by LURHQ Threat Intelligence Group
September 28, 2004
***JPEG “Virus” Facts***
A great deal of attention is being paid to a supposed “JPEG virus” discovered in a couple of Usenet postings. Because many people are still not familiar with the workings of the current MS04-028 exploits, much misinformation is being spread in public forums. This advisory is being sent to clear up the facts surrounding this posted JPEG exploit. If you have been following Threat #49 in the LURHQ Sherlock Enterprise Security Portal (MS04-028 Jpeg Comment Buffer Overflow Analysis), you may already be aware of most of this information.
Here are the simple details of this incident:
- It’s not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.
- It only affects users with Windows XP Service Pack 1.
- It does not automatically execute on reading the message. The JPEG must be saved into a local folder, then the mouse pointer must be moved over the JPEG file’s icon.
- The file is detected by all major antivirus engines with current virus definition files. Because of the nature of the JPEG format, it is impossible to disguise an infected JPEG file. So current signatures should detect ALL future attempts to exploit this vulnerability.
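The last point rests on the trigger being visible in the file's segment structure: for MS04-028 it is a JPEG comment (COM, `FF FE`) segment whose two-byte length field is below 2, the smallest value the format allows. The following is an added example, not LURHQ's code or any vendor's signature, of a structural check for that condition; the function name and the sample bytes are constructed for illustration.

```python
import struct

COM = 0xFE  # JPEG comment marker (FF FE)
SOS = 0xDA  # start of scan; entropy-coded image data follows
# Markers that carry no length field: TEM, SOI, EOI, RST0-RST7
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def find_bad_comment_segments(data):
    """Return offsets of COM segments whose length field is 0 or 1.

    The length field counts its own two bytes, so any value below 2
    is malformed. Only the header segments before SOS are walked.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    hits = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            break                      # lost marker sync; stop parsing
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break                      # truncated segment header
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == COM and length < 2:
            hits.append(pos)
        if length < 2 or marker == SOS:
            break                      # malformed length or start of scan data
        pos += 2 + length
    return hits


# Constructed sample headers (no image data, no payload).
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
BAD = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    print("well-formed:", find_bad_comment_segments(GOOD))
    print("malformed:  ", find_bad_comment_segments(BAD))
```

The check looks only at segment headers, so it gives the same answer whatever bytes follow the malformed comment segment.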
Read more of the “facts” at http://www.lurhq.com/jpegvirus.html