A great deal of attention is being paid to a supposed "JPEG virus" discovered in a couple of Usenet postings. Because many people are still not familiar with how the current MS04-028 exploits work, much misinformation is being spread in public forums. This advisory is being sent to clear up the facts surrounding the posted JPEG exploit. If you have been following Threat #49 in the LURHQ Sherlock Enterprise Security Portal (MS04-028 Jpeg Comment Buffer Overflow Analysis), you may already be aware of most of this information.
Here are the simple details of this incident:
- It's not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.
- This particular file only affects users running Windows XP Service Pack 1.
- It does not execute automatically on reading the message. The JPEG must be saved into a local folder, and then the mouse pointer must be moved over the JPEG file's icon so that the Windows shell parses the image.
- The file is detected by all major antivirus engines with current virus definition files. The trigger is a JPEG comment (COM) segment whose two-byte length field is smaller than the 2 bytes the field itself occupies, a value no legitimate encoder produces. Because of that, an exploit file cannot be disguised as a normal JPEG, and a signature on the malformed marker should detect ALL future attempts to exploit this vulnerability.
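The detection reasoning behind the last point, as an added example that is not part of the original advisory and not one of LURHQ's tools: a small marker walker that reads a JPEG's header segments and flags any segment whose length field is below the 2-byte minimum, naming the COM case as the MS04-028 trigger pattern. The two sample byte strings are constructed here for the demonstration; the trigger sample reproduces only the malformed header shape a signature keys on, not a working exploit.

```python
import struct

# JPEG marker codes used below (the byte that follows the 0xFF prefix).
SOI = 0xD8   # start of image
EOI = 0xD9   # end of image
SOS = 0xDA   # start of scan: entropy-coded image data follows
COM = 0xFE   # comment segment, the one GDI+ mishandled (MS04-028)
# Markers that carry no length field at all: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk the marker segments of a JPEG and return a list of findings.

    Every non-standalone segment starts with a 2-byte big-endian length that
    counts itself, so a legitimate encoder never writes a value below 2.  A
    COM segment whose length field is 0 or 1 is the MS04-028 trigger: GDI+
    subtracted 2 from it and used the wrapped-around result as a copy size.
    """
    findings = []
    if data[:2] != bytes([0xFF, SOI]):
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker prefix, got 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, the real marker follows
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: segment 0xFF{marker:02X} truncated before its length field")
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            tag = "MS04-028 trigger pattern" if marker == COM else "malformed length"
            findings.append(f"offset {pos}: segment 0xFF{marker:02X} length field {seg_len} < 2 ({tag})")
            break
        if marker == SOS:
            break                   # image data follows; no further header segments to check
        pos += 2 + seg_len
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the marker walk found anything a signature would flag."""
    return bool(scan_jpeg(data))


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed segment whose length field counts itself plus the payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", 2 + len(payload)) + payload


# Constructed sample: a minimal well-formed header with a JFIF APP0 and a comment.
BENIGN_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"hello")
    + bytes([0xFF, EOI])
)

# Constructed sample of the malformed shape: a COM marker followed by a length field of 1.
# Only the header pattern is reproduced here; the bytes after it are filler, not a payload.
TRIGGER_JPEG = bytes([0xFF, SOI, 0xFF, COM, 0x00, 0x01]) + b"A" * 16 + bytes([0xFF, EOI])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("trigger", TRIGGER_JPEG)):
        print(name, scan_jpeg(blob) or ["clean"])
```

The walk stops at SOS because everything after it is entropy-coded pixel data with no length-prefixed segments; the vulnerable parsing happens in the header segments before that point, which is also where a signature scanner spends its time.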
Usenet newsgroups have a long history of virus and trojan postings. Malware authors have used many tricks over the years to entice newsgroup readers to open malicious files. This is just an extension of those attacks and poses no greater risk; it is actually less effective than some other methods, such as the double-extension-with-spaces filename trick. Usenet is a specialized service on the Internet and tends to cater to long-time users who are wary of these things. Most Internet users today probably don't even know how to use Usenet groups, making the total risk even smaller. A larger risk might be JPEG files found on P2P networks.
In other news, the SANS Internet Storm Center reports that there is now a GDI Scan tutorial, which also shows how to interpret the results of the scan.