  1. #16
    tlvp
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On Fri, 03 Feb 2012 18:13:57 -0800, SMS wrote:

    > On 2/1/2012 8:18 PM, tlvp wrote:
    >
    >> Paul, I think mikeyhsd had a little trouble with a defective RoT-13 routine
    >> mis-decoding .mp3 into .exe :-) . Could happen to anyone, ya know?

    >
    > I mentioned ROT13 encoding at an Android developer workshop I was giving
    > today. Only 2 out of 7 people knew what it was.


    Mmm ... at a Postal ZIP code developer workshop, you might have done a mite
    better, with two out of five :-) .

    Cheers, -- tlvp
    --
    Before replying, throw out the trash, please.







  2. #17
    W
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    mikey, can you explain the vector by which a Windows system downloading the
    posted .mp3 file would execute it as an .exe?

    I assume that a trojan could load a .dll hidden inside of a data format and
    then execute that, but you would need to already have the active trojan
    loaded in your system at time of download?

    --
    W

    "mikeyhsd" <[email protected]> wrote in message
    news:[email protected]...
    I already run MS SE, have been since beta.

    have run super anti spyware, and several others recently.

    nothing found EVER.

    there is NOTHING wrong with my system.

    you are just upset because you got caught.




    mikeyshd

    "SMS" <[email protected]> wrote in message
    news:[email protected]...
    On 2/2/2012 3:37 PM, Paul Miner wrote:
    > On Thu, 2 Feb 2012 17:20:09 -0600, "mikeyhsd"<[email protected]>
    > wrote:
    >
    >> there is NO mistake.
    >>
    >> all the mp3's on my computer register as MP3 except for the EXE file you
    >> tried to foster on the public.
    >
    > Since you seem to be the only person who is being redirected to
    > another resource, an EXE file in your case, you might want to check
    > for browser hijacks or other exploits on your system. For the rest of
    > us, it was a simple mp3 audio file.


    He could definitely have some malware or a browser exploit on his system
    if an mp3 file shows up as a .exe file, presuming he's telling the truth
    rather than simply trolling.

    Unfortunately the malware on his system may not let him install and run
    anti-malware software like MalwareBytes or Microsoft Security
    Essentials. I've seen systems where the only way to get around that was
    to take the disk drive out of the system and plug it in as an external
    drive to another system that already had the anti-malware software
    installed, and then scan the external drive and remove the malware.

    If it's a browser exploit he could try a different browser to see if it
    still shows up as a .exe.

    Whatever the cause, he should get his system looked at by a professional
    who can figure out the cause of the problem.





  3. #18
    W
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    "SMS" <[email protected]> wrote in message
    news:[email protected]...
    > On 2/1/2012 4:58 PM, Paul Miner wrote:
    > > On Wed, 1 Feb 2012 17:41:27 -0600, "mikeyhsd"<[email protected]>
    > > wrote:
    > >
    > >> looking at the attachment it did indeed have an EXE extension.
    > >>
    > >> case closed.

    > >
    > > Case opened.
    > >
    > > Here's the link that started all of this:
    > >
    > > <http://www.kqed.org/.stream/anon/radio/forum/2012/01/2012-01-27b-forum.mp3>
    > >
    > > Note that there is an mp3 extension, not an exe extension. The mp3
    > > extension indicates a well known audio format, not any kind of
    > > executable file. It's completely unknown where you got the idea that
    > > there was an exe extension involved.
    > >
    > > Case closed again.

    >
    > Thanks, but explaining it to him is apparently hopeless. He wants to
    > think that a .mp3 file is a .exe file and the facts have no bearing on
    > his beliefs.
    >
    > What likely happened is that he read somewhere that you should never
    > open unknown files because they could be executable files that contain
    > viruses, and he extrapolated this advice into the notion that every
    > unknown file must be a .exe file regardless of the extension. Now he
    > needs to spread this "knowledge" around.


    I did not look at the MP3 that is the subject of this thread, so what
    follows is just general discussion relevant to this context.

    My understanding of how a virus transmission via MP3 file could work is
    something like the following:

    1) You go to a page with an exploit loaded on the page. Obviously that
    assumes you have a particular browser or release of a particular release
    that is subject to the exploit. There are known cases of browser exploits
    that can execute under Windows with SYSTEM authority even though the user
    was browsing from a non privileged account. Microsoft tries to repair
    those exploits when found, but these are complex pieces of software, and the
    bad guys keep finding loopholes.

    Also, let's not forget that MANY MANY users who run Windows XP do so in an
    Administrator security context, making life that much easier for an exploit.
    I once read a "security" article in a major publication in which the
    author - a known "security" expert - said that he had to run Windows XP as
    Administrator because it was too difficult to use any other way. Right.

    2) You innocently download what you believe to be a data file, in this case
    an MP3. But such MP3 would actually be a DLL or EXE for a full TROJAN.
    When you go to play the MP3 it would complain of an unknown format.

    3) The exploit then manages to invoke a system EXE through the exploit
    interface that loads the MP3 as data and then executes it as a DLL or EXE.

    A lot of things have to be simultaneously true for this exploit to work, but
    in general it could be done.

    There isn't enough information in mikey's posts to understand what he found
    that leads him to conclude the MP3 contains malware or executable code.


    > In this case, a .mp3 file from one of the largest radio stations in the
    > country was obviously safe.


    I would never assume that a data file from a radio station was checked for
    viruses.

    --
    W
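
Added example, not part of any post in this thread: whether a file named .mp3 is really audio or a Windows executable can be settled from its leading bytes rather than its name. The function names and the sample byte strings below are constructed for illustration.

```python
import struct

# What each extension is expected to contain (assumed mapping for this example).
EXPECTED = {".mp3": "mp3", ".exe": "pe", ".dll": "pe"}

def sniff(data: bytes) -> str:
    """Classify a buffer as 'pe', 'dos-mz', 'mp3' or 'unknown' from its header."""
    if data[:2] == b"MZ":
        # A PE image stores the offset of its "PE\0\0" signature at 0x3C.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "dos-mz"
    if data[:3] == b"ID3":            # ID3v2 tag in front of the audio frames
        return "mp3"
    if len(data) >= 3 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        version = (data[1] >> 3) & 0x3   # 0b01 is reserved
        layer = (data[1] >> 1) & 0x3     # 0b00 is reserved
        bitrate = data[2] >> 4           # 0b1111 is invalid
        rate = (data[2] >> 2) & 0x3      # 0b11 is reserved
        if version != 1 and layer != 0 and bitrate != 0xF and rate != 3:
            return "mp3"
    return "unknown"

def check(name: str, data: bytes):
    """Return (declared, actual, mismatch) for a file name and its contents."""
    dot = name.rfind(".")
    declared = EXPECTED.get(name[dot:].lower(), "unknown") if dot != -1 else "unknown"
    actual = sniff(data)
    return declared, actual, declared != actual

# Constructed samples: a bare MPEG-1 Layer III frame header, the same frame
# behind an ID3v2 tag, and a minimal MZ/PE header stub.
FRAME = bytes([0xFF, 0xFB, 0x90, 0x00])
ID3_MP3 = b"ID3\x03\x00\x00" + b"\x00" * 4 + FRAME
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    for label, blob in [("audio", ID3_MP3), ("renamed exe", PE_STUB)]:
        print(label, check("2012-01-27b-forum.mp3", blob))
```
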





  4. #19
    SMS
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On 2/4/2012 2:03 PM, W wrote:

    <snip>

    > There isn't enough information in mikey's posts to understand what he found
    > that leads him to conclude the MP3 contains malware or executable code.


    That's true, but since as everyone found out, since that file was simply
    a .mp3, it's pretty obvious that he has some sort of malware on his
    system that's redirecting him to some mystery .exe file. That is of
    course if he's telling the truth. He may just be trolling.



  5. #20
    SMS
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On 2/4/2012 1:48 PM, W wrote:
    > mikey, can you explain the vector by which a Windows system downloading the
    > posted .mp3 file would execute it as an .exe?
    >
    > I assume that a trojan could load a .dll hidden inside of a data format and
    > then execute that, but you would need to already have the active trojan
    > loaded in your system at time of download?


    It's more likely that he has a browser exploit that re-directs whenever
    the user clicks on a .mp3. Especially since as everyone else that has
    looked at that .mp3 realizes that it's just an .mp3.

    What's rather sad is that he has a problem with his system but he's too
    stubborn to admit it. Of course the actual explanation is much more
    likely--he's just making the whole thing up to be annoying! Thankfully,
    Thunderbird has good filters on their Usenet reader.




  6. #21
    Roger 2008
    Guest

    Re: San Francisco Man Stops Using his Smart Phone


    "SMS" <[email protected]> wrote in message
    news:[email protected]...
    > From San Francisco's SF Sketchfest Comedy Festival
    >
    > <http://www.kqed.org/.stream/anon/radio/forum/2012/01/2012-01-27b-forum.mp3>
    > at 7 minutes 20 seconds.


    Thanks and I heard the part at 7 minutes 20 seconds and it was pretty good.
    Too bad someone thought an MP3 was an EXE.





  7. #22
    SMS
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On 2/6/2012 4:59 AM, Roger 2008 wrote:
    > "SMS"<[email protected]> wrote in message
    > news:[email protected]...
    >> From San Francisco's SF Sketchfest Comedy Festival
    >>
    >> <http://www.kqed.org/.stream/anon/radio/forum/2012/01/2012-01-27b-forum.mp3>
    >> at 7 minutes 20 seconds.

    >
    > Thanks and I heard the part at 7 minutes 20 seconds and it was pretty good.
    > Too bad someone thought an MP3 was an EXE.


    Actually it's highly unlikely that he thought that. It's likely that he
    read somewhere to never click on unknown links which can be good advice
    if you're an inexperienced computer user because the links could be
    executables that can harm your computer (actually this is unlikely if
    you have decent AV and Malware software installed). He was trying to
    "help" people, not realizing that, in general, Usenet users are pretty
    savvy and can tell the difference between an audio file and an
    executable. It's also possible that he has some malware in the form of a
    browser exploit on his system, and that it's redirecting him to some
    rogue .exe.

    What he should do is to take a screen shot of the redirect and upload a
    jpg of it to <http://tinypic.com/> and let us look at it so we could
    advise him of what his problem is. Alas he'll probably think that
    <http://tinypic.com/> is an executable as well!



  8. #23
    Roger 2008
    Guest

    Re: San Francisco Man Stops Using his Smart Phone


    "SMS" <[email protected]> wrote in message
    news:[email protected]...
    > On 2/6/2012 4:59 AM, Roger 2008 wrote:
    >> "SMS"<[email protected]> wrote in message
    >> news:[email protected]...
    >>> From San Francisco's SF Sketchfest Comedy Festival
    >>>
    >>> <http://www.kqed.org/.stream/anon/radio/forum/2012/01/2012-01-27b-forum.mp3>
    >>> at 7 minutes 20 seconds.

    >>
    >> Thanks and I heard the part at 7 minutes 20 seconds and it was pretty
    >> good.
    >> Too bad someone thought an MP3 was an EXE.

    >
    > Actually it's highly unlikely that he thought that. It's likely that he
    > read somewhere to never click on unknown links which can be good advice if
    > you're an inexperienced computer user because the links could be
    > executables that can harm your computer (actually this is unlikely if you
    > have decent AV and Malware software installed). He was trying to "help"
    > people, not realizing that, in general, Usenet users are pretty savvy and
    > can tell the difference between an audio file and an executable. It's also
    > possible that he has some malware in the form of a browser exploit on his
    > system, and that it's redirecting him to some rogue .exe.
    >
    > What he should do is to take a screen shot of the redirect and upload a
    > jpg of it to <http://tinypic.com/> and let us look at it so we could
    > advise him of what his problem is. Alas he'll probably think that
    > <http://tinypic.com/> is an executable as well!


    And I also forgot to thank you for using the full URL in your first post.
    Thanks. Yes, I hate those links that say stuff like tinyurl etc.

    Now what I'm doing on ATTWS is I want to know if the release date for the
    AT&T Galaxy Note will really be February 19, 2012.

    Rocky





  9. #24
    SMS
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On 2/6/2012 8:40 AM, Roger 2008 wrote:

    > And I also forgot to thank you for using the full URL in your first post.
    > Thanks. Yes, I hate those links that say stuff like tinyurl etc.


    Tinyurls can be dangerous, but a lot of people don't know how to use a
    long URL on Usenet in a way that it doesn't get chopped up (enclosing it
    in <>) so they use a tinyurl instead. What's better to do with tinyurl
    is to post the preview link so someone that clicks on it can see where
    it redirects to prior to deciding whether to go there or not. Alas, for
    those people that believe that a .mp3 is a .exe, that's not going to
    help them anyway.

    I can't believe that the posting of a simple audio file that was an
    amusing bit about smart phones actually turned into such a ridiculous
    thread. But such is Usenet and newbies.



  10. #25
    tlvp
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On Mon, 06 Feb 2012 07:25:49 -0800, SMS wrote:

    > ... Alas he'll probably think that
    > <http://tinypic.com/> is an executable as well!


    Obviously -- what .com file *isn't* an executable :-) ?

    Cheers, -- tlvp
    --
    Before replying, throw out the trash, please.



  11. #26
    SMS
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On 2/6/2012 11:07 PM, tlvp wrote:
    > On Mon, 06 Feb 2012 07:25:49 -0800, SMS wrote:
    >
    >> ... Alas he'll probably think that
    >> <http://tinypic.com/> is an executable as well!

    >
    > Obviously -- what .com file *isn't* an executable :-) ?
    >
    > Cheers, -- tlvp


    LOL, unlikely since he would know that because it was so long ago.

    However there is actually something to the .com file thing since prior
    to 64 bit versions of Windows, Windows would execute a DOS .com file
    just fine. Primitive virus writers would name virus files things like
    "paint.com" and since if there are both .com and .exe files the .com
    file will execute if the user types in just the file name without the
    extension, and they hoped that the user would run in a DOS window and
    run paint.com.

    You can still execute a .com file in 64 bit Windows using DOSBox, but I
    don't know if you could launch a virus that way since it's more of a
    virtual machine.
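
Added example, not part of any post in this thread: a check for the .com-before-.exe behaviour described above, which flags files in one directory that would be shadowed when a command is typed without its extension. The PATHEXT value is shortened to its first four default entries, and the directory listing is constructed.

```python
# First entries of the default Windows PATHEXT order (shortened for the example).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"

def resolve(command, listing, pathext=DEFAULT_PATHEXT):
    """Return the file a bare command name would select from one directory."""
    by_lower = {name.lower(): name for name in listing}
    for ext in pathext.lower().split(";"):
        hit = by_lower.get(command.lower() + ext)
        if hit:
            return hit
    return None

def shadowed(listing, pathext=DEFAULT_PATHEXT):
    """Map each winning file to the same-named files it hides from bare-name lookup."""
    order = pathext.lower().split(";")
    groups = {}
    for name in listing:
        stem, dot, ext = name.rpartition(".")
        ext = (dot + ext).lower()
        if dot and ext in order:
            groups.setdefault(stem.lower(), []).append((order.index(ext), name))
    report = {}
    for hits in groups.values():
        if len(hits) > 1:
            hits.sort()  # lowest PATHEXT index wins
            report[hits[0][1]] = [name for _, name in hits[1:]]
    return report

# Constructed directory listing.
LISTING = ["paint.exe", "PAINT.COM", "readme.txt", "backup.bat", "notes"]

if __name__ == "__main__":
    print(resolve("paint", LISTING))
    print(shadowed(LISTING))
```
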



  12. #27
    tlvp
    Guest

    Re: San Francisco Man Stops Using his Smart Phone

    On Tue, 07 Feb 2012 09:52:43 -0800, SMS wrote:

    > On 2/6/2012 11:07 PM, tlvp wrote:
    >> On Mon, 06 Feb 2012 07:25:49 -0800, SMS wrote:
    >>
    >>> ... Alas he'll probably think that
    >>> <http://tinypic.com/> is an executable as well!

    >>
    >> Obviously -- what .com file *isn't* an executable :-) ?
    >>
    >> Cheers, -- tlvp

    >
    > LOL, unlikely since he would know that because it was so long ago.
    >
    > However there is actually something to the .com file thing since prior
    > to 64 bit versions of Windows, Windows would execute a DOS .com file
    > just fine. Primitive virus writers would name virus files things like
    > "paint.com" and since if there are both .com and .exe files the .com
    > file will execute if the user types in just the file name without the
    > extension, and they hoped that the user would run in a DOS window and
    > run paint.com.
    >
    > You can still execute a .com file in 64 bit Windows using DOSBox, but I
    > don't know if you could launch a virus that way since it's more of a
    > virtual machine.


    Heck, the command prompt itself, in earlier versions of Windows, was
    command.com, not cmd.exe :-) . Cheers, -- tlvp
    --
    Before replying, throw out the trash, please.


