Malware in AVI files

Have been running my system without antivirus for a couple of weeks now, but decided to install avast - to find out whether I was infected or not (didn’t see any sign of it, though). Curiosity.

And yes, I was infected! avast found trojans in .AVI files. Had no idea this was possible. Also, I don’t know if BOClean would have caught the malware - I have never opened those AVI files. Now they’re deleted and the system should be safe.

:o

/LA

Nothing is impossible, but I thought AVs perform fewer checks on large files. How big were they?

They were above 200 MB, but I configured avast to scan as deep as possible, not leaving any file.

At least Avast! did its job as instructed. You had these files for how long and you never opened them?

It certainly did! Only had them for a couple of days, saved them to view later. Pure luck to install avast before I opened them…

I also did something similar, to a more extreme level: I haven’t had any anti-virus running for several months. About a couple of weeks ago, I downloaded Kaspersky’s online scanner that only detects and can’t remove viruses. It found one large .ini file (well, large for an .ini file) as malware or a trojan (forgot what it was) with a long name that was a bunch of gibberish letters. So in a way I was lucky it was just one file and it was easy to manually delete it.

Well done, I think you don’t even have ABA turned on in CPF? Your situation (of the low level of infection during the long time) should mostly be a result of awareness then. And the best firewall of course, and a secure browser.

I’ve finally got a good understanding of how one gets infected (but those AVI files were a huge surprise). I don’t live on the edge, but obviously I’m not yet mature enough for dropping the AV… so with my paranoia I’d better continue with it and let it take a couple of megabytes of RAM.

Not long ago I was convinced that it was enough to have a firewall like CPF. It doesn’t apply to everyone though…

/LA

Malware at rest is not dangerous. Malware becomes dangerous when it executes its malicious code. For example, I have thousands of malware samples on my hard disk; they can’t do any damage unless I execute (run) them.

Melih

I myself wouldn’t have suspected the AVI file. Any AVI file I download is usually from a large pool of BitTorrent seeders and peers, so that lowers the chances of corrupted or malware-infected files.

Glad to know malware is only dangerous when executed.


Thank you both for your input. I understand it’s not harmful as long as it’s not executed. Didn’t panic when it was found during the scan… just a surprise.

I’ll go with the layered system. A house where I control the doors and windows, alarms & dogs inside. :slight_smile: (always use this great analogy to teach my friends that they need more security)

/LA


ANY file can be infected - i.e. have the virus added to it - but only executable files can actually activate the virus; this includes HTML, .vbs, .js etc., from what I know. It could possibly have a double extension like ‘Movie.avi.exe’; you wouldn’t see the .exe part if you don’t enable it through Control Panel. Also, movie files (at least QuickTime files) can open up web pages that can contain malware. But keep Avast, better having some megabytes wasted than having your HDD crashed :wink:

Ragwing
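A defender-side check for the two things Ragwing describes, added here as an example and not taken from the original thread: flagging names like Movie.avi.exe, and checking that a file with a .avi extension actually starts with the RIFF/AVI container header rather than, say, the MZ stub of a Windows executable. The extension lists and the sample files are constructed for the demo, not real malware.

```python
import os
import tempfile

# Assumption: a short illustrative list of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".mov", ".jpg", ".jpeg", ".mp3"}


def classify(path):
    """Return findings for one file: a deceptive double extension, or a
    .avi whose header is not RIFF/AVI (e.g. an executable renamed to .avi)."""
    findings = []
    name = os.path.basename(path).lower()
    root, last = os.path.splitext(name)
    _, inner = os.path.splitext(root)
    if last in EXECUTABLE_EXTS and inner in MEDIA_EXTS:
        findings.append("double-extension: looks like media, runs as " + last)
    if last == ".avi":
        with open(path, "rb") as f:
            head = f.read(12)
        # A real AVI is a RIFF container: "RIFF" <4-byte size> "AVI "
        if not (head[:4] == b"RIFF" and head[8:12] == b"AVI "):
            kind = "PE executable" if head[:2] == b"MZ" else "unknown"
            findings.append("header mismatch: .avi but content is " + kind)
    return findings


def scan_dir(directory):
    """Walk a directory tree and map suspicious file names to their findings."""
    report = {}
    for dirpath, _, files in os.walk(directory):
        for fn in files:
            hits = classify(os.path.join(dirpath, fn))
            if hits:
                report[fn] = hits
    return report


def demo():
    """Constructed samples: a genuine AVI header, an MZ stub renamed to
    .avi, and a double-extension name. None contain real malicious code."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "clip.avi"), "wb") as f:
        f.write(b"RIFF" + (100).to_bytes(4, "little") + b"AVI LIST")
    with open(os.path.join(d, "movie.avi"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)
    with open(os.path.join(d, "Movie.avi.exe"), "wb") as f:
        f.write(b"MZ\x90\x00")
    return scan_dir(d)
```

Running demo() reports movie.avi (header mismatch) and Movie.avi.exe (double extension) and stays silent on clip.avi.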

Hey Ragwing.

If, for example, an AVI file or a JPEG file is infected, and I open it - isn’t that the same as executing it? Loading it into the memory to let Windows open the file in a dedicated program? I know that files like AVI or JPEG don’t count as executables, but what will happen when they are opened - and contain executable malware?

At least I’m above the level of double extensions mistakes :wink:

/LA

Good question. I would like to know as well.

(:LGH)

I think most of the AVI files with a virus use some vulnerability (buffer overruns etc.) in Windows that Microsoft hasn’t patched. I don’t know, but is it possible to embed a .exe file in a .avi file, and then extract it on the victim’s computer and add it to auto-start or something? But from what I’ve heard, AVI files can’t execute malicious code, only executable files can, but I might be wrong about it. Some expert maybe can help us? ;D

Ragwing

EDIT: Does DEP protect from this kind of attack?

Found this on Wikipedia:

Data Execution Prevention (DEP) is a feature included in modern Microsoft Windows and Linux operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support. Software-enforced DEP does not protect from execution of code in data pages, but instead from another type of attack (SEH overwrite).