JPEG "Virus" Facts

A great deal of attention is being paid to a supposed "JPEG virus" discovered in a couple of Usenet postings. Because many people are still not familiar with the workings of the current MS04-028 exploits, much misinformation is being spread in public forums. This advisory is being sent to clear up the facts surrounding this posted JPEG exploit. If you have been following Threat #49 in the SecureWorks Portal (MS04-028 Jpeg Comment Buffer Overflow Analysis), you may already be aware of most of this information.

Here are the simple details of this incident:

  1. It's not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.
  2. It only affects users with Windows XP Service Pack 1.
  3. It does not automatically execute on reading the message. The JPEG must be saved into a local folder, then the mouse pointer must be moved over the JPEG file's icon.
  4. The file is detected by all major antivirus engines with current virus definition files. Because of the nature of the JPEG format, it is impossible to disguise an infected JPEG file. So current signatures should detect ALL future attempts to exploit this vulnerability.
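As an added illustration of why the malformed comment segment in item 4 is so easy to signature, here is a small checker (example code, not SecureWorks' own) that walks a JPEG's marker segments and flags a comment (COM) segment whose length field is below 2, the condition that triggers the MS04-028 GDI+ overflow. The sample byte strings are constructed, not real files.

```python
import struct

SOI = b"\xff\xd8"
EOI, SOS, COM = 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk JPEG marker segments and return a list of findings (empty = clean).

    Every non-standalone segment carries a big-endian 2-byte length that
    counts itself, so any value below 2 is malformed. A COM (0xFFFE)
    segment with length 0 or 1 is the MS04-028 trigger: GDI+ computed
    'length - 2', the subtraction underflowed, and far too much data was copied.
    """
    findings = []
    if not data.startswith(SOI):
        return ["missing SOI: not a JPEG"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker prefix")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between segments, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment header")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            kind = "COM" if marker == COM else f"0xFF{marker:02X}"
            findings.append(f"offset {pos}: {kind} segment length {length} < 2 (MS04-028 pattern)")
            break                   # the rest of the file cannot be trusted
        if marker == SOS:           # entropy-coded image data follows; stop walking
            break
        pos += 2 + length
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_jpeg(data))


# Constructed samples: a benign 8-byte comment and a comment with length 1.
BENIGN = SOI + b"\xff\xfe" + struct.pack(">H", 2 + 8) + b"comment " + b"\xff\xd9"
MALFORMED = SOI + b"\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9"
```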

Usenet newsgroups have a long history of virus/trojan postings. Malware authors have used many tricks over the years to entice readers of newsgroups to click on malicious files. This is just an extension of those attacks, and does not pose any greater risk (it's actually less effective than some other methods, such as the double-extension-with-spaces filename trick). Usenet is a specialized service on the Internet, and tends to cater to long-time users who are wary of these things. The majority of your Internet users today probably don't even know how to utilize Usenet groups - making the total risk even smaller. A larger risk might be JPEG files found on P2P networks.

Even though this particular incident is fairly insignificant, there may be future improvements on the MS04-028 exploits which may allow JPEGs to be executed directly upon viewing a website. Users and companies who are worried about malicious JPEGs should be taking the following steps:

  1. Ensure that gateway and desktop anti-virus engines are up-to-date with the latest virus definitions.
  2. Install recommended patches from Windows Update on all non-XP workstations using Internet Explorer 6.0 SP1, Office 2003, Visio or any of the other programs listed in the MS04-028 bulletin.
  3. Install recommended patches from Windows Update on all workstations using Windows XP SP1.
  4. Formulate a plan to eventually move all XP-based systems to SP2 - there are vast security improvements that make the upgrade very much worthwhile. Buffer-overflow exploits will be tremendously harder to write for XP SP2, and the default firewall settings should improve the current security landscape vastly.
