June 1st, 2008, 03:41 AM
Hello,
You disable scripts in Windows Media Player, problem solved.
Mrk