Good evening, I would need two clarifications: 1) How do I check whether the MBR of my system HDD is clean (or infected)? 2) Can files with innocuous extensions such as .reg, .sim, .jpg, .dat, .xml, etc. contain and/or transmit malware? Thanks.
1) Scan with RogueKiller (RogueKiller official tutorial -> MBR tab: http://www.adlice.com/softwares/roguekiller/roguekiller-official-tutorial/) or Avast Anti-Rootkit, etc.
All of those can potentially be used to deliver malware or serve as components of malware. Several years ago, JPGs were being actively used for just that purpose. A .reg file that removes the startup entries for security apps would be another example.
Unless you're using an outdated version of popular software to open them, the contained malware is highly unlikely to execute and will usually just result in a corrupt file.
I've just used Avast aswMBR, but unfortunately I cannot finish the scan because it always crashes... and strangely the crash always occurs when it scans the folder C:\Windows\assembly. However, at the beginning of the scan report I can read: "Windows 7 default MBR code" and "disk0 default boot code". So I hope that my HDD is OK and that the MBR is clean... right?
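A "default MBR code" verdict like the one in the aswMBR report rests on the fixed 512-byte layout of the sector: 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature. The following parser, added here as an illustration and not part of any post or of aswMBR/RogueKiller, reads that layout, hashes the boot-code region so it can be compared against a baseline you captured from a known-good machine, and runs a few structural sanity checks. The sample sector is constructed (its "boot code" is just NOP bytes, not real Windows code); the baseline hash is whatever you record yourself.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code, the part scanners compare to "default" code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510        # two-byte boot signature 0x55 0xAA at the end of the sector
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(fill=0x90):
    """Constructed sample MBR for offline use: NOP-filled boot code (not real Windows code),
    one active NTFS (type 0x07) partition at LBA 2048 with 204800 sectors, CHS fields zeroed."""
    boot_code = bytes([fill]) * BOOT_CODE_LEN
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return boot_code + entry + bytes(16) * 3 + b"\x55\xAA"


def parse_mbr(mbr):
    """Split a 512-byte sector into signature flag, boot-code hash and partition entries."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": sectors})
    return {
        "valid_signature": struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0] == 0xAA55,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def sanity_checks(info):
    """Structural checks that should all pass on a healthy disk; returns a list of problems."""
    problems = []
    if not info["valid_signature"]:
        problems.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) > 1:
        problems.append("more than one active partition")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            problems.append("partition %d starts at LBA 0 (overlaps the MBR)" % p["index"])
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return problems


def boot_code_matches(mbr, baseline_sha256):
    """True when the boot-code region hashes to the baseline you recorded from a trusted disk."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def read_mbr(device_path):
    """Read the first sector of a raw device (needs admin/root; e.g. /dev/sda or \\\\.\\PhysicalDrive0)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = parse_mbr(sample)
    print(report["boot_code_sha256"], report["partitions"], sanity_checks(report))
```

Record the boot-code hash from a disk you trust (same Windows version, same partitioning tool) and compare later reads against it; a changed hash with unchanged partition entries is exactly the pattern a bootkit check is looking for, and a report with structural problems deserves a second look even when the hash matches.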
Any scanner is almost certainly only going to check if the MBR contains files that match the MD5 of known malware, which I don't think is particularly effective. A .reg is a registry file which can screw up all sorts of important settings, for example disabling Task Manager. Pretty much any file imaginable can contain some sort of exploit.
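The .reg-file risk raised in this thread (removing startup entries for security apps, disabling Task Manager) can be triaged before import, because a .reg file is plain text with a fixed grammar. The script below is an added example, not from any poster; it parses key headers, value lines and the `=-` / `[-KEY]` deletion forms, then flags deletions under the autostart keys and well-known policy DWORDs that switch off Task Manager, Registry Editor or Windows Defender. The sample .reg content and the severity scheme are constructed for illustration; extend the watchlist to your own policy.

```python
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY] (delete key)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "Name"=value or @=value

RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed watchlist: DWORD values that disable user-facing security controls when set to 1.
POLICY_DWORDS = {
    "disabletaskmgr": "disables Task Manager",
    "disableregistrytools": "disables Registry Editor",
    "disableantispyware": "disables Windows Defender",
}


@dataclass
class Finding:
    severity: str
    key: str
    name: str
    reason: str


def load_reg_text(path):
    """Read a .reg file; regedit exports are UTF-16LE with a BOM, older ones are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8", "replace")


def parse_reg(text):
    """Return (key, key_deleted, value_name, raw_value) tuples; hex continuation lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":
                entries.append((current, True, None, None))
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name = "(default)" if m.group(2) else m.group(1)
            entries.append((current, False, name, m.group(3).strip()))
    return entries


def analyze(entries):
    """Flag autostart tampering and security-policy DWORDs among parsed entries."""
    findings = []
    for key, key_deleted, name, value in entries:
        in_run = any(marker in key.lower() for marker in RUN_KEY_MARKERS)
        if key_deleted:
            if in_run:
                findings.append(Finding("high", key, "", "deletes an entire autostart key"))
            continue
        if value == "-":
            if in_run:
                findings.append(Finding("high", key, name, "removes startup entry"))
            else:
                findings.append(Finding("low", key, name, "removes a value"))
            continue
        lname = name.lower()
        if lname in POLICY_DWORDS and value.lower() == "dword:00000001":
            findings.append(Finding("high", key, name, POLICY_DWORDS[lname]))
        elif in_run:
            findings.append(Finding("low", key, name, "adds startup entry -> " + value))
    return findings


# Constructed sample: not taken from any real malware.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityTool"=-
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"""

if __name__ == "__main__":
    for f in analyze(parse_reg(SAMPLE_REG)):
        print(f.severity.upper(), f.key, f.name, "-", f.reason)
```

Run it over a .reg file with `analyze(parse_reg(load_reg_text(path)))` before double-clicking the file; anything rated high is worth opening in a text editor and reading line by line.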
That statement would apply to known exploits. With new ones, who knows. Office file formats are still regularly used to deliver malware. Several in that list are text files: reg, xml, many dat files. To that you can add .bat, .ini, .hta, all script formats, and others. Plain old text files can be nasty if the file extension gets changed. Internet Explorer used to treat .hta files like trusted sites, no matter what they did or where they connected to.
Beware, even .txt files can contain malware! An example is discussed in the following blog post: http://hexatomium.github.io/2015/03/31/why/
I experienced the same issue; it stopped (not crashed) in the assembly folder. I found some others also experienced it. I temporarily blocked access to the folder with an old version of Toolwiz TimeFreeze and it worked, but Avast should fix this. As krustytheclown2 said, most scanners check the MBR for known bootkits and their derivations (heuristics), though not by MD5, but a good scanner also compares behavior between access through the OS and through direct disk access upon system boot, as well as network activity, so saying they can only detect known bootkits is a bit too much. Other than a disguised extension, any extension can hide malware as steganography, but the attacker needs another executable or script to launch that hidden malware. It's true any file type can contain an exploit, but an exploit is not malware, and practically what J_L said is true, as 0-day exploits are rare unless you're targeted by a skilled attacker. Disclaimer: I'm not an expert.