Can .wmv files have strange behavior?

I downloaded a video, .wmv file extension, when I double click to play it I get the following alerts from Defense+:
-rundll32.exe is trying to execute file 54C23TFG4 (<-it was trying to create and execute a file in firefox cache)

I say block, why would a .wmv file have anything to do with firefox cache! Then another alert:
-rundll32.exe is trying to do something with file Citrus Alarm Clock.lnk (<-this is a little alarm I use to wake up on mornings :), totally safe!)

I say block this too and then no more alerts, but this happened every time I would play the .wmv file!
So I deleted the ■■■■ thing :smiley:

How do you explain this?

What I think is happening is that the video file is trying to load itself in the Firefox cache in order to play the movie. I’m not aware of any malicious activity by WMV files but do proceed with caution. It may be best to just download the file to your hard drive and scan it with your AV and run it from there instead of your browser.

You could always run the session Sandboxed.


Hi PiCo

Eric is probably right & it’s merely Firefox trying to execute whatever it needs to play a WMV file in-frame.

However… WMV files can be, and have been, infected. I believe these usually only impact Windows Media Player (10 and above?) & take the form of redirecting the user's browser to a URL. These redirects are not necessarily “malicious” (although they could be)… basically WMP 10 introduced some Digital Rights Management (DRM) functionality that can be abused… some consider DRM abuse & malicious anyway (different story). But, if you’re using Firefox with NoScript, then you would probably be safe anyway. Of course, Eric’s sandbox suggestion is the safest.
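
One way to check a downloaded .wmv for the DRM behaviour described in the reply above before opening it, as an added example that is not part of the original posts. The object GUIDs and field layout are taken from the ASF container specification rather than from this thread; the function names are hypothetical and the sample header and its URL are constructed.

```python
import struct
import uuid

# Object GUIDs as given in the ASF specification (not taken from the thread).
HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
DRM_V1 = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
FLAGGED = {
    DRM_V1: "Content Encryption (DRM)",
    uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C"): "Extended Content Encryption (DRM)",
    uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6"): "Script Command",
}

def license_url(body):
    """Skip secret data, protection type and key ID, then read the license URL."""
    pos = 0
    try:
        for _ in range(3):
            pos += 4 + struct.unpack_from("<I", body, pos)[0]
        n = struct.unpack_from("<I", body, pos)[0]
    except struct.error:
        return None  # malformed object: report it without a URL
    return body[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("ascii", "replace")

def scan_asf(data):
    """Return [(object name, license URL or None)] for flagged header objects."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER:
        raise ValueError("not an ASF/WMV file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end, pos, found = min(header_size, len(data)), 30, []
    for _ in range(count):
        if pos + 24 > end:
            break  # header claims more objects than it holds
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24 or pos + size > end:
            break  # object size is inconsistent with the header
        if guid in FLAGGED:
            url = license_url(data[pos + 24:pos + size]) if guid == DRM_V1 else None
            found.append((FLAGGED[guid], url))
        pos += size
    return found

def make_sample():
    """Constructed ASF header holding one DRM object with a placeholder URL."""
    fields = (b"\x01\x02", b"DRM\x00", b"kid\x00", b"http://license.example.invalid/get\x00")
    body = b"".join(struct.pack("<I", len(f)) + f for f in fields)
    drm = DRM_V1.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return HEADER.bytes_le + struct.pack("<QIBB", 30 + len(drm), 1, 1, 2) + drm
```

For a real file, pass the first few hundred kilobytes read in binary mode to `scan_asf`; an empty result means none of the three flagged header objects were found in the bytes given.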

Yes, I’m using WMP 11. The file was downloaded through µTorrent, but Firefox is the default web browser on my system.
I have to mention (I remembered it just now), the name of the file was www,blabla,com when I was playing it.
OK, that possibly explains the first alert about the Firefox cache!

But rundll32.exe trying to modify Citrus Alarm Clock.lnk file just by playing a .wmv file! This would cause Citrus Alarm Clock to run on startup, which I have it disabled of course.

Anyway thank you both for your answers and I’m glad CFP alerted me :slight_smile:

“some consider DRM abuse & malicious anyway (different story)”

I would be one of them.

fk DRM