Is there a new virus that disguises its intent with .jpg extension?


Ghostown

Our organization just came across this a few days ago and decided to block
all .jpg attachments. Symantec apparently "missed" the bad guy. Any idea
what this might be? Our IT guys aren't wanting to disclose the information
(out of embarrassment I presume).
 
Ghostown said:
Our organization just came across this a few days ago and decided to block
all .jpg attachments. Symantec apparently "missed" the bad guy. Any idea
what this might be? Our IT guys aren't wanting to disclose the information
(out of embarrassment I presume).

A WMF (*.wmf) trojan can be named with a .jpg extension and the WMF
handler will still recognize it and execute the malware.

Google for WMF vulnerability to learn more.

IIRC .gif is also used for this type of trojan.
 
The file is not actually a .JPG; it shows as a jpg file but it is an EXE file.
If so, it is related to bagle.au, which started at the end of Dec 2005.
It is still in the wild, so please update your AV protection.
 
Relevant articles about the WMF exploit:

http://isc.sans.org/diary.php?storyid=994
http://isc.sans.org/diary.php?storyid=996
http://isc.sans.org/diary.php?storyid=1011
http://isc.sans.org/diary.php?storyid=1016
http://isc.sans.org/diary.php?storyid=1023

Bottom line: the Windows graphics engine goes by magic bytes, not file
extensions like everything else in the Windows world, and so an exploit
could reasonably arrive as any image file extension normally handled by
Windows.

This includes .gif, .jpg, .png, .bmp, .tiff, etc. Any WMF image with
any of these extensions will be recognized and treated as .wmf images
quite happily by Windows, and an exploit will be very happily executed
without further user action on an unpatched system.
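
As an added example (not part of the thread or written by any poster), this Python sketch shows the content-based check the post above implies for a mail gateway: classify an attachment by its leading bytes and compare that with the extension. The function names, the block/flag/pass policy and the sample data are assumptions made for illustration.

```python
import struct

# Leading-byte signatures for the file types named in the thread.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),  # placeable WMF key 0x9AC6CDD7, little-endian
    (b"MZ", "exe"),                # DOS/PE executable stub
]
EXT_ALIASES = {"jpeg": "jpg", "tif": "tiff"}

def sniff(data):
    """Return the type implied by the content, or None if unrecognized."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # A standard (non-placeable) WMF has no fixed key: the header is
    # type 1 or 2, header size 9 words, version 0x0100 or 0x0300.
    if len(data) >= 6:
        ftype, hsize, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None

def check_attachment(filename, data):
    """Compare the extension with the sniffed type; return (verdict, type)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = sniff(data)
    if actual in ("wmf", "exe") and ext != actual:
        return "block", actual   # metafile or executable under another name
    if actual is not None and actual != ext:
        return "flag", actual    # mismatch between two image types
    return "pass", actual

# Constructed sample headers (not taken from any real sample).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18
STANDARD_WMF = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in [("a.jpg", JPEG), ("holiday.jpg", PLACEABLE_WMF),
                       ("pic.gif", STANDARD_WMF), ("photo.jpg", b"MZ\x90\x00")]:
        print(name, check_attachment(name, blob))
```

A check like this catches the renamed file regardless of which extension it arrives under, which an extension-only block on .jpg does not.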
 
Don said:
Any WMF image with any of these extensions will be recognized
and treated as .wmf images quite happily by Windows,

Windows 98 does not recognize .WMF files that are re-named to some
other bitmap type (bmp, gif, etc). While viewing directory listings
with thumbnail view turned on, Win-98 will render thumbnail images of
.WMF files. However, any legit .WMF file that is re-named to some
other bitmap extension will not be thumbnail-rendered (a placeholder
image will be shown in its place).

IE6 running on a fully updated Win-98 system will render WMF files
that are part of a web page, but if the extension has been changed to
something else (even a known type like jpg or gif) then it will launch
(if available) an alternate application to render the file (such as
Corel Photopaint or ACDSee).

Don said:
exploit will be very happily executed without further user
action on an unpatched system.

WMF files created to test if a system is vulnerable (by launching the
calculator application) do not function as such on Win-98 systems.
 