Can there be a virus in any filetype?

Discussion in 'NOD32 version 2 Forum' started by Mike415, Mar 19, 2005.

Thread Status:
Not open for further replies.
  1. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    Can a file such as an MP3, (actually an mp3) contain a virus that can do something to your computer? Or a JPEG? Like if you download it, then it says it will play with WMP or something, could it infect your computer?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The simple answer is yes.

    Pay attention to files with multiple extensions. Generally, the last extension is the relevant one. For example, a file named song.mp3.exe is an executable program (.exe) and not an MP3 file.

    If you are using Outlook Express and see a file with three extensions, Outlook Express may consider the second extension to be relevant, so that a file named song.mp3.exe.jpg is an executable program (.exe); it is neither an MP3 file nor a JPG file.

    Hope this helps...

    Cheers :D
     
  3. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    I know that, sorry I didn't clarify, I meant like actually put it into a .mp3 file. That's what I meant when I said it actually will open with Windows Media Player
     
  4. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Blackspear missed the point a bit. He pointed out the naming tricks used by malware writers, but not the issue itself :p

    Yes, malware can be in any format, but it is useless in such form.
    If a program that was coded as .SCR is renamed to .MP3 (extension), it won't do any harm. WinAMP, for example, will just say it's not a supported audio format and deny access. It's the same with others (like an EXE with a .TXT extension).

    The other thing is a specially crafted or exploited file, but that is not malware in the correct sense of the word, but an exploit. A good example is the JPEG Exploit released not long ago.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed I did on this one ;) :D I took the extension side rather than the file type itself.

    Cheers :D
     
  7. Happy Bytes

    Happy Bytes Guest

    RejZoR already said it: a virus (or any kind of malware) could be included in every filetype. Whether it is able to run is another question.

    This depends pretty much on how the applications deal with the filetypes.
    If you can produce buffer overflows or other exploiting technologies, then it would be possible to activate such included malicious code.

    Another nice example is GIF pictures :D
    Did anybody know that the header of some GIF files may contain 'code' which would execute under MS-DOS as a COM file ;) A COM file starts execution at file offset 00h (the file start) and doesn't care about any file format checking. That said, it will execute until an unknown opcode is reached.
    No comments anymore to this from my side :D
     
  8. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    To really be harmful to the system, the file must contain "something" that gets executed. However, while not every filetype is an executable, there are several things that one must be aware of: 1) macro support or other app-specific execution paths, 2) "buffer overflow" exploits, and 3) the possibility of re-naming.

    Macro support is problematic because it can be difficult to track just what constitutes an "executable". Most people don't think of Microsoft Word documents as executables, but they can contain macros and VBA (Visual Basic for Applications) code. Security errors and vulnerabilities in this macro support can allow malicious code to wreak havoc through a document file. Microsoft Office products are just one example. Significant numbers of third-party programs are increasingly adding macro support and rudimentary executable processing to their file formats for all sorts of reasons. Users cannot be expected to track all such executable pathways. Therefore, malicious code writers might be able to sneak in through some "back alley" executable path and/or file type that most people don't associate with executables.

    Buffer overflow exploits are perhaps the biggest and most insidious fear for most filetypes. If a program is coded incorrectly then even in a pure data file format, there might exist a path to force code execution. What happens is that if a program is not careful it might allocate a certain amount of space (a buffer) to a piece of data and then malware authors purposely throw in data that is too big for that allocated buffer. If done in a very precise manner these buffer overflows can result in the malware author being able to force code execution.

    File re-naming is a fairly obvious tactic, but can't be overlooked. If the malware writer can get you to rename a file either through social engineering or through some other automated exploit mechanism then a previously "benign" file format can quickly turn into an executable, "non-benign" file format. Along this re-naming line, it must also be remembered that archive formats (zip, cab, rar, arj, etc.) can, of course, easily contain executables as well.

    Having said all of the above, though, in my own opinion it is not necessarily worth it to have a resident virus scanner scan every filetype upon access. It is a calculated risk I take because I feel that the risks associated with most non-executable filetypes are in reality quite minimal. I do scan every filetype on my on-demand scans, however. It's a personal choice, and there are arguments to be made on both sides.
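
An added example, not part of any post in this thread: a small Python triage check for the naming and renaming cases discussed above (song.mp3.exe, song.mp3.exe.jpg, and an executable renamed to .mp3). The function names, finding codes, extension list and sample bytes are assumptions constructed for illustration.

```python
import os

# Extensions Windows runs directly (illustrative subset, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Leading "magic" bytes for formats named in the thread (illustrative subset).
# .com has no entry: a COM file has no header, so content alone cannot identify one.
MAGIC = {
    ".exe": (b"MZ",), ".scr": (b"MZ",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"),
}

def check_file(name, head):
    """Return finding codes for a file name and the first bytes of its content."""
    exts = ["." + part for part in name.lower().split(".")[1:]]
    if not exts:
        return []
    findings, last = [], exts[-1]
    # song.mp3.exe: the last extension decides, and it is executable.
    if len(exts) > 1 and last in EXECUTABLE_EXTS:
        findings.append("double-extension-executable")
    # song.mp3.exe.jpg: an executable extension sits before the final one.
    if any(ext in EXECUTABLE_EXTS for ext in exts[:-1]):
        findings.append("hidden-executable-extension")
    # Renamed executable: MZ header under a non-executable extension.
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        findings.append("executable-content-mismatch")
    elif last in MAGIC and not head.startswith(MAGIC[last]):
        findings.append("content-mismatch")
    return findings

def check_path(path):
    """Run check_file on a file on disk, reading only its first 8 bytes."""
    with open(path, "rb") as handle:
        return check_file(os.path.basename(path), handle.read(8))

# Constructed samples: (file name, first bytes of content).
SAMPLES = [
    ("song.mp3.exe", b"MZ\x90\x00"),
    ("song.mp3.exe.jpg", b"MZ\x90\x00"),
    ("track.mp3", b"MZ\x90\x00"),
    ("track.mp3", b"ID3\x03\x00"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        print(sample_name, check_file(sample_name, sample_head) or "ok")
```

A header check like this covers only renaming; a crafted file that exploits a parser bug, such as the JPEG case mentioned above, can carry a valid header and has to be handled by patching the application and scanning content.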
     