Last night I accidentally misspelt a website I wanted to go to and got stuck in a redirect to a search engine page. While this was happening Norton popped up saying that one of the gif files that IE was downloading to display the webpage had a virus. I went and checked it out on their site and it was something to do with that file changing your home page. I scanned my system after doing a live update, but it didn't find anything. Anyone else ever run into this?
Virus from a .GIF file?
-
I haven't run into that but I read an article the other day which talks about viruses being spread by JPEG files. The JPEG viruses need a separate launcher.
The world just changed, Sep. 11, 2001
-
GT,
Are you sure that it wasn't something like .gif.vbs or .gif.js?
-[Ch]ams
From McAfee Avert FAQs:
11. Can JPG, GIF, etc be infected?
When these files are internally the JPG or GIF files for example, these are specific types of data files, and have no executable code or macros in them. They cannot be infected with viruses. However, worms and trojans will sometimes make it appear as though their files are harmless data files by adding an extension such as JPG before its true extension. Or else, once a trojan or worm has been run, they will change the file associates for common data-file extensions to run its own executable code. However, the file internally will be executable code rather than data as in a true JPG or GIF file.
-[Ch]ams
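The two disguises described in the FAQ quoted above (a data extension placed before the true one, and executable content behind an image name), as an added check that is not part of any post in this thread. The extension list and the sample files are constructed for the example.

```python
import os

# Final extensions that Windows runs as code (subset chosen for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Data-file extensions and the magic bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def assess(filename, head):
    """Return a list of findings for one file name and its first bytes."""
    findings = []
    stem, last_ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    # Case 1: picture.gif.vbs, a data extension placed before the true one.
    if last_ext in EXECUTABLE_EXTS and inner_ext in IMAGE_MAGIC:
        findings.append("double extension: runs as " + last_ext)
    # Case 2: named as an image, but the content is not image data.
    if last_ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[last_ext]):
        if head.startswith(b"MZ"):
            findings.append("content is a DOS/PE executable, not " + last_ext)
        else:
            findings.append("content does not match " + last_ext + " signature")
    return findings

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("banner.gif", b"GIF89a\x01\x00\x01\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.gif.vbs", b"On Error Resume Next"),
    ("logo.gif", b"MZ\x90\x00\x03\x00\x00\x00"),
]

def scan(samples):
    """Map each sample file name to its findings."""
    return {name: assess(name, head) for name, head in samples}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "ok")
```

Leading bytes only establish the file type; they say nothing about data appended to a genuine image.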
-
Originally posted by [Ch]amsalot
... When these files are internally the JPG or GIF files for example, these are specific types of data files, and have no executable code or macros in them. ...
-
I remember reading about this as well. Somebody actually found a hole in the jpeg processing libraries, but I don't know if it amounted to anything more than a buffer overflow.
Gigabyte P35-DS3L with a Q6600, 2GB Kingston HyperX (after *3* bad pairs of Crucial Ballistix 1066), Galaxy 8800GT 512MB, SB X-Fi, some drives, and a Dell 2005fpw. Running WinXP.
-
I searched for where I saw the article when I originally replied but I couldn't locate the article. I think it was in a Bay Area paper in the last few weeks.
-
*ahem*
In my experience, newspapers and programs on TV are less well informed than the average schmuck. In other words, it's a hoax. TRUST me on this one.
- Gurm
The Internet - where men are men, women are men, and teenage girls are FBI agents!
I'm the least you could do
If only life were as easy as you
I'm the least you could do, oh yeah
If only life were as easy as you
I would still get screwed
-
It's certainly possible to imbed code as data in a JPEG file. Look at the use of digital watermarks and the fed's concern over covert communications embedded in digital pictures. Why wouldn't a virus writer develop a way to exploit this capability?
-
Ya know. My cousin said to start wearin rubber gloves when smurfing for prOn on the internet . She was right!
Dang now people are ketchin viruses and stuff from those pictures
dj
My Packurd bell 166Megahurtz runnin at 233 on a ABIT ITH5 muther board,
128MB EDO ECC RAM and a hole bunch of other cool stuff.
-
Originally posted by Gurm
... In other words, it's a hoax. TRUST me on this one.
A simple Google search pulled up the article as the first hit. Here it is.
W32/Perrun description on Network Associate site
Method Of Infection
The virus arrives in the form of a 11,780 byte PE file. When run on the victim machine, the 5,636 byte extractor component (EXTRK.EXE) is dropped (to the current directory). Both files are written in Visual Basic 6, and packed with UPX. The following Registry key is modified in order that JPEG file execution is hooked:
HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
Subsequently, when JPEG files are executed, the extractor component checks if the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.
The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
Last edited by xortam; 26 June 2002, 15:27.
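The open-handler change in the quoted W32/Perrun description, turned into an audit of a handler listing, as an added example that is not part of any post in this thread. The listing is constructed and uses the notation of the description; the `EXPECTED` allowlist and the verdict names are assumptions of the example.

```python
import ntpath
import re

WATCHED = {"jpegfile", "txtfile"}            # classes named in the write-up
PERRUN_NAMES = {"extrk.exe", "textrk.exe"}   # extractor names from the write-up
# Assumption: programs this example accepts as normal handlers; tune per system.
EXPECTED = {"rundll32.exe", "notepad.exe"}

KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$", re.I)
VALUE_RE = re.compile(r'^"\(Default\)"\s*=\s*(.+)$')
EXE_RE = re.compile(r'^(?:"([^"]+)"|(\S+))')

def handler_exe(command):
    """Return the lower-cased file name of the program a command line starts."""
    m = EXE_RE.match(command.strip())
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2)).lower()

def audit(listing):
    """Return (file class, command, verdict) for each watched open handler."""
    results, current = [], None
    for line in listing.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        value = VALUE_RE.match(line)
        if value and current in WATCHED:
            exe = handler_exe(value.group(1))
            verdict = ("perrun-extractor" if exe in PERRUN_NAMES
                       else "ok" if exe in EXPECTED else "unexpected-handler")
            results.append((current, value.group(1), verdict))
    return results

# Constructed listing in the notation of the quoted description.
SAMPLE = r"""
HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = C:\Downloads\EXTRK.EXE %1
HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = %SystemRoot%\system32\NOTEPAD.EXE %1
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```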
-
The way I understand this, the real virus about that is the extractor, and opening the JPGs on an uninfected machine wouldn't do anything? If so, this isn't really new... If not, it's scary
AZ
-
It's a multi-component virus which requires both the extractor and the infected JPEG file to do its nasty deed.