Downloaded WAV file installs spyware?



#1 Publius


Posted 16 June 2004 - 07:35 AM

I downloaded a WAV file from a cartoon fan site (that played while I was on the site) and just tried to listen to it. IMMEDIATELY before listening to it, I had scanned with both AdAware and SpyBot (after checking for updates) and my system was clean.

When I tried to play the WAV, my system locked up, in several programs. I shut down, then (on a hunch) re-scanned my system. SpyBot found BookedSpace, and AdAware found both BookedSpace and Virtumundo.

If anyone would like to check this WAV file out, I found it on a website called (IIRC) Tom & Jerry Online (yep, the cartoon) and it's in the sounds section--it's the higher-quality version of "Is You Is or Is You Ain't My Baby?" (from the T&J cartoon "Solid Serenade." It's worth a listen, if you apparently don't mind spyware being installed--Tom SWINGS!) It's called isyouis2.wav

I can also email it if you like. I'll be deleting it a bit later.

#2 Mike


Posted 16 June 2004 - 08:51 AM

Send it. I don't believe I've ever heard of a .wav file hiding malware.
mike@spywareinfo.com

Make sure you link this page so I know why I'm getting it. And zip or rar the file please. I don't think Thunderbird launches music files automatically, but I don't want to take any chances.
SpywareInfo: How are you gentlemen?? All your base are belong to us!!
Spyware: What you say!!
SpywareInfo: You have no chance to survive. Make your time!

#3 Publius


Posted 16 June 2004 - 11:21 AM

It's on the way--thanks very much!

#4 Doctor J


Posted 16 June 2004 - 11:37 AM

I also never heard of a malicious .wav file.
But you may have been bitten by the old drive by download.
With Internet Explorer opened, click on Tools, Internet Options, and the Advanced tab; look for a couple of "Install on demand" lines; they should both be UNchecked. When checked, applications can be downloaded without you being prompted or even aware.... :unsure:
Failure is not an option, it comes bundled with the software.

#5 Publius


Posted 16 June 2004 - 12:18 PM

Thanks, Dr. J, I'll check that out...but I use Opera for all non-work related browsing, which means only three or four different sites which require IE. Anything else is done thru Opera.

#6 Publius


Posted 16 June 2004 - 02:23 PM

This is really weird.

I remembered RealPlayer accesses the internet as a matter of course. I thought that might be the problem, so I re-scanned my system w/ both AA and SB-SD, and cleaned up a cookie.

I launched RealPlayer, let it do what it does (a commercial) and shut it down. Rescanned, and cleaned up a cookie ( (username)@edge.ru4[1].txt, in case you're interested.).

I tried to launch the WAV, and it didn't play (the downloaded copy never has) tho my cursor did briefly go to the hourglass. I tried to launch AA and SB-SD, and they wouldn't launch.

I restarted my system, scanned and SpyBot found BookedSpace, and AdAware found both BookedSpace & Virtumundo. I cleaned up the registry entries, rescanned (both clean), but left both AA and SB-SD open before trying the WAV file again.

Double-click on the WAV, cursor goes to hourglass, no sound...and SpyBot found BookedSpace, and AdAware found both BookedSpace and Virtumundo. Again.

This is *really* weirding me out.

#7 VashonDude


Posted 16 June 2004 - 04:53 PM

Something tells me you're a victim of the "double extension" trick (see this article for more details).

-- LB
Want to help in the fight against malware? Join the SWI boot camp.
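The check suggested in the post above, as an added example that is not part of the original thread: it flags a double extension in a downloaded file's name and confirms that the content really is a RIFF/WAVE file. The extension lists, function names and sample inputs are assumptions made for illustration.

```python
import struct

# Illustrative, non-exhaustive lists (assumptions, not taken from the thread).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "lnk"}
DECOY_EXTS = {"wav", "mp3", "avi", "jpg", "gif", "txt", "doc"}

def has_double_extension(filename):
    """True for names like 'song.wav.exe' (also when padded with spaces), which
    Explorer displays as 'song.wav' when known extensions are hidden."""
    parts = [p.strip() for p in filename.rstrip(" .").lower().split(".")]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS

def classify_content(data):
    """Classify a file's bytes by header instead of trusting its name."""
    if data[:2] == b"MZ":                      # DOS/PE executable signature
        return "windows-executable"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        declared = struct.unpack("<I", data[4:8])[0] + 8  # size field excludes 8-byte header
        if declared > len(data):
            return "wav-truncated"
        if declared < len(data):
            return "wav-with-trailing-data"    # bytes appended after the audio
        return "wav"
    return "unknown"

def triage(filename, data):
    """Return a list of findings; an empty list means name and content agree."""
    findings = []
    if has_double_extension(filename):
        findings.append("double-extension")
    kind = classify_content(data)
    if kind != "wav":
        findings.append("content-is-" + kind)
    return findings

def make_sample_wav(n_samples=16):
    """Constructed sample: minimal 8-bit mono PCM WAV holding silence."""
    fmt = b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + fmt + b"data" + struct.pack("<I", n_samples) + b"\x80" * n_samples
    return b"RIFF" + struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    # Constructed inputs: a clean WAV and a disguised executable stub.
    print(triage("isyouis2.wav", make_sample_wav()))
    print(triage("isyouis2.wav      .exe", b"MZ\x90\x00" + b"\x00" * 60))
```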

#8 Publius


Posted 16 June 2004 - 06:39 PM

Hmmmm...I'll have to check that out. It's on my work computer. I *have* seen double extensions on files there, but I'll be sure to double(ha!)-check.

I've emailed it to Mike, so hopefully he'll have some insight.

#9 VashonDude


Posted 16 June 2004 - 08:03 PM

Well.... I just downloaded the file. No double extension and it played in Windows Media Player (default program for wav files on my computer) w/o any problems.

Try another wav file on your computer and see what happens. If the same thing happens, then whatever program is set to play wav files is installing the programs that Spybot & Ad-Aware are detecting (in which case it may be a good time to see a HijackThis log).

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#10 Doctor J


Posted 17 June 2004 - 03:21 AM

"then whatever program is set to play wav files is installing the programs that Spybot & Ad-Aware are detecting"

As VD pointed out, & it was going to be my next question, verify your .wav file association.

Open any folder, click on Tools, then Folder Options, then the File Types tab.
Scroll down to WAV, click once (to highlight it), then look below & note which program is set by default to open it...
Failure is not an option, it comes bundled with the software.

#11 Publius


Posted 17 June 2004 - 07:04 AM

That was it, folks. WAV's are associated with Windows Media Player (not Real Audio--why I was thinking Real Audio yesterday is beyond me. Stupidity attack.)(BTW, I *can* see double extensions here, so that wasn't it. Good point, tho, and one I'll be sure to file away for future reference.).

Updated, scanned clean, tried to start WMP. No go (it did not launch). Scanned, and I came up with the same malware problems I had yesterday. It seems my copy of WMP has been corrupted, invaded, pillaged, and burned to the ground.

Thank you all, very much, for your assistance. I thought a WAV file with embedded malware was a bit hinky, also.

#12 Doctor J


Posted 17 June 2004 - 09:47 AM

A growing number of users here have problems with WMP being corrupted/disabled by malware. I would again follow VashonDude's advice to post a HijackThis log right here, for review by one of the gurus.

While you're at it, I would suggest you ditch RealPlayer & grab a safer alternative, like RealAlternative, or JetAudio...

Edited by Doctor J, 17 June 2004 - 09:49 AM.

Failure is not an option, it comes bundled with the software.



