Infected song file?

Discussion in 'ESET NOD32 Antivirus' started by funkydude, Sep 12, 2008.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I'm pretty well versed in knowledge of IT and computers and such, so I have my security and updates / etc. I trust it to the point I don't do virus scans, I just leave it to eset's background scanner, because I don't really do much on this pc at all.

    I'm a little worried though, the main thing this pc has is music, so you can imagine my confusion when suddenly one of my songs becomes flagged as a "possible" trojan. I'm thinking, wow, the first ever false positive I've had with eset in over 5 years or so and it's a song? I dig a little deeper with virustotal:

    Old Results: http://www.virustotal.com/analisis/95c5fc2f91096145e638e39a329a79d8
    Makes me think it's a false positive, but...

    New results from 5 minutes ago:
    http://www.virustotal.com/analisis/e42ef607ae60d9f80190568ba2f1dd6b
    17/36? I've played this song many a time in foobar, and I know my system is clean, so what exactly is going on here?

    Some info:
    mp3 file
    vista sp1
    ESS latest

    I have a copy of the file if need be.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send the file to samples[at]eset.com in an archive protected with the password "infected" and this thread's url in the subject. Also please enclose a log from ESET SysInspector.

    The name of the threat indicates that it's a PE executable file, not an mp3. We detect infected mp3s as Getcodec.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Hi Marcos, thank you for the reply. I've sent the file and a log to the address you gave me with the title "For Marcos / Wilders | Song File".

    I can assure you it is an mp3 file, I'm hoping it's just a false positive, I really need some reassurance. :)
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As I said, it's not mp3, but an executable with PE header. The log from ESI seems to be clean, so maybe you happened to run a trojan that replaced mp3s on your disk with its executable. I'll try running it on a replicator when I get to the office next week.
     
  5. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Marcos is right... virustotal says it's a PE executable and as far as I know MP3s don't come packed with UPX (an executable packer) ;)

    The detections are almost certainly correct.


     
    Last edited: Sep 13, 2008
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
  7. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    It might play music...but it's not an mp3 file. The virustotal results show that it is in fact an executable file (.exe) that has probably been renamed. MP3 files certainly don't come packed with UPX. What I was trying to get at is that the detection by ESS is almost certainly correct.

    You could try uploading it to the ANUBIS sandbox and seeing what it tells you about its behaviour when executed: http://anubis.iseclab.org/
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Sorry, I managed to completely miss your post. Just to clarify, this pc has never been infected in any shape or form, I acquired this song file in its current format.
     
  10. DooGie

    DooGie Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    112
    As previous posters have said, your mp3 may look the same to you but it isn't in its previous state anymore.
    It has been modified by a virus.
    You say your pc has never been infected in any shape or form. How can you be certain of that?
    The answer is you can't. What makes you so certain that your pc has never been infected?
    I feel it's better to err on the side of caution.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I have been working with computers most of my life, that's how I know, I keep track of my pc like every bit of a watch.

    The file has not been modified in any way, it is in the shape it always was. It's eset that has updated.
     
  12. krypton_harsh

    krypton_harsh Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    84
    Just check this out....

    Try to see the super hidden files on your computer in that particular folder where your song is...

    There was a trojan which used to hide the actual .mp3 and replace it with a samename.mp3.exe trojan; when clicked it executes the trojan as well as the song, so you don't notice the trojan executed..

    I hope you know how to see the super hidden files:

    1. tools > folder options > view > show hidden files and folders

    2. tools > folder options > view > hide protected operating system files (untick)

    And there you check it and reply..
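    Two checks come up in this thread: Marcos and Baz_kasp point out that the file's header is MZ/PE with UPX section names rather than an MP3 header, and krypton_harsh describes the samename.mp3.exe double-extension trick. The following Python script is an added example, not code from the original thread or from ESET: it sniffs the real container type from the first bytes (ID3v2 tag or MPEG frame sync for MP3, MZ/PE signature and section table for executables) and flags a name whose extension disagrees with the header or that carries a double extension. The sample byte strings are constructed inline for the demonstration and are not the file discussed in the thread.

```python
"""Sniff a file's real container type from its header rather than its name.
Added example, not part of the original thread; sample inputs are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List


@dataclass
class Sniff:
    kind: str                      # "pe", "mp3" or "unknown"
    details: List[str] = field(default_factory=list)


def sniff(data: bytes) -> Sniff:
    # ID3v2 tag: "ID3", 2 version bytes, flags, 4 syncsafe size bytes (10 bytes total)
    if data[:3] == b"ID3" and len(data) >= 10:
        return Sniff("mp3", ["ID3v2 tag"])
    # Raw MPEG audio frame: 11-bit sync 0xFFE, version bits != 01 and layer bits != 00
    if (len(data) >= 4 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
            and (data[1] & 0x18) != 0x08 and (data[1] & 0x06) != 0x00):
        return Sniff("mp3", ["MPEG audio frame sync"])
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return Sniff("pe", ["MZ header without PE signature (DOS stub only)"])
        coff = e_lfanew + 4
        nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
        table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
        names = []
        for i in range(nsect):
            off = table + 40 * i
            if off + 40 > len(data):
                break
            names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        details = ["MZ/PE header", "sections: " + ", ".join(names)]
        # UPX leaves its section names in place unless the packer was told to rename them
        if any(n.startswith("UPX") for n in names):
            details.append("UPX-packed (UPX0/UPX1 section names)")
        return Sniff("pe", details)
    return Sniff("unknown", [])


def check_name(name: str, data: bytes) -> List[str]:
    """Warnings when the extension disagrees with the header, or the name is
    a double extension such as song.mp3.exe that Explorer shows as song.mp3."""
    warnings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    result = sniff(data)
    if ext == "mp3" and result.kind == "pe":
        warnings.append("extension .mp3 but header says PE executable: " + "; ".join(result.details))
    if len(parts) > 2 and parts[-2] in ("mp3", "wav", "jpg", "pdf", "doc") \
            and ext in ("exe", "scr", "com", "pif"):
        warnings.append(f"double extension .{parts[-2]}.{ext}: a renamed executable")
    return warnings


def make_pe(section_names: List[bytes]) -> bytes:
    """Constructed minimal PE image: just enough header for sniff() to parse."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                             # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sects = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sects


# Constructed samples (not the file from the thread)
SAMPLE_PACKED_PE = make_pe([b"UPX0", b"UPX1", b".rsrc"])
SAMPLE_MP3_ID3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\0" * 16
SAMPLE_MP3_RAW = b"\xff\xfb\x90\x64" + b"\0" * 16

if __name__ == "__main__":
    for name, blob in (("song.mp3", SAMPLE_PACKED_PE), ("song.mp3", SAMPLE_MP3_ID3),
                       ("song.mp3.exe", SAMPLE_PACKED_PE)):
        print(name, sniff(blob), check_name(name, blob))
```

Run it against a real file with `check_name(path, open(path, "rb").read(4096))`; only the first few kilobytes are needed, since both the MP3 signatures and the PE section table live at the start of the file.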
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Hey, thanks for the reply krypton. Actually hiding of file extensions is one of the first things I turn off in windows, I can't stand it. Also, ESS shows the full extension of the file in its quarantine, as shown in my earlier screenshot.

    What I'm trying to say is this pc has never been infected, the file is in the state it always was, the only real solution is it was changed before it was on my pc, but I've played it via foobar a few times without realizing it until one of eset's latest updates flagged it. It seems pretty harmless when played as a song file, and could probably keep playing it without a worry.
     
  14. krypton_harsh

    krypton_harsh Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    84
    Can you upload it via rapidshare.com and PM it to me?
    Let me have a look at it.
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Any particular reason?

    Any conclusion of this? :)
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Bump? :/

    I personally don't think this should be detected at all unless the file is in executable format, as it's harmless as mp3, as I'm sure you've found out if you've tested it.
     
  17. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    It looks like it just won't run from anubis. That being said, it probably links over to an exploit website; however, it's impossible to say without looking at the file itself.

    Also, just because it's not a .exe doesn't mean it's not malicious, and just because you don't think it should be detected, it certainly won't be removed from detection if it's malicious.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    In mp3 form the file is not malicious in any way, anyway, still awaiting your analysis Marcos.
     
  19. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Hello funkydude800. You may have an undetected getcodec trojan in your PC that infected your mp3 file. When you uploaded your mp3 file to VirusTotal did you put it inside an archive? If not then the trojan is modifying it (or you redownloaded the same song and then it got reinfected?) because its hash changes:

    First upload:
    95c5fc2f91096145e638e39a329a79d8
    Second upload:
    e42ef607ae60d9f80190568ba2f1dd6b

    Play the mp3 using Windows Media Player. See if a prompt asks you to download a codec. But from your Anubis report it seems the trojan was buggy and didn't run as expected by the coder.

    Here's a good read on the trojan by Marco of Prevx.

    Regards,
    thanatos

    EDIT:
    My bad, I mistook the random characters of the VT URL as the md5 hash :oops:. I opened the links now and saw both links show the same md5. The mp3 file might have been replaced by a PE as Marcos stated. funkydude800, where did you download the mp3 anyway?
     
    Last edited: Sep 24, 2008
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you don't believe that the file you've sent cannot be played, here's a screenshot of what happened when I tried to open it in Windows Media Player:
     

    Attached Files:

  21. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Was it trying to exploit the recent vulnerability that was patched with KB954156?
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Never thought about that.


    I must admit, I've only ever played it in foobar2000.
     