
Any way to tell if wmv file contains executable code?

 
 
janedough250164@dontsendhotmail.com
      22nd Feb 2007
I was just reading that information inherent in a wmv file can execute
other files (see below). Is there any way to determine if there's code in
a wmv file before opening it with WM Player or Media Player Classic (or
another program)?








http://www.geocities.com/ResearchTri.../eng/safe.html


> There is also an issue regarding Windows Media Player, which under some
> environments may allow any media file which is opened by Windows Media
> Player to execute some local files (depending on their extensions, but
> including some executable extensions) as long as the name and path of the
> file are given in that media file. The issue has to do with the ability of
> .wmv files to refer to an Internet address (the accurate term should be URL
> rather than "Internet address"). This address can also be a location of a
> local file in the computer. In such a case, the wmv file can instruct
> Windows Media Player to execute a local executable file, as long as the
> location and name of the file are given in the .wmv file. As you should
> already know, the WMV file may have any extension as long as it is opened
> by Windows Media Player. There is a way to block an exploitation of this
> security hole, and it involves tweaking the registry keys. The instruction
> is relevant to Internet Explorer versions 4 and above. It has to do with
> disabling the "Download unsigned ActiveX controls", in the "My Computer"
> security zone.
>
> We shall not give here full explanation, but only comment that this
> activity is done with the help of components from Internet Explorer. The
> needed tweaking is to use a registry editor, and in the following
> registry key:
> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
> to change the value of the "1004" entry to contain a DWORD value of 3.
> ("HKCU" stands for HKEY_CURRENT_USER).


 
geothermal
      22nd Feb 2007
On Feb 22, 2:16 am, janedough250...@dontsendhotmail.com wrote:
> I was just reading that information inherent in a wmv file can execute
> other files (see below). Is there any way to determine if there's code in
> a wmv file before opening it with WM Player or Media Player Classic (or
> another program)?


Read this thread:

http://www-gatago.com/comp/security/misc/16265498.html

cheers,

geothermal


 
MAP
      22nd Feb 2007
(E-Mail Removed) wrote:
> I was just reading that information inherent in a wmv file can execute
> other files (see below). Is there any way to determine if there's
> code in a wmv file before opening it with WM Player or Media Player
> Classic (or another program)?
>
> http://www.geocities.com/ResearchTri.../eng/safe.html
>
>> There is also an issue regarding Windows Media Player, which under
>> some environments may allow any media file which is opened by Windows
>> Media Player to execute some local files (depending on their
>> extensions, but including some executable extensions) as long as the
>> name and path of the file are given in that media file. The issue has
>> to do with the ability of .wmv files to refer to an Internet address
>> (the accurate term should be URL rather than "Internet address"). This
>> address can also be a location of a local file in the computer. In
>> such a case, the wmv file can instruct Windows Media Player to execute
>> a local executable file, as long as the location and name of the file
>> are given in the .wmv file. As you should already know, the WMV file
>> may have any extension as long as it is opened by Windows Media
>> Player. There is a way to block an exploitation of this security hole,
>> and it involves tweaking the registry keys. The instruction is
>> relevant to Internet Explorer versions 4 and above. It has to do with
>> disabling the "Download unsigned ActiveX controls", in the "My
>> Computer" security zone.
>>
>> We shall not give here full explanation, but only comment that this
>> activity is done with the help of components from Internet Explorer.
>> The needed tweaking is to use a registry editor, and in the following
>> registry key:
>> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
>> to change the value of the "1004" entry to contain a DWORD value of 3.
>> ("HKCU" stands for HKEY_CURRENT_USER).


That's what a good anti-virus program is for (or Process Guard or the paid
version of Kerio). Note the link you provided is nearly 5 years old.

--
Mike Pawlak


 
David H. Lipman
      22nd Feb 2007
From: <(E-Mail Removed)>

| I was just reading that information inherent in a wmv file can execute
| other files (see below). Is there any way to determine if there's code in
| a wmv file before opening it with WM Player or Media Player Classic (or
| another program)?
|
| http://www.geocities.com/ResearchTri.../eng/safe.html
|
| > There is also an issue regarding Windows Media Player, which under some
| > environments may allow any media file which is opened by Windows Media
| > Player to execute some local files (depending on their extensions, but
| > including some executable extensions) as long as the name and path of the
| > file are given in that media file. The issue has to do with the ability of
| > .wmv files to refer to an Internet address (the accurate term should be URL
| > rather than "Internet address"). This address can also be a location of a
| > local file in the computer. In such a case, the wmv file can instruct
| > Windows Media Player to execute a local executable file, as long as the
| > location and name of the file are given in the .wmv file. As you should
| > already know, the WMV file may have any extension as long as it is opened
| > by Windows Media Player. There is a way to block an exploitation of this
| > security hole, and it involves tweaking the registry keys. The instruction
| > is relevant to Internet Explorer versions 4 and above. It has to do with
| > disabling the "Download unsigned ActiveX controls", in the "My Computer"
| > security zone.
| >
| > We shall not give here full explanation, but only comment that this
| > activity is done with the help of components from Internet Explorer. The
| > needed tweaking is to use a registry editor, and in the following
| > registry key:
| > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
| > to change the value of the "1004" entry to contain a DWORD value of 3.
| > ("HKCU" stands for HKEY_CURRENT_USER).


As Mike indicated, that is what anti-virus software is for. If you don't scan all file
types then make sure WMV files are scanned.

Any file can be named anything and can still be used via the registry even if the file
extension is not an executable file. However, you have more to worry about from a Wimad Trojan
where the WMV exploits the Windows Media Player DRM to download and install malware. A
tactic that Zango/180Solutions is well known for.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
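
As an added example (not part of any post in this thread): a minimal header inspection for the original question and for the DRM point above, which walks the ASF header of a .wmv file without playing it and reports script commands (the place a URL can be embedded) and DRM objects. The GUIDs and field layout are taken from the ASF specification; the function names, the choice of which objects to flag, and the sample bytes are this example's own.

```python
import struct
import uuid

# ASF (the container behind .wmv/.wma/.asf) object GUIDs, per the ASF specification.
HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
FLAGGED = {SCRIPT: "script command",
           uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E"): "DRM content encryption",
           uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C"): "DRM extended content encryption"}

def _wstr(buf, pos):  # WORD character count, then that many UTF-16LE characters
    end = pos + 2 + 2 * struct.unpack_from("<H", buf, pos)[0]
    return buf[pos + 2:end].decode("utf-16-le", "replace").rstrip("\0"), end

def script_commands(body):
    """Decode (type, text) pairs from the body of a Script Command Object."""
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)  # after the 16-byte reserved GUID
    pos, types, out = 20, [], []
    for _ in range(n_types):
        name, pos = _wstr(body, pos)
        types.append(name)
    for _ in range(n_cmds):
        _time_ms, idx = struct.unpack_from("<IH", body, pos)
        text, pos = _wstr(body, pos + 6)
        out.append((types[idx] if idx < len(types) else "?", text))
    return out

def scan_asf(data):
    """List flagged header objects; raises ValueError when the bytes are not ASF."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != HEADER:
        raise ValueError("not ASF/WMV content, whatever the extension says")
    (count,) = struct.unpack_from("<I", data, 24)
    pos, findings = 30, []
    for _ in range(count):
        raw, size = struct.unpack_from("<16sQ", data, pos) if pos + 24 <= len(data) else (b"", 0)
        if size < 24:
            break  # truncated file or malformed size field: stop walking
        guid = uuid.UUID(bytes_le=raw)
        if guid in FLAGGED:
            body = data[pos + 24:pos + size]
            findings.append((FLAGGED[guid], script_commands(body) if guid == SCRIPT else []))
        pos += size
    return findings

def constructed_sample():  # constructed header-only input: one "URL" script command, no media
    w = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + w("URL")
    body += struct.pack("<IH", 5000, 0) + w("http://example.invalid/")
    obj = SCRIPT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

For a real file, pass the first few hundred kilobytes read in binary mode to `scan_asf`; an empty result only means none of the flagged header objects is present, not that the file is safe.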


 