Can an .mp3 file contain Malware?

[tree_fu_go]

I am wondering if .mp3 files could contain any sort of malware in any way?

 

I am not talking about a file that is named music.mp3 but the file type is an .exe being hidden by windows. I am talking about a real .mp3 file.

I also would preferably like someone to answer who knows what they are talking about.

I've been searching on the internet and many say yes and no... So I am still not sure.

 

Also if an .mp3 file could contain something malicious, would an antivirus or antimalware scanner detect it?

 

Thank you.

[David H. Lipman]

Can it contain malware ?

That's a tricky question but simplified the answer is media files can be malicious.

 

In a MP3 format (or WMV, ASF or other format) it won't carry an executable to infect a computer.  However it can exploit Windows Digital Rights Management (DRM) or be used to exploit some kind of media playing software.  Therefore media files can be malicious and can be flagged as a trojan such as the Wimad Trojan.

 

If a media file is malicious it can and should be flagged by a traditional anti virus application.

[tree_fu_go]

Okay thank you.

So if I scanned an .mp3 file with Avast, SUPERAntiSpyware and Malwarebytes and it doesn't detect as a threat, it should be safe?

Thanks again.

[AdvancedSetup]

You can always upload any suspicious file to www.virustotal.com and have it scanned by many scanners.

[David H. Lipman]

Okay thank you.

So if I scanned an .mp3 file with Avast, SUPERAntiSpyware and Malwarebytes and it doesn't detect as a threat, it should be safe?

Thanks again.

 

Malwarebytes specifically will not detect these trojans and I am pretty sure SAS won't either.

 

Malwarebytes' Anti-Malware (MBAM) does not scan media files, graphic files, data files or script files.  MBAM only scans Portable Executable (PE) type formatted files and is the reason I wrote "...should be flagged by a traditional anti virus application."  One should not confuse SAS and MBAM, which are adjunct scanners, with traditional anti virus scanners which target media files, graphic files, data files or script files and other files that may be malicious or used in exploitation vectors.

[tree_fu_go]

Thank you for all of your answers!

So if no antivirus on VirusTotal flags it as malicious, it should be safe?

 

Also, I had another question, can .AVI files be malicious or contain malware aswell? Or can... just any file be malicious?

[David H. Lipman]

Yes and Yes.

 

There are few types of malware that affect media files and they are relatively easy to detect and be known thus the propensity for detection is very high so if there are ZERO hits on VT then the file is most likely safe.

 

I believe there is the possibility with AVI formatted files as well but I am not 100% sure.

 

AVI files tend to be rather large.  If you see a small AVI file it may be suspect and there is a size limitation on VT so if it is a small AVI it can be submitted to VT.  However if is many MBs large then it most likely is NOT malicious and shouldn't cause you to worry.

[tree_fu_go]

Thanks for the information!

But, what does file size have to do with it being malicious or not?

[David H. Lipman]

AVI files are large.  Therefore if you have a large AVI file there is actual video content within and the chances of it being malicious are greatly reduced.  If there is a malicious AVI file it would be created to be malicious and thus it would not have content and it would be small.

[John L. Galt]

The trick with .AVI (and other such container formats) is that it can indeed contain malicious code.

 

For a great explanation see http://superuser.com/a/445381 - the answer to http://superuser.com/questions/445366/can-avi-files-contain-a-virus

[David H. Lipman]

The forum thread (if that is what it is) must me taken with a grain of salt.  In one post was "The virus is called WMA.wimad [susp]"
 
I have already mentioned the Wimad and it is a trojan and NOT a virus.
 
Frankly, except for the introduction of the concept of double extension files such as MyVideo.avi.exe (exploitaing Microsoft's ignorant setting of "Hide extension of known file types") it really doesn't add anything to the discussion.  In that case the file is NOT a media file at all.  The case is the same where a file is using Unicode Right to Left Override (RTLO) and pretends to be a media file but is in actuality an executable. An exmaple would be;   myfilercs.avi which REALLY is  myfileiva.scr The Unicode RTLO is interpreted by Windows Explorer and thus the file name is transposed.   Viewing it in DOS (a Command Prompt) by a DIRectory command would show the reality of the file name.
 
The following shows another example (only it pretends to be an Adobe PDF instead of a media file)
 
The following is a view in Windows Explorer.

 
 
Same file view but this time in a Command Prompt using the DIR command.

[John L. Galt]

Only the first part talks about clever naming of the file itself.  In the technical section it adds more information on how it can exploit a particular player itself.  Finally he does wrap it up in the Application section with how it would be player specific and that users should generally be careful and cautious.

 

Also, I was linking to that one specific reply, not the entire thread, for the reading.  Of course not every user is going to understand the difference between a virus and a trojan, but that does not detract from this particular answer.

[tree_fu_go]

Thanks everyone for the infomation you have provided me!

I appreciate your time.