Emuforums.com

June 5th, 2003   #1
Quatro
can video files be a virus?

well my sister was downloading a video file over kazaa, and when I did my regular virus scan, the scanner detected it as having some sort of virus! is it possible? the download is not yet finished and I haven't decided whether to delete it or what...

June 5th, 2003   #2
Gamer1
yes it's possible, you can put a virus over anything.

June 5th, 2003   #3
Quatro
argh... what are win32 Hanater(?) viruses? are they worms? I tried looking for the virus info but couldn't find any...

June 5th, 2003   #4
cperezprg
To Gamer1: this is the first news I've read about viruses in videos.
How did you know? Did you read it somewhere on the web? Can you post a link?

I also download many videos, and I want to know more about this.

Thanks!

June 5th, 2003   #5
Quatro
well I ran my regular virus scan and spotted this virus (the virus I posted above, but I'm not sure if I typed it correctly) and I browsed for that file... it's a video file and the download is not yet complete but it's already at 10Mb ++... I can't determine the filename at the moment because there are similar video files that I'm downloading that have the same filesize...

but the video files I'm downloading are Love Hina and a music video of F4 (my sister's)

June 5th, 2003   #6
N1ghtw0lf
I'd think if they can make a virus that can be put on your computer by viewing a picture on a webpage...they can put one in a video file...and viruses can have any extension disguised on them so yes...as long as I'm not proven wrong by a genius...I'd say yes...definitely

June 5th, 2003   #7
Shin_Gouki
hm it would be VERY difficult to find the difference between a real video file and a virus-modified video file... There should be some kind of checksum which indicates if there is any "abnormal data"; normally header + video data itself can be identified quite easily.
e.g. .avi is a Windows video container... hm if you have the resolution from the video codec.. maybe you can calculate... ..ah it's too hot I need a break
wbr Shin Gouki

June 5th, 2003   #8
Galway no Sora
I never heard about a video containing a virus. The one I know is a file name that is most likely a video, but after you activate the "long file name" extension, it will reveal the true extension of the file. E.g.: video.avi --> video.avi.exe.

Correct me if I'm wrong. Hope this can help.

June 5th, 2003   #9
cperezprg
I agree. It's obvious that a video can be manipulated because it's data. But a Virus must be activated. It activates when you launch a .exe or with MS Office's Macros (due to a bug).

But in a video, it seems difficult. The only thing I can imagine is that the video player has a bug (like MS Office) and a virus can use it. But this is also rare, because a normal player is reading the information of the file and translating it to show the movie, not executing that information (like EXE or Macros).

June 5th, 2003   #10
JNS
hi!

Theoretically it's not possible that a virus gets executed while watching a movie. The same goes for any other file which doesn't get executed (like txt files, jpgs, bmps, tifs, mp3s and whatever), since the processor (the player program) does not execute the content of the file.
On the other hand, the data of the file could be manipulated so that a specific (badly coded) player interprets the data wrongly and causes a buffer overflow. This buffer overflow could be used to get the virus code executed on the computer.
But I think the chance that someone uses such a bug in a player to get a virus executed on your computer is very very small ... I assume that's just a badly coded virus-detection routine in your antivirus program, which interprets the video data wrongly.

Cu, JNS

June 5th, 2003   #11
dukenukem
load the incomplete avi file into virtualdub and see what it says and see if there is any video in it.

June 5th, 2003   #12
Demigod
> Originally posted by Gamer1:
> yes it's possible, you can put a virus over anything.

Viruses need to be executed for them to do anything and as such, they need to be in an executable file. It's like a game or application. You need to run the executable to make them work or even do anything. But as JNS stated, viruses can be executed if the input file were to cause a buffer overflow and write the code into memory. However, as he also stated, the chances of that are extremely small. The virus coder would have to know the exact input buffer size of the player, otherwise it won't do anything. I agree with JNS, the anti-virus program is probably just messing up. There is some genuine code that looks like a virus (programs that overwrite drivers or OS files or do other potentially dangerous things) but it's not really a virus.

June 5th, 2003   #13
Gamer1
I did state that it is possible, didn't I?

That's why I don't trust kazaa w/o a virus scanner. Thank god for pc-cillin.

June 6th, 2003   #14
Quatro
well it still registered as a virus... I haven't had any luck finding out what the virus means... and it can't be cleaned... and no .avi.exe extension... I'll update you guys when I find out more...

June 9th, 2003   #15
aldo
Some video formats (like the ones from Microsoft) allow internal tags with URLs that will open automatically when the video is played in a popular player (like Windows Media Player) that can interpret those tags.

Some of those URLs could open a web page containing some kind of virus in javascript, exploit some bug in the browser, create some cookies with spyware, install some unsigned plugin or malware with virus, among other side effects.

So, the answer is YES, it is possible to get a virus from a regular video or audio file. But it depends on the player that you use.

The method of infection is the same as if you browse directly to the URL containing that virus code.

June 9th, 2003   #16
Galway no Sora
Basically, do not open any files directly from the net. Download them, scan them and if you find one, delete it.

June 9th, 2003   #17
Quatro
well I'm waiting for the file to finish to determine what file it is... thanks aldo... now we know that video files could also be infected...

just need some help:

I've been trying to find what kind of virus it is but to no avail.. so can someone please help me find what win32/hanater virus is? thanks...

June 9th, 2003   #18
cperezprg
Maybe it's not a video. It can be an executable file with its extension renamed to .avi, so the virus scan has found that virus pattern inside the file.

In this case, when you try to open the file, the video player won't start the movie (because it isn't a video), and the virus won't be activated because it hasn't been launched like an .exe file

June 9th, 2003   #19
Quatro
> Maybe it's not a video. It can be an executable file with its extension renamed to .avi, so the virus scan has found that virus pattern inside the file.

at 10mb ++???

June 9th, 2003   #20
cperezprg
> at 10mb ++???

You can never find out if a file has a virus by its filesize. It can be filled with dummy bytes.

I have also searched for information about that virus and I've found nothing.

What is your virus scanner? Have you checked the spelling?
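
Several posts above turn on the same check: whether a file named like a video really is one (the header idea in #7, the video.avi.exe name in #8, the renamed executable in #18, padding with dummy bytes in #20). The following is an added example, not part of the thread: Python code that classifies content by its leading bytes instead of its name or size. The function names, extension lists and sample byte strings are assumptions constructed for illustration.

```python
import struct

# Extension lists are illustrative assumptions, not exhaustive.
VIDEO_EXTS = {".avi", ".wmv", ".asf", ".mpg", ".mpeg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}
# GUID that opens an ASF/WMV file (the Microsoft formats mentioned in post #15).
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:16] == ASF_GUID:
        return "asf"
    if data[:2] == b"MZ":
        # A PE file stores the offset of its "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (off,) = struct.unpack_from("<I", data, 0x3C)
            if data[off:off + 4] == b"PE\0\0":
                return "pe"
        return "mz"  # DOS-style executable, or a PE cut short by a partial download
    return "unknown"

def name_flags(name: str) -> list:
    """Flag the 'video.avi.exe' naming pattern."""
    exts = ["." + p for p in name.lower().rsplit(".", 2)[1:]]
    if len(exts) == 2 and exts[0] in VIDEO_EXTS and exts[1] in EXEC_EXTS:
        return ["double-extension"]
    return []

def assess(name: str, data: bytes) -> dict:
    """Combine the name check with the content check."""
    kind, flags = sniff(data), name_flags(name)
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in VIDEO_EXTS and kind in ("pe", "mz"):
        flags.append("executable-content-under-video-name")
    elif ext in VIDEO_EXTS and kind == "unknown":
        flags.append("not-a-recognised-video-container")
    return {"kind": kind, "flags": flags}

# Constructed samples (not real files): a bare AVI header, and a PE stub
# padded with dummy bytes so that its size says nothing about its type.
AVI_SAMPLE = b"RIFF" + struct.pack("<I", 4) + b"AVI "
PE_SAMPLE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0").ljust(1_000_000, b"\0")

if __name__ == "__main__":
    for n, d in [("clip.avi", AVI_SAMPLE), ("clip.avi", PE_SAMPLE), ("video.avi.exe", PE_SAMPLE)]:
        print(n, assess(n, d))
```

A file that sniffs as `avi` or `asf` only has a well-formed container header; the malformed-data and embedded-URL cases raised in posts #10 and #15 are not covered by this check.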