Jump to content

Trojan embedded in Video File

Recommended Posts

Last try... your system told me I couldn't post when I hit the submit button...Grrrrr!

I've been trying for over two hours to get someone at MalwareBytes to look it this thing.

I have a very large video file with an embedded Trojan in it. It was received on 04/04/16 during a torrent download.

On 04/08/16 Panda Security examined the file, determined that it has Malware in it and added it to their next re-synch.

I have it stored on MediaFire as a 67.45 Mb zipped, psswd encrypted file.

Is anyone interested or do I let it continue in the wild?


Link to post
Share on other sites

I'll look at it.  You can pass me the information in a PM and I will download and examine it.

Usually media files that are detected as a trojan are in a family called Wimad trojans.  There are no trojans embedded in them.  What they do is exploit Windows Digital Rights Management ( DRM ).  They are most commonly associated with content piracy.  Movies and Music.  They also tend to be short.  Not large multi-10's MB files.  I will examine it and see what the issue is.  If there is payload that Malwarebytes can target I will attempt to obtain it.

Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files.  That means MBAM will not target; JS, JSE,  PY, .HTML, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Until MBAM, v1.75, MBAM could not access files in archives but with v1.75 came that ability so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with; ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files).

MBAM specifically targets binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these files types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.


NOTE:  Malwarebytes' Anti-Exploit ( MBAE ) is designed to deal with many of the types of malware associated with scripts, documents and media files where MBAE will protect the computer against Exploitation attempts whether they were exploits of software vulnerabilities or taking advantage of an application in an unusual way and works at an "action level" and not a "file level" like MBAM. MBAE provides protection of applications that are commonly  known to be associated with and normally used by the file type.  This includes Windows DRM Exploits.
Reference:  MBAE FAQ



Link to post
Share on other sites

43 minutes ago, John L. Galt said:

Hi, @Canon_Man, and :welcome:

I've altered a staff member to this thread.  Hopefully someone will be interested.

In the meantime, have you submitted the file to VirusTotal?


Thanks for the reply. What follows is not aimed at you personally.

To your question; - No I have not... If this is a necessary step I'm out.

I've spent far too much time just to get your reply, and it is extremely frustrating to deal with people who aren't interested, or simply are not sharp enough to figure out what my concern is. Trying to do right should not be this difficult, and finding the path to deliver it should be fall down stupid easy.

My own computer is clean now; - I think, but I've spent the best part of this week trying to correct what may be wrong with it.

At this point there is one MS utility that doesn't work properly after the virus which may require a re-load of Op Sys to correct. I'll deal with it.

Of the three 'virus software' providers, Panda Security, MS Windows Defender (max 10 Mb file) and MalwareBytes (max 30 Mb), but only Panda is set up properly with a 'ramp' to receive data, allow one to outline the problem and wait for their evaluation. They make it easy and they listen.

Oddly, I've alternately used Norton, AVG, WinDef, and MalwareBytes for several years now. Panda was a new product just loaded in the last 5 months.

Where do you think my 'dollar vote' should go?

Link to post
Share on other sites

I'm sorry we didn't meet your expectations.

The fact is this is the Malwarebytes' Anti-Malware ( MBAM ) for Windows product support sub-forum, not a malware analysis or submission sub-forum.

Submitting a suspicious file to Virus Total is both valid and required.  This way we can see...

  • What vendors are presently detecting the sample
  • What the vendors provide as a detection name
  • When the sample was first seen by Virus Total and thus helping to gauge the file's age
  • The Virus Total Report provides checksum values as well as other file metrics. 

From that Virus Total Report URL we can then deduce some information about the sample without even having physical access to the file."

Your expectation for using this product support sub-forum in regards to a suspect media file sample was wrong as well as what you'd expect as a result.  The fact is John L. Galt  responded to your Off Topic query within 5 minutes of your post and you took another hour to respond to our replies.  During those 2 hours you did not find the sub-forum for submitting generic samples which is Newest Malware Threats  and then post a "I have a file greater than 30MB that I want to submit...". 




Link to post
Share on other sites

In addition to what David and Rich wrote, there are a lot of other factors to consider.

  1. There are forum rules and limitations set in place, such as the file attachment limitation, to prevent depriving users of system resources when posting in various forums.
  2. I originally considered pointing you to the correct forum, but then alerted staff directly instead of pointing you to that forum, which is partially my own fault for making that judgment.  As stated above by both, this is not the forum for Malware research, but for MBAM product assistance.
  3. Do also realize that MBAM is not anti virus program.  For more information, please read the following information:  https://www.malwarebytes.org/articles/antivirus-vs-antimalware/
  4. As for your own personal decision on which product to buy and which to not, I can understand your frustration, but I cannot make you choose a product, and nor will I try to influence you.  I can only give you the information that you need to make a valid logical choice.  The following are points that should help you make that choice.
    1. Panda is an Anti Virus program, from my understanding, though their suite my do more than just fight viruses. 
    2. Windows Defender is native to your system, therefore costs nothing.
    3. MBAM is a product targeting Malware specifically, mostly which gets ignored by traditional anti virus programs.
    4. MBAM does have limitations, as specified by David above.  Even now the product is looking to expand its purview with the βeta testing of  the MB Anti-Ransomware product, which will, in the future, be integrated into MBAM.
    5. This next point is a bit sensitive, but, please, bear with me, and understand that I am being very unbiased here, while still stating my own opinions, and at the same time I am not berating you in any way.

      I don't base my choices for purchasing products solely on the merit of being able to submit samples for code to a team of researchers or developers.  I buy products that work for me, perform the task that I need them to perform, and do that task(s) to the best ability that the programming allows.  However, I am also a computer professional, mostly low and mid-level IT infrastructure maintenance and support, but with well over 15+ years of direct Tier I and Tier II End User support in the real world.  You can imagine that (very often) I get the invariable question on which product is the best for any given task.  My answer is to (almost) never come outright and say this product is the best for this given task because of many, many factors.  The biggest one is personal choice.

      What I want from a product is not necessarily what someone else wants.  As with my paragraph above, I look at functionality above all else.  Other people I know look at bells and whistles, still others want ease of use and 'set it and forget it' use.  In your case, it seems as if you want payload delivery to be a high consideration.  Thus in your situation I would rightly do as you are doing - be evaluating different products for their payload delivery system.

      The problem lies in comparing Apples to Apples.  Comparing Panda, an anti-virus program (with, admittedly, other functions), with Windows Defender and MBAM, is not a direct comparison of equal products.  So, your evaluation needs to be a bit more on par in terms of trying to compare products of the exact same (or as close to the same) functionality provided.  I run Windows 10.  Defender is built in.  MBAM (along with MBAE and MBARW) are on my system for my protection.  I would never use MBAE by itself, because it cannot provide many of the functions that Defender does.  Similarly I would not use Defender by itself because it does not provide a lot of the protection that MBAM does.

      Comparing Panda to Defender is a much closer comparison, but if I were going ot spring for Panda, you can be sure that I still would keep Defender around as an emergency backup.  But Trying to treat Panda and MBAM as equivalent products doesn't work very well.  They are more complementary than directly opposing.
    6. In case you are interested, here is a link that details the complexity of this whole anti-virus and anti-malware business in the first place:

OK, so I hope this gets my point across.  Please feel free to come back and post if you have any more questions, or if I made an error somewhere in my analysis - I'm human after all :P

One more thing:  We also have trained volunteers here that are always helping users with malware removal as well as post-infection cleanup.  If you would like to get some more assistance (which may, in fact, help avoid the OS reinstall) let us know.  We'll be glad to help.

(My personal opinion here, though, is that since you were infected, and you've already taken this time on cleaning it, for the best peace of mind, backup your data, and wipe it all, and start fresh.  As a computer professional, I clean Install Windows no less than once every couple of years, and right now, as I am a Windows Insider Preview tester, it is more like every 3 months, so I am a firm believer in starting fresh, especially when it comes to Windows, and most particularly after a moderate to severe infection.  Also, when my clients bring machines to me that are infected, I do the same thing.  it's easier to start fresh than to worry that remnants may be left behind, waiting to infect again, IMO>)

Link to post
Share on other sites

As unimpressed as I am, standing out here in the 'wilderness' as a lay person, with the finger pointing, the 'gee, you don't know what you're doing' reply and the fact that your help desk (that by the way dumbly told me, "gee, this can't be a virus, - it's too big!") referred me to the forum, combined with comments from David, I have since relented and given the coordinates to one of your moderators who, (thankfully) requested it. 

I don't know thing one about 'Virus Total' or what it represents. If it is a joint cooperation between providers I am unaware of it. If you need to know what htis variant is now labeled I suggest that you seek out Panda to find out what they discovered and what the detection is now called. Frankly handling this thing too much is, in my opinion, like handling an IED.

I'm not accustomed to spoon feeding.

Mp4's are the new target it seems as more people move off the 'grid', away from cable and satellite, so the potential for tripping over one of these 'things' is more and more likely. Puts me in the mood to create a sacrificial machine that it won't matter if we encounter crap like this, I can just rebuild it as described in one of the threads.

Recriminations about people who download Mp4's do nothing for MalwareBytes' case or its image either.

Maybe you folks have never heard of "The customer is ALWAYS right!"

As for comparison, while I appreciate and respect John's comments I take exception to the 'definitions and characterizations' that this one may be complimentary to that one, but not necessarily inclusive. He makes a good point though, one that I have practised where possible; - run more than one trap in parallel or sequentially (that latter probably harder to do!).

If you say MalwareBytes traps viruses, then as lay person I assume you have built a different, or even perhaps better mousetrap.

In my mind, relative to the discussion above I think it best for MalwareBytes to put a big disclaimer with the software so buyers won't be confused.

Trial and error it seems, or a pig in a poke at best.

We don't need to be friends. This is, remotely speaking, a business exchange with a customer.


Link to post
Share on other sites

I'm sorry that you feel this way, but when it comes to submissions, there are protocols that need to be followed.  Those, coupled with the forums rules, are what keeps the users here safe from gaining access to potentially malicious files.  If you consider it spoon feeding to submit the software through proper channels, I apologize, but that is the way things are done here.  Also note that I am a volunteer here, as are many of he people helping in these forums.  Unless you see a signature line at the bottom saying MB Staff, chances are we are receiving 0 compensation for anything we do here, and yet we still come here to provide help.  I kept my previous replies to you very civil, and yet I'm not getting the same respect back.

I'm only a volunteer here, as I noted before, and thus I will now be bowing out of this conversation.  I don't take kindly to being berated.

I've alerted a staff member to come in here to assist you further with your issues.

Link to post
Share on other sites

40 minutes ago, Canon_Man said:

Mp4's are the new target it seems as more people move off the 'grid', away from cable and satellite, so the potential for tripping over one of these 'things' is more and more likely. Puts me in the mood to create a sacrificial machine that it won't matter if we encounter crap like this, I can just rebuild it as described in one of the threads.

Actually it is more like if you want to play in the mud, you should expect to get dirty.

In your initial post you wrote...  "... It was received on 04/04/16 during a torrent download."

Torrents are not a legitimate source of content media such as movies and thus you played in the mud and you got dirty.

As I wrote earlier...


Usually media files that are detected as a trojan are in a family called Wimad trojans.  There are no trojans embedded in them.  What they do is exploit Windows Digital Rights Management ( DRM ).  They are most commonly associated with content piracy.  Movies and Music. 



Torrent websites infect 12 million users a month with malware

Kickass Torrents Is Infected With So Much Malware It's Starting To Look Like The Pirate Bay

Spreading Malware By Torrents

Link to post
Share on other sites

1 hour ago, David H. Lipman said:

Actually it is more like if you want to play in the mud, you should expect to get dirty.

In your initial post you wrote...  "... It was received on 04/04/16 during a torrent download."

Torrents are not a legitimate source of content media such as movies and thus you played in the mud and you got dirty.


Let's be clear. I never said that (any) virus software didn't protect me from 'playing in the mud', what I said was that I had a file that I needed to share that had something in it that appeared very nasty. That's it. No one disputes the torrents can be a mine field. You decided to 'muddy the waters' or shoot canon fodder because you didn't like the direction this started from. That's on you.

I've been around computers for over 40 years, and I truly long for the days when this crap that is happening now didn't exist, but I knew that if the computer was connected to a modem the possibility was always there that 'someone' could hack into it.

I know the roll of the die thing too, frankly any time one clicks on a URL one stands the chance of picking up something. That is why providers now offer full compliments or suites of network, browser and virus protection in addition to just antivirus and malware (the difference between these last two is moot to me). So I run at least two instances of virus protection.

BTW, if I wanted to get a free full copy of MalmareBytes I could find a place or a way to get it, but I don't do that. I use what is freely available, and if I really like it, I buy it. Guess what I won't be buying next, or how many people I will tell not to buy it?

My root concern is that I picked this GD thing up, and I knew if I did, others could / would too, and three examples of software couldn't detect it. Then my major angst was that MalwareBytes had no quick and easy way to deliver this 'stuff' and further it wanted me to handle this 'IED' even more before 'delivering' it to them. Nuts!

We're talking real world here, not from the warm and fuzzy moral compass / hat you have so tightly on your head that neither light, wisdom, or common sense can enter or escape. Clearly your moral outrage is in line with Sony, et al. I'm not in that very small camp.

And even more clearly, your outrage is analogous to me going to the doctor because I cut myself with the table saw, only to have my doctor stand in judgment of whether I should or should not use a table saw to do anything.

You don't get to be judge / jury / and possibly savior, or to pontify from your lofty tower either.


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.