Announcement

**xortam** · 26 June 2002, 09:38

I haven't run into that but I read an article the other day which talks about viruses being spread by JPEG files. The JPEG viruses need a separate launcher.

**[Ch]amsalot** · 26 June 2002, 10:48

GT,

Are you sure that it wasn't something like .gif.vbs or .gif.js?

-[Ch]ams

From McAfee Avert FAqs:

Domain Registered at Safenames

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/faqs.asp

11. Can JPG, GIF, etc be infected?

When these files are internally the JPG or GIF files for example, these are specific types of data files, and have no executable code or macros in them. They cannot be infected with viruses. However, worms and trojans will sometimes make it appear as though their files are harmless data files by adding an extension such as JPG before its true extension. Or else, once a trojan or worm has been run, they will change the file associates for common data-file extensions to run its own executable code. However, the file internally will be executable code rather than data as in a true JPG or GIF file.

-[Ch]ams

**GT98** · 26 June 2002, 11:00

If I remember right the extention was like this filename.gif[1] and after the bracket it was cut off due to the pop up window.

**[Ch]amsalot** · 26 June 2002, 11:07

Well, Norton flagging it is a good thing. You're probably safe. Do you know how to check files that loadup on startup in the registry?

You may also want to check what services are running (win2k/xp).

Wish I could help more...

-[Ch]ams

**xortam** · 26 June 2002, 13:23

Originally posted by [Ch]amsalot
... When these files are internally the JPG or GIF files for example, these are specific types of data files, and have no executable code or macros in them. ...

That's the traditional thinking but new viruses have reportedly found a way to imbed code into the JPEG files and execute it from an external launcher. This is a recent development.

**[Ch]amsalot** · 26 June 2002, 13:29

From my understanding, they are not embedded in jpgs. Rather, file associations are modified such that .jpgs are run as executables.

However, if what you're saying is true, that's certainly a new and scary thought. Do you have any links to this?

-[Ch]ams

**Wombat** · 26 June 2002, 13:41

I remember reading about this as well. Somebody actually found a hole in the jpeg processing libraries, but I don't know if it amounted to anything more than a buffer overflow.

**xortam** · 26 June 2002, 13:46

I searched for where I saw the article when I originally replied but I couldn't locate the article. I think it was in a Bay Area paper in the last few weeks.

**Gurm** · 26 June 2002, 14:12

*ahem*

In my experience, news papers and programs on TV are less well informed than the average schmuck. In other words, it's a hoax. TRUST me on this one.

- Gurm

**xortam** · 26 June 2002, 14:56

Its certainly possible to imbed code as data in a JPEG file. Look at the use of digital watermarks and the fed's concern over covert communications embedded in digital pictures. Why wouldn't a virus writer develop a way to exploit this capability?

**djroberts** · 26 June 2002, 15:03

Ya know. My cousin said to start wearin rubber gloves when smurfing for prOn on the internet . She was right!

Dang now people are ketchin viruses and stuff from those pictures

dj

**xortam** · 26 June 2002, 15:09

Originally posted by Gurm
... In other words, it's a hoax. TRUST me on this one.

No its not!

A simple Google search pulled up the article as the first hit. Here it is.

W32/Perrun description on Network Associate site

Method Of Infection
The virus arrives in the form of a 11,780 byte PE file. When run on the victim machine, the 5,636 byte extractor component (EXTRK.EXE) is dropped (to the current directory). Both files are written in Visual Basic 6, and packed with UPX. The following Registry key is modified in order that JPEG file execution is hooked:

HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1

Subsequently, when JPEG files are executed, the extractor component checks if the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.

The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1

az · 26 June 2002, 18:33

The way I understand this, the real virus about that is the extractor, and opening the JPGs on an uninfected machine wouldn't do anything? If so, this isn't really new... If not, it's scary

AZ

**xortam** · 26 June 2002, 19:07

Its a multi-component virus which requires both the extractor and the infected JPEG file to do its nasty deed.

Announcement

Virus from a .GIF file?

Virus from a .GIF file?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment