Can AVI files contain a virus?

Question

I'm downloading an AVI file via a torrent, but my anti-virus detects something. Is it possible that the AVI file contains a virus?

It is quite weird since the torrent has many positive reviews.

Answer 1

TL;DR

An .avi file is a video, and therefore is not executable, so the operating system can/will not run the file. As such, it cannot be a virus in its own right, but it can indeed contain a virus.

History

In the past, only executable (i.e., “runnable”) files would be viruses. Later, Internet worms started using social-engineering to trick people into running viruses. A popular trick would be to rename an executable to include other extensions like .avi or .jpg in order to trick the user into thinking it is a media file and run it. For example, an email client may only display the first dozen or so characters of attachments, so by giving a file a false extension, then padding it with spaces as in "FunnyAnimals.avi              .exe", the user sees what looks like a video and runs it and gets infected.

This was not only social-engineering (tricking the user), but also an early exploit. It exploited the limited display of filenames of email clients to pull off its trick.

Technical

Later, more advanced exploits came along. Malware writers would disassemble a program to examine its source-code and look for certain parts that had poor data- and error-handling which they could exploit. These instructions often take the form of some sort of user input. For example, a login dialog box on an OS or web-site may not perform error-checking or data-validation, and thus assume/expect the user to enter only appropriate data. If you then enter data that it does not expect (or in the case of most exploits, too much data), then the input will end up outside of the memory that was assigned to hold the data. Normally, the user-data should be contained only in a variable, but by exploiting poor error-checking and memory-management, it is possible to put it in a part of memory that can be executed. A common, and well-known method is the buffer-overflow which puts more data in the variable than it can hold, thus overwriting other parts of memory. By cleverly crafting the input, it is possible to cause code (instructions) to be overrun and then transfer control to that code. At that point, the sky is usually the limit as to what can be done once the malware has control.

Media files are the same. They can be made so that they contain a bit of machine code and exploit the media-player so that the machine code ends up running. For example, it might be possible to put too much data in the media file’s meta-data so that when the player tries to open the file and read it, it overflows the variables and causes some code to run. Even the actual data could theoretically be crafted to exploit the program.

What’s worse with media files is that unlike a login which is clearly bad, even to lay-persons (e.g., username: johndoe234AUI%#639u36906-q1236^<>3;'k7y637y63^L:l,763p,l7p,37po[33p[o7@#^@^089*(^#)360as][.;][.][.>{"{"#:6326^), a media file can be made so that it actually contains proper, legitimate media that is not even corrupt and so looks completely legitimate and goes utterly undetected until the infection’s effects take place. Steganography (literally “covered writing”) is usually used to conceal data in other data, but this is essentially the same thing since the malware would be hidden in what looks like legitimate media.

So yes, media files (and for that matter, any file) can contain a virus by exploiting vulnerabilities in the program that opens/views the file. The problem is that you often do not even need to open or view the file to be infected. Most file types can be previewed or have their meta-data read without purposely opening them. For example, simply selecting a media file in Windows Explorer will automatically read the meta-data (dimensions, length, etc.) from the file. This could potentially be a vector of attack if a malware writer happened to find a vulnerability in Explorer’s preview/meta-data function and crafts a media file that exploits it.

Fortunately, exploits are fragile. They usually only affect one media player or another as opposed to all players, and even then, they are not guaranteed to work for different versions of the same program (that's why operating systems issue updates to patch vulnerabilities). Because of this, malware writers usually only bother to spend their time cracking systems/programs in wide use or of high value (e.g., Windows, bank systems, etc.) This is particularly true since hacking has gained in popularity as a business with criminals trying to get money and is no longer just the domain of nerds trying to get glory.

Application

If your video file is infected, then it will likely only infect you if you happen to use the media player(s) that it is specifically designed to exploit. If not, then it may crash, fail to open, play with corruption, or even play just fine (which is the worst-case scenario because then gets flagged as okay and gets spread to others who may get infected).

Anti-malware programs usually use signatures and/or heuristics to detect malware. Signatures look for patterns of bytes in the files that usually correspond to instructions in well-known viruses. The problem is that because of polymorphic viruses that can change each time they reproduce, signatures become less effective. Heuristics observe behavior patterns like editing specific files or reading specific data. These usually only apply once the malware is already running because static analysis (examining the code without running it) can be extremely complex thanks to malware obfuscation and evasion techniques.

In both cases, anti-malware programs can, and do, report false-positives.

Conclusion

Obviously the most important step in computing safety is to get your files from trusted sources. If the torrent you are using is from somewhere you trust, then presumably it should be okay. If not, then you may want to think twice about it, (especially since there are anti-piracy groups who purposely release torrents containing fakes or even malware).

Answer 2

I won't say it's impossible, but it would be difficult. The virus writer would have to craft the AVI to trigger a bug in your media player, and then somehow exploit that to run code on your operating system -- without knowing what media player or OS you are running. If you keep your software up to date, and/or if you run something other than Windows Media Player or iTunes (as the biggest platforms, they will be the best targets), you should be pretty safe.

However, there is a related risk that is very real. Movies on the internet these days use a variety of codecs, and the general public doesn't understand what a codec is -- all they know is "it's something I sometimes have to download so the movie will play". This is a genuine attack vector. If you download something and are told "to view this, you need the codec from [some website]", then we very sure you know what you're doing because you could infect yourself.

Answer 3

Yes, it is possible. AVI files, like every file, can be specially crafted to take advantage of known bugs in the software that manage those files.

Antivirus software detect know patterns in the files, like executable code in binary files, or specific JavaScript constructions in HTML pages, that are possibly virus.

Answer 4

An avi file extension is not a guarantee that the file is a video file. You could get any .exe virus and rename it to .avi(this makes you download the virus, what is half of the path to infect your computer). If there are any exploit open on your machine that allow the virus to run, then you would be affected.

If you think it is a malware, just stop download and delete it, never execute it before an antivirus scan.

Answer 5

Quick answer: YES.

Slightly longer answer:

• A file is a container for different types of data.
• An AVI (Audio Video Interleave) file is meant to contain interleaved audio and video data. Normally, it shouldn't contain any executable code.
• Unless the attacker is unusually determined, it is quite unlikely that an AVI file with audio-video data would actually contain a virus

HOWEVER ...

• An AVI file needs a decoder to do anything useful. For example, you already might be using Windows Media Player to play AVI files to see their content
• If the decoder or the file-parser have bugs that the attacker can exploit, they will cleverly produce an AVI file such that:
  • on your attempt to open those files (for example if you double-click to start playing the video) with your buggy AVI-parser or decoder, those hidden bugs will trigger
  • As a result, it may allow the attacker to execute code of his choice on your computer, potentially leaving your computer infected.
  • Here's a vulnerability report that answers exactly what you are asking.

Answer 6

It's possible, yes, but very unlikely. You are more likely to try and view a WMV and have it auto-load a URL or ask you to download a license, which in turn pops up a browser window which could exploit your machine if it's not fully patched.

Answer 7

Most popular from of 'AVI' viruses I have heard have been,
something.avi.exe files downloaded on a windows machine
that is configured to hide the file extensions in explorer.

The user typically forgets that later fact and assumes the file is AVI.
Coupled to their expectation of an associated player, a double-click actually launches the EXE.

---

After that, its been oddly transcoded AVI files that require you to download a new codec to see them.
The so-called codec is usually the real 'virus' here.

---

I have also heard of AVI buffer-overflow exploits, but a few good references would be useful.

My bottom line: culprit is usually one of the following rather than the AVI file itself

• The codec installed on your system to handle the AVI
• The player being used
• The file-sharing tool used to get the AVI file

---

A short malware prevention reading: P2P or File Sharing

Answer 8

.avi (or .mkv for that matter) are containers and support inclusion of a variaty of media - multiple audio/video streams, subtitles, dvd-like menu navigation etc. There is nothing preventing malicious executable content being included either but it will not be run unless in scenarios Synetech described in his answer

Still, there is one commonly exploted angle left out. Given a variety of codecs available and no restrictions on including them in container files, there are common protocols to prompt a user for installing the necessary codec and it doesn't help that media players may be configured to automatically attempt codec lookup and installation. Ultimately codecs are executable (minus a small array of ones that are plugin-based) and could contain malicious code.

Answer 9

Technically, not from downloading the file. But once the file is opened, it's fair game depending on the player and the codec implementation.

Answer 10

My Avast Antivirus just informed me that there was a trojan embedded in one of my downloaded movie AVIs. When I tried to quarantine it, it said the file is too big and cannot be moved, so I had to delete it instead.

The virus is called WMA.wimad [susp] and is apparenty a medium threat virus that does some sort of browser hijack stuff. Not exactly system breaking, but it does prove that you can get viruses from AVI files.

Answer 11

If the download isn't complete yet, wait before it completes before you decide what to do. When the download is only partially complete, the missing parts of the file are essentially noise and quite prone to produce false positives when checked for malware.

As @Synetech explained in detail, it's possible to spread malware through video files, possibly before the download even finishes. But that it's possible doesn't mean that it's likely. From my personal experience, the odds of a false positive during an ongoing download are much higher.

Answer 12

Having spent time assisting users resolve malware issues, I can testify that usual exploitation mechanism used by scammers is more social than technical.

The file is simply named as *.avi.exe and the default setting in windows does not reveal common file extensions. The executable file is simply assigned a AVI file icon. This is similar to tactics used to distribute *.doc.exe viruses where the file has winword's icon.

I have also observed dodgy tactics such as long file names being used in p2p distribution, so the client displays only partial names in the file list.

Using shoddy files

If you need to use the file, always use a sandbox that is configured to stop outgoing internet connections. Windows firewall is badly configured to allow outgoing connections by default. Exploitation is an action, which like any action always has a motivation. Usually, it's performed to siphon browser passwords or cookies, license and transfer the contents to an external resource(such as FTP) owned by an attacker. Hence, if you use a tool such as sandboxie, disable outgoing internet connections. If you use a virtual machine ensure that that it contains no sensitive information and always block outgoing internet access using a firewall rule.

If you do not know what you're doing, don't use the file. Be safe and do not take risks that are not worth taking.

Answer 13

Short answer, yes. A longer answer follows the basic tutorial Tropical PC Solutions: How to hide a virus! and make one for yourself.

Answer 14

Technical answer -- with citations

Most movie players use libavcodec. It's the library behind ffmpeg. This includes VLC, Google Chrome, and many other applications. An "arbitrary code execution" is a class of vulnerability that allows you to execute code when it's not intended. A "virus" is another name for a payload that when executed replicates. Replication is trivial with an arbitrary code execution vulnerability: these bugs are pretty serious, only under privilege escalation and remote execution.

• If a vulnerability in libavcodec was found that allowed arbitrary code execution.
• And, if your media player uses libavcodec
• Then a video can deliver a virus.

Has a vulnerability of this sort been discovered? Yes. Enter CVE-2020-35964 which was fixed in Ffmpeg 4.3.1. If you're using a media player that is linked against libavcodec 4.3.0 or lower, you're potentially vulnerable. This isn't the only time this happened either... The ffmpeg project discloses the vulnerabilities found on their website. Note some are worse than the one randomly picked above, and some are minor.

tldr; the player is an executable that can link to a library or have a library statically linked in. If a vulnerability is found in that library more than one player will be vulnerable. In the case of libavcodec which has a massive amount of use in the video player ecosystem, you'll have a viable method to execute your payload (without having to craft it to a specific media player, or even operating system).

Answer 15

AVI files won't be infected with virus. When you download movies from a torrent, instead of AVI, if the movie is in a RAR package or it is as an EXE file, then surely there is a chance of virus in it.

Some of them ask you to download an additional codec from some website to view the movie. These are the suspect ones. But if it is AVI, then you can surely give iy a try playing it in your video player. Nothing will happen.

Answer 16

AVI files cannot have a virus if they are video files. While downloading your browser keeps the download in its own format that is why the antivirus detects it as a virus. When downloading the AVI file make sure after downloading the file is run in a video player if it is an invalid file then it will not play and no prices for guessing it will be a virus then.

If you try to double click and run it directly if there is a slight chance of virus then it will come out. Take precautions and you don't need antivirus software.