A JPEG-embedded virus on the run - Read this and update your virus definition files
Madhava - Tue, 28 Sep 2004 03:41:43 +0530
For those of you who haven't updated your virus programs for a while, now is the time. Update your virus definition files immediately. There is a new virus on the run which is cleverly embedded into a regular JPEG image file.

This bulletin from Symantec offers you some technical details on the virus.

QUOTE (Symantec)
Hacktool.JPEGShell is a Trojan horse program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability.

Essentially, like all trojans, if allowed to infect your computer, it may enable a hacker to take control of your computer. This trojan will establish outbound internet connections from your PC, possibly downloading and installing malicious software on your PC.

As a reminder, it is a very good idea to have a firewall installed, as a firewall will, even if your PC becomes infected, stop the trojan horse from accessing the internet, essentially rendering it harmless as far as exploiting it goes.
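The Symantec bulletin quoted above names the flaw as a segment-length integer underflow. In the JPEG format every marker segment (APP0, COM and so on) begins with a two-byte big-endian length that counts the length field itself, so a well-formed value is never below 2; a decoder that computes the payload size as "length minus 2" without checking this wraps around to a huge value. The checker below is an added example for this thread, not code from the original post, from Symantec or from any vendor: it walks a file's marker segments and rejects any segment whose length field is below 2 or runs past the end of the data. The two byte strings are constructed here for the demonstration (a minimal valid header, and a malformed header whose COM length field is 1); they are not real samples.

```python
"""Validate JPEG marker-segment length fields before handing a file to a decoder.

Added example for this thread (not code from the post or from Symantec). The
sample inputs below are constructed for the test; the 'bad' one is only a
malformed two-byte length field with no payload of any kind.
"""
import struct
from typing import Iterator, Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes) -> Iterator[Tuple[int, Optional[int], int]]:
    """Yield (marker, length_field, offset) for each header segment.

    Stops at SOS (entropy-coded data follows) or EOI. Raises ValueError on any
    structural problem, in particular a length field below 2, which is the
    condition that makes a naive 'payload = length - 2' underflow.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, None, pos
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # The length counts its own two bytes, so 0 or 1 is never legitimate.
        if length < 2:
            raise ValueError(
                f"segment 0xFF{marker:02X} at offset {pos}: length {length} < 2 "
                "(integer underflow in a naive decoder)")
        if pos + 2 + length > len(data):
            raise ValueError(
                f"segment 0xFF{marker:02X} at offset {pos} runs past end of file")
        yield marker, length, pos
        pos += 2 + length
        if marker == SOS:
            return
    raise ValueError("unexpected end of data before EOI")


def check_jpeg(data: bytes) -> Tuple[bool, str]:
    """Return (ok, message); ok is False when the header is malformed."""
    try:
        segments = list(walk_segments(data))
    except ValueError as err:
        return False, str(err)
    return True, f"{len(segments)} header segments ok"


# Constructed samples (not real files):
# SOI, APP0/JFIF (length 16), COM "hello" (length 7), EOI.
GOOD_JPEG = bytes.fromhex(
    "FFD8"
    "FFE0" "0010" "4A46494600" "0101" "00" "0001" "0001" "00" "00"
    "FFFE" "0007" "68656C6C6F"
    "FFD9")
# SOI, then a COM segment whose length field is 1: below the 2-byte minimum.
BAD_JPEG = bytes.fromhex("FFD8" "FFFE" "0001" "FFD9")

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        ok, msg = check_jpeg(blob)
        print(f"{name}: {'accept' if ok else 'REJECT'} - {msg}")
```

A check like this belongs in front of the decoder (a mail gateway, an upload handler, a file scanner), not inside it: the point is to refuse the malformed header before any image library with the flaw ever sees it, and the same walker also catches segments that claim more bytes than the file contains.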
braja - Tue, 28 Sep 2004 05:01:45 +0530
Although I haven't checked to see whether this can be triggered by jpegs in email, I'd still suggest switching off image loading in emails. As images in emails are sometimes used to track whether the recipient email address is valid, you'll have the side benefit of not helping spammers. Thunderbird is a great email client for avoiding viruses in general and it can be easily set up to block all images in an email. In the latest version (0.8) there is a "Show Images" button right by the header of your email so you can easily allow trusted email content to display its images but block all others.
Advaitadas - Tue, 28 Sep 2004 11:57:14 +0530
QUOTE (Madhava @ Sep 27 2004, 10:11 PM)
For those of you who haven't updated your virus programs for a while, now is the time. Update your virus definition files immediately. There is a new virus on the run which is cleverly embedded into a regular JPEG image file.

This bulletin from Symantec offers you some technical details on the virus.

QUOTE (Symantec)
Hacktool.JPEGShell is a Trojan horse program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability.

Essentially, like all trojans, if allowed to infect your computer, it may enable a hacker to take control of your computer. This trojan will establish outbound internet connections from your PC, possibly downloading and installing malicious software on your PC.

As a reminder, it is a very good idea to have a firewall installed, as a firewall will, even if your PC becomes infected, stop the trojan horse from accessing the internet, essentially rendering it harmless as far as exploiting it goes.

I found a Trojan plus the spyware C2 Media on my PC yesterday despite having a firewall and my weekly F-Secure update. How is that possible then? I do run a p2p program, but it's WinMX and you said that was safe. Is it coming from there or from downloading an infected jpeg image?
Madhava - Tue, 28 Sep 2004 16:04:39 +0530
WinMX itself is not riddled with spyware or adware. However, it is only as safe as the content you download. Virus killers rarely interfere with spyware or adware, and firewalls only block them when they try to establish inbound or outbound internet connections. You need to use a program such as SpyBot to eliminate them. This program is very likely something that has been installed when you have installed a "freeware" program of sorts. I don't think this is a case with the JPEG virus I warned people about.
Advaitadas - Tue, 28 Sep 2004 16:26:52 +0530
Could you give me examples of freeware programs? Your good self has given me Spybot to run and I run it regularly but it did not detect the C2 Media program. Mind you, it was on my HDD for just 2 days before I detected it with the trojan it carried. Anyway it could not be prevented by having Spybot, that makes me wonder...
Madhava - Tue, 28 Sep 2004 16:43:16 +0530
Freeware - well, with that I essentially referred to whatever you get without having to pay for it. Strictly speaking all that is free isn't freeware, but you'll often find spyware and adware supported programs given off in the name of freeware.

SpyBot doesn't actively prevent. You need to run it regularly and also update its spyware definition files. It cannot automagically keep learning of new pests. Some use both AdAware and Spybot together to make it double sure nothing extra is there.

How did you detect this trojan, then?
Advaitadas - Tue, 28 Sep 2004 16:57:07 +0530
QUOTE
Freeware - well, with that I essentially referred to whatever you get without having to pay for it.

OK but that means some program I downloaded from the web (I didn't do that for long AFAIK) or any article, picture or music file I may have downloaded?

QUOTE
How did you detect this trojan, then?

F-Secure provided a popup warning and successfully deleted it. It was in Program Files, where C2 had installed itself 2 days earlier, undetected by me.
Madhava - Tue, 28 Sep 2004 17:09:04 +0530
QUOTE (Advaitadas @ Sep 28 2004, 12:27 PM)
OK but that means some program I downloaded from the web (I didnt do that for long AFAIK) or any article, picture or music file I may have downloaded?

Could be the outcome of clicking any .exe, .bat, .pif, .scr, .com and so forth file you've come across. The only mp3 trojan I've read about was Mac-specific. With .docs, there may be macro viruses. But generally it's something you've executed. For example, sometimes zipped stuff comes in a self-executable archive with an .exe extension. It isn't a good idea to click on it directly, but rather right-click and use one's zip program to open it up, if at all uncertain over what's inside. (It might not be an archive file at all.)

This might answer the question "how":

"Discovered while downloading what was believed to be an MP3 search engine ended up to be Adware corrupting the Microsoft Internet Explorer Search engine." "FreeMP3_V3.0.exe"

Some further links here. Also:

http://www.spywareinfo.com/articles/lop/

"The installer for this variant may be named mp3.exe or freemp3z.exe. These files may appear on your computer as a result of an activex script which automatically begins to download them when you load pages at certain mp3 and/or pornographic web sites. The files are digitally signed by C2Media, the company which owns the lop.com web site and software."

And http://www.doxdesk.com/parasite/lop.html :

Distribution: Installed by ActiveX from many sites, often pop-up ads.

There are often pop-up loops (pop-ups opening pop-ups endlessly) for sites claiming to be MP3 search and download tools, which try to exploit the confusion caused by this to install lop. However, lop downloaders have also appeared on some mainstream ad networks.
QUOTE
F-Secure provided a popup warning and successfully deleted it. It was in Program Files, where C2 had installed itself 2 days earlier, undetected by me.

Are you sure it was two days earlier? Odd that it wasn't detected then. Maybe this version was something new that was only discovered after you updated your virus definition files, and this was the first time the file activated after the update.
Advaitadas - Tue, 28 Sep 2004 17:47:41 +0530
QUOTE
Are you sure it was two days earlier? Odd that it wasn't detected then. Maybe this version was something new that was only discovered after you updated your virus definition files, and this was the first time the file activated after the update.

It was dated 25/9/04 in the Program Files folder. I discovered and deleted it on 27/9/04, yesterday. My weekly virus killer update took place just half an hour ago. Could it have been such a new version?
Madhava - Tue, 28 Sep 2004 17:59:26 +0530
Well, that's the most likely explanation I can think of. They breed like anything these days. For what I read of this particular little pest, there are many, many versions out there.