Can a virus infect an image file format?

Okay, maybe this is a stupid question, but I have to ask.
Avast has detected the Win32:Aris virus in 3 of my files. all of them are TIFF (.tif extension)images that I created with photoshop. The files can be opened with PS no problem.

Is it safe to assume that Avast reporting a false positive here?

Wait for user Vlk to answer this. He may want a copy of your files to double check. He’s on the Avast Staff and a moderator on this board.

Interesting question, really.

Some more Q’s:

  1. What are the names of the viruses?
  2. What sensitivity did you use for the scan? Thorough?
  3. Are the files huge? Could you send them for analysis? virus@avast.com

Thanks
Vlk

I have mailed avast with this question before,…they said a jpg itself cannot be infected,…but a script and/or trojan horse/worm virus can be attached to it,…so it seems harmless at first,…

The link i sended: http://www.museen.org/janina.jpg

DO NOT CLICK THE LINK :smiley: - if you open this with IE it does something to your Windows Media Player,…opening this with mozilla firebird gives you the pop up that the file is corrupted,…

Slightly O/T, since djcross originally posted about TIFF’s, but …

Interesting, John. I was certain I’d seen, maybe a couple of years ago in some computer magazine or another, similar news out of CERT (I think that’s the right org. - “official” computer security?) that they’d made an interesting and potentially serious discovery in their labs.

They’d found that viruses and/or worms could be “piggybacked” onto JPG’s, which of course most a-v scanners will just ignore. My son told me I was crazy, since JPG’s essentially just a compression format, but I’m inclined to think the guys at CERT know a little more about such things than he does. :wink:

They did say, though, that they had no reason to believe it had ever been done except in their own labs.

Best,
Mike

In all three files it’s the same virus: Win32:Aris

2. What sensitivity did you use for the scan? Thorough?
Yes - Thorough
3. Are the files huge? Could you send them for analysis? virus@avast.com
The files are fairly large, between 30 and 60 MB each. I can send you the smallest one, as long as you don't mind such a large email attachment. I could also make it available via FTP. I could probably reduce the file size significantly if I compress it, but I don't know if that might potentially be a problem (given that they are reportedly 'infected'). Please advise.

I’m interested to know that it might actually be possible for a virus to exist within an image format. However - if this is the case I wonder where the virus might have originated. I created these files based on source files from a client, but a thorough scan of my system didn’t identify any other infected files (including the source of these images).

The files are fairly large, between 30 and 60 MB each. I can send you the smallest one, as long as you don't mind such a large email attachment. I could also make it available via FTP. I could probably reduce the file size significantly if I compress it, but I don't know if that might potentially be a problem (given that they are reportedly 'infected').

OK, TIFFs are known to compress very well. Please ZIP one of the files and put it on your FTP server. Then send its URL to the virus labs - virus@avast.com, putting a link to this thread in the message body.

I'm interested to know that it might actually be possible for a virus to exist within an image format. However - if this is the case I wonder where the virus might have originated. I created these files based on source files from a client, but a thorough scan of my system didn't identify any other infected files (including the source of these images).

By definition, a virus is a piece of code (either directly machine code or some kind of pseudocode). Therefore it cannot be contained in files such as plain text, plain graphics bit etc., provided these are not further interpreted as code by some application (e.g. batch files or vbs scripts in case of plain text).

It’s generally impossible for the AV to a priori know if a given file is going to be interpreted as code or not. Therefore, the only thing that remains is to treat all files (especially when scanning with the highest sensitivity) as possibly code-containing.

Many today’s formats (e.g. Office files [Word Excel etc], mail files, etc.) are also able to contain embedded objects - files of other types than themselves. It is a virtue of any AV to be able to detect those.

Specifically, I’m not sure about TIFFs. I’ve the impression that these files are really plain image-bits only, but let’s wait for the virus guys to find out more.

Vlk

TIFFs are known to compress well?
Well, TIFF is a kind of format similar to AVI, or even worse - in the sense that it can contain almost anything - compressed data (lossy/lossless), uncompressed data, many possible formats… I’m not sure if any software supports all the extensions that a TIFF may have (In fact, GIF is another one of these).

OK, I was refering to the ‘classic’ 30+ MB TIFFs…

TIFF’s (Tagged Image File Format) are mainly used in the printing industry (CMYK, pantone,Truematch,…)because it has no dataloss if you save it,…even if you use the LZW compression. TIFF also has the ability of saving layers (when working with Photoshop).

This format is not build for internet purpose,…
GIF, JPEG, PNG are the most advisable extentions concerning images.

GIF => color table of 256 (0-255) colors + able to add animation, transparency,…
JPEG => save with a compression level: miljons off colors are embedded even if the image only contains 3 colors,…
PNG => combination off GIF and JPG,…but not really popular,…cause older browsers do not really support this format. (IE4)

maybe a bit off topic,… :slight_smile: but maybe some of you appreciate it :smiley: