Infected song file?

I'm pretty well versed in knowledge of IT and computers and such, so I have my security and updates / etc. I trust it to the point I don't do virus scans, I just leave it to eset's background scanner, because I don't really do much on this pc at all.

I'm a little woried though, the main thing this pc has is music, so you can imagine my confusion when suddenly one of my songs becomes flagged as a "possible" trojan. I'm thinking, wow, the first ever false positive I've had with eset in over 5 years or so and it's a song? I dig a little deeper with virustotal:

Old Results: http://www.virustotal.com/analisis/95c5fc2f91096145e638e39a329a79d8
Makes me think it's a false positive, but...

New results from 5 minutes ago:
http://www.virustotal.com/analisis/e42ef607ae60d9f80190568ba2f1dd6b
17/36? I've played this song many a times in foobar, and I know my system is clean, so what exactly is going on here?

Some info:
mp3 file
vista sp1
ESS latest

I have a copy of the file if need be.

 

Please send the file to samples[at]eset.com in an archive protected with the password "infected" and this thread's url in the subject. Also please enclose a log from ESET SysInspector.

The name of the threat indicates that it's a PE exexutable file, not an mp3. We detect infected mp3's as Getcodec.

 

Hi Macros, thank you for the reply. I've sent the file and a log to the address you gave me with the title "For Marcos / Wilders | Song File".

I can assure you it is an mp3 file, I'm hoping it's just a false positive, I really need some reassurance.

 

As I said, it's not mp3, but an executable with PE header. The log from ESI seems to be cleaned so maybe you happened to run a trojan that replaced mp3's on your disk with its executable. I'll try running it on a replicator when I get to the office next week.

 

Marcos is right... virustotal says it's a PE executable and as far as I know MP3's dont' come packed with UPX (an executable packer)

The detections are almost certainly correct.

 

I'm not sure what you're trying to get at. I've played this song myself, it plays music, as I stated in my first post.

http://img505.imageshack.us/my.php?image=musicko8.jpg

 

It might play music...but it's not an mp3 file. The virustotal results show that it is infact an executable file (.exe) that has probably been renamed. MP3 files certainly don't come packed with UPX. What I was trying to get at is that the detection by ESS is almost certainly correct.

You could try uploading it to the ANUBIS sandbox and seeing what it tells you about it's behaviour when executed: http://anubis.iseclab.org/

 

Ah I see, thanks for explaining, anubis seems to support this also: http://anubis.iseclab.org/result.php?taskid=c56dae97e85fd674bdcef569afeced17&refresh=1

I just wonder though maybe eset could give a little more info on this file instead of just removing it as a trojan, as it seems to be harmless as mp3.

 

Sorry, I managed to completely miss your post. Just to clarify, this pc has never been infected in any shape or form, I acquired this song file in it's current format.

 

As previous posters have said, your mp3 may look the same to you but it isn't in it's previous state anymore.
It has been modified by a virus.
You say your pc has never been infected in any shape or form. How can you be certain of that?
The answer is you can't. What makes you so certain that your pc has never been infected?
I feel it's better to err on the side of caution.

 

I have been working with computers most of my life, that's how I know, I keep track of my pc like every every bit of a watch.

The file has not been modified in any way, it is in the shape it always was. It's eset that has updated.

 

just check this out....

try to see the super hidden files on u'r computer on that particular folder where u;r song is...

there was a trojan which used to hide the actual .mp3 and replace by samename.mp3.exe trojan when clicked executes trojan as well as song.. so u dont notice the trojan executed..

i hope u know how 2 see the super hidden files

1. tools > folder options > view > show hidden files and folders

2. tools > folder options > view > hide protected operating system files (untick)

and there u check it and reply..

 

Hey, thanks for the reply krypton. Actually hiding of file extensions is one of the first things I turn off in windows, I can't stand it. Also, ESS shows the full extension of the file in it's quarantine, as shown in my earlier screenshot.

What I'm trying to say is this pc has never been infected, the file is in the state it always was, the only real solution is it was changed before it was on my pc, but I've played it via foobar a few times without realizing it until one of eset's latest updates flagged it. It seems pretty harmless when played as a song file, and could probably keep playing it without a worry.

 

can u upload it via rapidshare.com and pm it to me.
lemme have a look at it,

 

Any particular reason?

Any conclusion of this?

 

Bump? :/

I personally don't think this should be detected at all unless the file is in executable format, as it's harmless as mp3, as I'm sure you've found out if you've tested it.

 

It looks like it just won't run from anubis, that being said, it probably links over to an exploit website, However impossible to say without looking at the file itself

Also, just because it's not a .exe doesn't mean it's not malicious, just cause you don't think it should be detected, it certainly won't be removed if it's malicious

 

In mp3 form the file is not malicious in any way, anyway, still awaiting your analysis Marcos.

 

Hello elapsed800. You may have an undetected getcodec trojan in your PC that infected your mp3 file. When you uploaded your mp3 file to VirusTotal did you put it inside an archive? If not then the trojan is modifying it (or you redownloaded the same song and then reinfected?) because its hash changes,

First upload:
95c5fc2f91096145e638e39a329a79d8
Second upload:
e42ef607ae60d9f80190568ba2f1dd6b

Play the mp3 using Windows Media Player. See if a prompt asks you to download a codec. But from your Anubis report it seems the trojan was buggy and didn't ran as expected by the coder.

Here's a good read on the trojan by Marco of Prevx.

Regards,
thanatos

EDIT:
My bad, I mistook the random characters of the VT URL as the md5 hash . I opened the links now and saw both links show the same md5. The mp3 file might have been replaced by a PE as Marcos stated. elapsed800, where did you download the mp3 anyway?

 

If you don't believe that the file you've sent cannot be played, here's a screenshot of what happened when I tried to open it in Windows Media Player:

 

Was it trying to exploit the recent vulnerability that was patched with KB954156?

 

Never thought about that.

I must admit, I've only ever played it in foobar2000.