Вирусы в Mpeg Audio
(c) by Duke/SMF
В октябре 1998 года по FIDO (а еще раньше - по Internet) поползли слухи
о вирусах, живущих в MP3 файлах. Они, якобы, в качестве спецэффекта могут
повесить компьютер при воспроизведении музыки. Вариантов сообщений об этих
вирусах - множество. Приведу лишь пару из них.
===== Cut here =====
IWA Discovers Mpeg Audio Virus
SANTA CLARA, Calif.
Virus security researchers at Internet Western Associates (Nasdaq: IWAS -
news) today announced the discovery of the first successful
multi-application media-file virus capable of infecting most media player
software. Affected are Layer 3 audio compatible players, commonly called
Mp3 players. The virus, called Bloat, has been discovered to imbed itself
into the executable portion of every player in every condition tested so
far, including Winamp, NAD, Jet Audio, and Unreal Player Max; running
under Windows 3.x, 9x, and NT operating systems. Macintosh and Unix
systems do not appear to be affected.
'Bloat' spreads in a manner similar to the recent Word-Macro virus family.
Virus code is conveyed and spread within *.mp3 audio files upon being
opened by player software. The program inserts a single string of virus
code immediately following the title/artist tag of an Mp3 file. Bloat only
targets files having an MP3 or EXE extension. Similar audio formats such
as VQF (Twin-VQ), WAV, Mp4 (under development), RA (Real Audio), and AAC
(Advanced Audio Coding) cannot carry the virus.
The new Layer-3 'Bloat' virus is the first working virus of its type found
in the wild. Bloat does not cause data loss. As the name sugguests, its
effect is the opposite; the virus causes extra nonsense data to be written
to the hard disk during most writes. Files written to the hard disk will
occupy as much as five times the amount of space they appear to be using,
and should be using. As a result, free hard disk space grows smaller and
smaller. Once the virus has spread to other programs in the system,
affected users will experience difficulty opening, reading or modifying
documents in most of their applications, as well as an increased overall
sluggishness in system performance.
Considerable storage space is also lost.
Bloat uses the Mp3 audio files as carriers between players. Once the virus
is read by a player, it is loaded into system memory, where it spreads
back down into system applications. This successful travelling method was
first documented by researchers at the Internet Western Associates AVERT
(Anti-Virus Emergency Response Team) center in Braintree, MA.
Detailed information on Bloat Layer 3 and detection/cleanup software will
be available shortly. With headquarters in Tacoma, Washington., Internet
Western Associates, Inc. is dedicated to providing leading enterprise
network security and management solutions. McAfee Labs, the anti-virus
research affiliate of IWA, currently employs more than 85 virus
researchers and maintains labs on five continents worldwide. In addition
to studying new and existing security threats, McAfee Labs serves as a
global resource for virus information and provides rapid, follow-the-sun
support for virus emergencies worldwide.
SOURCE: Internet Western Associates, Inc.
===== Cut here =====
На сайте http://www.dmusic.com/ лежит сообщение следующего содержания:
===== Cut here =====
The First MP3 Virus
by Spyed on October 16, 1998
You knew it had to happen sooner or later. It appears that someone has
taken the time to create a wonderful virus for us MP3ers to juggle around
with. It's called Bloat, and if you have it.. it's basically eating up lots
and lots of your hard drive space by creating garbage in your executables.
It's a big, nasty, ugly virus.. and the way you get it is sorta like, well,
aids! It sticks to an mp3 file, and it transferrs itself from mp3 player to
player. So you might not be doing your buds a favor by sharing your music
with them. Hmm.. seems like a nice, convenient virus for the RIAA doesn't
it? It really wouldn't surprise me.. in fact the more I think about it the
more I'm willing to put money on it. What do you think? Take the poll!
(voting booth, further down)
===== Cut here =====
А теперь попробуем разобраться в проблеме. Случайное подвешивание компа при
прослушивании музыки лишь подогревает слухи о существовании MP3 вируса.
Почему может произойти "подвисание" ?
1) Ошибка в самом плеере, связанная с некорректностью алгоритма распаковки
звука. Это вина производителей player'а и в новых версиях программы как
правило fix'ится.
2) Ошибка при доступе к памяти. Такая муть возникает постоянно при работе
с многозадачными системами семейства Windows, когда в памяти сидит более
10 программ и всем чего-то надо. Это ошибка фирмы Microsoft, которая
никогда (судя по всему) исправлена не будет.
3) Ошибка в самом Mpeg-файле. Поскольку это компрессированный файл, то
изменение одного байта может привести к непредсказуемым последствиям
(в пределах разумного, естественно). Эта ошибка возможна:
a) при сжатии файла некорректно работающим MPEG-компрессором (например,
морально устаревшим);
b) при сбоях в файловой системе (если это так, то советую просканировать
ваш винт NDD);
c) если файл откуда-то скачивался и возник разрыв связи.
Таким образом проблема зависания компьютера нашла логическое объяснение.
А теперь объясним, почему в этом не может быть виноват MP3-вирус. Потому
что MP3-вирусов не существует - это HOAX, JOKE, FAKE !!! Не существует
по причине того, что в MP3 отсутствует исполнимый код и макросы. MP3 - это
файл данных (архив), куски которого распаковываются и выводятся на Sound
Blaster.