Security Forums

A virus within a JPEG

Invision
Posted: Sun Mar 14, 2004 4:47 pm

Now why would you click on that link?

Zarnick
Posted: Sun Mar 14, 2004 6:51 pm

I guess you could download it and execute it with some kinda notepad, then that should be fine... However, clicking on the link will execute the malicious HTML script, so please everybody, DON'T click on the link.

Thx

capi
Posted: Sun Mar 14, 2004 7:18 pm

Well, now it's a bit too late for Crazy... Zarnick, please, when you post a dangerous link, alter it so that it doesn't become a link, you could make it something like: "members DOT lycos DOT co DOT uk SLASH janette18 SLASH me DOT jpg" for instance (or at least wrap it in Code tags like JustinT did). That'll at least keep the more compulsive clickers safe.

As for the danger in it, of course if you open it from within a browser (I believe, by glancing at the code, that it will only affect IE) you will load and execute whatever those 6.php and 5.php do... Which, in this case, seem to be infecting you with a virus. The file itself is a simple text file (as me posting its contents verifies), but obviously if run in a browser (which is meant to execute HTML scripts) it can be dangerous.

This is yet another reminder to always make sure what you're clicking on... When in doubt, save to disk then open from another program (other than your browser). To avoid getting infected by this script, one could just save the "me.jpg" file to disk, then open it with a picture viewer (such as ACDSee). The picture viewer won't know anything about HTML (unless it's an overbloated crapware), and will just show a black screen, or say "file corrupted" or whatever.

As for helping Crazy get rid of the virus, I really can't be of much help... Don't know exactly what the virus does (and don't feel like infecting myself to find out either, sorry). Try searching in Google, or updating your anti-virus definitions and performing a full scan of all your drives.

Note: Perhaps some moderator should edit Crazy's own post, where he included the link to the virus in his quote?

Crazy
Posted: Sun Mar 14, 2004 7:39 pm

I downloaded that file, and when I tried to open it with Notepad, "something happened": the file no longer exists on my desktop. When I try to open Regedit to see what has been added, or by file name, it closes in a second; the same with Task Manager and Msconfig. Now I am trying to update and remove it.
Thanks, capi.

Zarnick
Posted: Sun Mar 14, 2004 7:48 pm

capi wrote:
Well, now it's a bit too late for Crazy... Zarnick, please, when you post a dangerous link, alter it so that it doesn't become a link, you could make it something like: "members DOT lycos DOT co DOT uk SLASH janette18 SLASH me DOT jpg" for instance (or at least wrap it in Code tags like JustinT did). That'll at least keep the more compulsive clickers safe.


Actually... the link isn't mine... I was just reinforcing the idea: DON'T click on the link; download it and open it with some notepad.

Invision
Posted: Sun Mar 14, 2004 8:53 pm

If you don't know how to work with viruses, DO NOT CLICK ON THE LINK.

We know we're all curious but it can be DANGEROUS.

andariel
Posted: Sun Mar 14, 2004 9:03 pm

Hey, I haven't seen anything like this before.
Does this mean EVERYWHERE you surf, there is a threat of getting infested and your AV can't catch this?
This makes a BIG security problem.
How can we get protected?
Thanx, andariel

Toblopo
Posted: Mon Mar 15, 2004 12:24 am

Would there be any threat from opening the file on a Deep Freeze computer? Because although I do not believe there is, and I have seen Deep Freeze recover from a fair few things, I'm not 100% sure that it will not be infected.

andariel: HTML coding can do some nasty stuff, especially when combined with other programs and scripts. There is always the danger that the site you visit while casually surfing will have a virus. You've more than likely caught some spyware (which seems to be everywhere these days) from just browsing. Although it does nothing but annoy, the same principle can be used with viruses. Make sure you have a good virus scanner and that you keep it up to date. Back up any data you don't wish to lose frequently and make a hard copy, for example CDs or removable hard drives. If you can print it, make it so. Stuff like that.

vG
Posted: Mon Mar 15, 2004 12:29 am

Sorry for any troubles that I have made. But I didn't think that anybody would just click on that link or type it in his browser. I said, THIS WILL INFECT YOU!
Sorry, again...

Now, about the virus:

The link above will download the "bots[1].exe" file... copy it in your "temporary internet files" folder and execute it...
I don't know what this file will do to your computer, but I think the virus name is "W32/Spybot.gen.worm", so try to find some more info. BUT, again... I don't know for sure if this is the virus name, I'm just guessing.

How to remove it?
My updated Panda AV found the exe file and removed it. Not sure about any other AV software... Also, try to find the file I gave you (bots[1].exe).

Hope this helped!

capi
Posted: Mon Mar 15, 2004 5:44 am

Zarnick wrote:
Actually... the link isn't mine... I was just reinforcing the idea: DON'T click on the link; download it and open it with some notepad.

You're absolutely right, my apologies - I obviously meant to address the person who posted the link (vG).

As for which platforms should be safe from this "virus", I would say at least Linux... The virus places a Windows .exe file, which simply won't run under Linux. Furthermore, you can get the file with a less bloated tool like wget (not a full-fledged browser, doesn't try to execute the HTML code, it just saves it) - which is what I did. Or you could just right click on the link and choose Save Target, which I just tested on Mozilla 1.6 and it worked fine: it saved the me.jpg file for me, then I opened it with a normal everyday text editor (joe, notepad, kedit, whatever you want) and saw the HTML code. I haven't tested it on IE but it should work the same, there's no reason for it to open the file if all you told it to do was save it (but then again who can trust IE?).

andariel: indeed the situation is something like that. We can protect ourselves from some things in some ways, it's a matter of usability/security compromise. You could disable ActiveX (or set it to prompt), that's a big way someone could affect you, Java or Javascript might benefit from some restricting as well, the problem is almost every page nowadays has some form of Javascript (the fancy menus, rollover thingies, etc) - if you set it to prompt you'll become annoyed quickly, and if you disable it you'll miss out on a lot of features from the sites you visit. In any case what would seem to me a reasonable compromise could be: have ActiveX on prompt, Java set to the highest security possible (on the IE settings), and Javascript I'd just enable it (haven't seen a Javascript that actually does anything bad yet). Then you have the other stuff such as php etc, it seems this virus uses php to somehow plant the exe on your computer (judging from the contents of the "me.jpg" file - see previous post by me).

As for avoiding something like what this virus does (the php stuff), I can't really say - I don't really know php or how this may have been done. Basically what I'd recommend is be careful which sites (or links) you follow, kind of like walking on the street: don't venture into the bad neighbourhoods, or at least be careful if you do. Don't go clicking around like crazy on everything you see - especially if it's some non-requested file like "hey look at this cool pic: blabla.com/someguy.jpg", you're better off saving the file without opening it and looking at it with some viewer other than your browser. To do this, you could right-click on the link and choose "Save Target As..." or whatever the option is called in your browser. That way, the file would get saved to disk without actually being opened in your browser - which is where the problem is, browsers and their blasted stupid tendency to try and be "smart" and say "oh, this thing is named like a JPG but actually it's got HTML code inside, let's run it silently without telling the user and see what happens". It couldn't just give an error like "this file isn't an actual JPEG or it's corrupt", now could it? Way to deceive their own users...

hugo
Posted: Mon Mar 15, 2004 9:43 am

To put it in simple terms; a JPEG file is just a data-file.

In usual situations the JPEG contains absolutely no executable content, because every JPEG interpreter will read the file and extract the bitmap. As long as the OS sees it's an image it should handle it as an image. In some situations (*cough* Windows *cough*) it is possible to trick the OS into thinking it's downloading a JPEG while in fact it is really an EXE, and the OS will handle it like an EXE (ouch!). That is not a real JPEG file so isn't really relevant because that isn't what we're discussing.

The **only** situation in which a JPEG can cause an infection is when the JPEG interpreter of the application or operating system is buggy and doesn't read the file like it is supposed to, or doesn't correctly handle errors if it gets wrong input.

Then, and only then will it be possible to get infected through a JPEG (or any other data-file).

A data file (JPEG, .txt, etc.) can contain a virus (through steganography or such), but even then, like the word suggests, it only contains the virus. Without a certain utility it will be impossible to let the OS grab the virus and execute it.

To make a simple analogy; a text-file can contain a virus, but opening the text-document in a text-editor will not execute it.
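
Added example (not part of the original posts): capi's advice to save the file and look at it outside the browser, and hugo's point that a file named like a JPEG may really be HTML or an EXE, can be checked by reading the file's leading bytes. The marker list, the extension table and the function names are assumptions of this sketch.

```python
"""Classify a saved download by its leading bytes instead of its file name."""
import os

# Tags that mark HTML/script content (assumed list, lower-case).
HTML_MARKERS = (b"<html", b"<!doctype", b"<script", b"<object", b"<iframe", b"<body")

# What each extension is expected to contain.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".exe": "pe-executable",
            ".htm": "html", ".html": "html"}


def sniff(head):
    """Return 'jpeg', 'pe-executable', 'html' or 'unknown' for the first bytes."""
    if head.startswith(b"\xff\xd8\xff"):      # JPEG start-of-image + next marker
        return "jpeg"
    if head.startswith(b"MZ"):                # DOS/PE header of a Windows .exe
        return "pe-executable"
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()   # drop BOM and whitespace
    if any(marker in text[:512] for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def check(name, head):
    """Return (detected_type, mismatch) for a file name and its leading bytes."""
    detected = sniff(head)
    expected = EXPECTED.get(os.path.splitext(name)[1].lower())
    return detected, expected is not None and detected != expected


def check_file(path, nbytes=1024):
    """Read only the head of a file saved to disk; nothing is rendered or run."""
    with open(path, "rb") as fh:
        return check(os.path.basename(path), fh.read(nbytes))


if __name__ == "__main__":
    # Constructed samples; the names echo the thread, the bytes are made up.
    samples = [
        ("me.jpg", b"<html>\r\n<body><script>/* ... */</script>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        ("bots[1].exe", b"MZ\x90\x00\x03\x00"),
        ("holiday.jpeg", b"MZ\x90\x00\x03\x00"),
    ]
    for name, head in samples:
        kind, mismatch = check(name, head)
        print(f"{name:15} {kind:14} {'MISMATCH' if mismatch else 'ok'}")
```

A `.jpg` that comes back as `html` or `pe-executable` is the case discussed in this thread; a `.jpg` that comes back as `unknown` is also reported as a mismatch, since it lacks the JPEG header.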

Zarnick
Posted: Mon Mar 15, 2004 1:28 pm

Ok, so let's get this straight, a virus within a JPEG file will only infect the computer IF the JPEG file viewer is bugged and allows the execution of arbitrary code in an image file. Ok, but does IE have this kinda bug?

And wouldn't it be possible to do a heap overflow? Independent of the viewer?

Yousof
Posted: Sat Mar 20, 2004 2:43 pm

I tried to open the file and that's what I got:

Filename: readme[1].txtpyk.exe

Crazy
Posted: Tue Mar 23, 2004 5:39 pm

OK, I can make something like this:
on an Apache server, make some changes to the httpd.conf file on Apache.
Search for the *.php extension and make this:
Code:
# Map URL prefixes to directories whose files are run as CGI programs
ScriptAlias /cgi-bin/ "C:/Apache/Apache2/cgi-bin/"
ScriptAlias /php/ "C:/Apache/PHP/"
# Treat .php, .php3 and also .mp3 files as PHP scripts
AddType application/x-httpd-php .php .php3 .mp3
# Hand that type to the PHP CGI executable
Action application/x-httpd-php "/php/php.exe"

With this I can make some fake file. It appears like an MP3 but it's not.

It's so bad of some guys to do this.

Anyway, be careful and use Save Target As with any file you want to download.
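
Added example (not from the original post and not Apache's own tooling): a small audit a server administrator could run over httpd.conf to spot mappings like the `.mp3` one above, where a media extension is handed to a script engine. The watch lists and function names are assumptions; it does not follow Include files, .htaccess files or SetHandler sections.

```python
"""Flag Apache directives that route non-script extensions to a script engine."""

# Assumed watch list of script handlers / types, and the extensions expected on them.
SCRIPT_HANDLERS = {"application/x-httpd-php", "cgi-script"}
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".cgi", ".pl"}


def audit(conf_text):
    """Return [(line_no, extension, handler)] for each suspicious mapping."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                              # blank line or comment
        if parts[0].lower() not in ("addtype", "addhandler") or len(parts) < 3:
            continue                              # directive names are case-insensitive
        handler = parts[1].lower()
        if handler not in SCRIPT_HANDLERS:
            continue
        for ext in parts[2:]:
            ext = "." + ext.lstrip(".").lower()   # Apache accepts "mp3" and ".mp3"
            if ext not in SCRIPT_EXTS:
                findings.append((line_no, ext, handler))
    return findings


# Lines 1-4 are the directives from the post; the rest are constructed.
SAMPLE_CONF = '''\
ScriptAlias /cgi-bin/ "C:/Apache/Apache2/cgi-bin/"
ScriptAlias /php/ "C:/Apache/PHP/"
AddType application/x-httpd-php .php .php3 .mp3
Action application/x-httpd-php "/php/php.exe"
# constructed, benign
AddType image/jpeg .jpg .jpeg
AddHandler cgi-script .cgi
'''

if __name__ == "__main__":
    for line_no, ext, handler in audit(SAMPLE_CONF):
        print(f"line {line_no}: {ext} files are handled as {handler}")
```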

Anub!$
Posted: Tue Mar 23, 2004 5:51 pm

Does not the download and execution of that file depend on what browser you are using?

Zarnick
Posted: Wed Mar 24, 2004 2:51 am

Yes, and no. If you do a save as, then YOU choose how to run the file (of course); however, if you just click (like most people do), then it depends on the browser, and the file MAY (change it for WILL) have a bug for your browser (let's say IE? hehe), and will execute malicious code.

All times are GMT + 2 Hours