You are not yet protecting against this virus, i have scanned it with your latest updates to no avail FYI
JD
I should have also said this is the new JPEG virus
JD
Hi,
then please submit the file to
virus (at) avast.com
thx…
I have sent the zipped virus to that address
JD
There’s no such thing as “Exploit.Win32.MS04-028.gen virus”.
To date, there’s no “jpeg” virus. Jpegs are indeed exploitable, but avast won’t be “catching” any of them as long as they’re not misused by some malware. And in that case, we’ll be catching the malware, not the exploit.
I received this info today…
"FWIW, the first live sample of a JPEG buffer-overrun virus has been released.
See the following for details:
http://www.easynews.com/virus.txt
Call it what you like but i wouldn’t want it on my PC’s, and kaspersky is detecting it as
"There was a SMTP communication problem with the recipient’s email server. Please contact your system administrator.
<xxxxxxxxx #5.5.0 smtp;554 Sorry, message is infected with Exploit.Win32.MS04-028.gen virus> "
JD
uhuuuhh… ?
Please correct me, Vlk, but iiuc, a specially prepared Jpeg IS in fact the malware:
if it’s opened with an unpatched version of the affected MS components → buffer overflow → arbitrary code can be run under the privileges of the logged-in user…
I gathered that the dangerous Code resides in the JPEG itself… ?
or does it need to call on another file ?
Still, I’d consider that MALICIOUS…
So why should avast not detect it… ?
→ Here: http://www.bsi.de/av/texte/schwachstelle-jpeg.htm
At the bottom of the page you’ll find a TEST file for this; results with Jotti:
AntiVir: TR/Exploit.MS04-28 (1.22 seconds taken)
Avast: No viruses found (4.55 seconds taken)
BitDefender: Exploit.Win32.MS04-028.Gen (2.63 seconds taken)
ClamAV: No viruses found (5.99 seconds taken)
Dr.Web: Exploit.MS04-028 (4.49 seconds taken)
F-Prot Antivirus: No viruses found (0.58 seconds taken)
Kaspersky Anti-Virus: Exploit.Win32.MS04-028.gen (8.72 seconds taken)
mks_vir: No viruses found (2.70 seconds taken)
NOD32: Win32/Exploit.MS04-028 (4.57 seconds taken)
???
> Avast will detect the malware not the exploit
This is true. In simple words: the malware is using a bug (exploit) in Windows. Avast is not checking/scanning Windows for bugs ;) Things that go in the VPS are signatures of malware. That can normally only be done when Alwil gets their hands on the complete malware. As soon as they have that, I’m sure they will add it to the VPS.
Hope this clears this little confusion.
There appears to be a nasty JPEG virus floating around on usenet… details have been posted here
http://www.easynews.com/virus.html
I would think alwil/avast would update their virus defs as the rest of the pack have done so already, and for quite a few days…
It doesn’t take a brain surgeon to detect this one, plenty of examples available on the net, by looking at the JPEG picture headers for certain byte patterns…
Please, Avast, update your virus defs to detect this monster, as if more and more versions get spawned, gawd knows how nasty this could get…
The current JPEG virus payload found on usenet goes and downloads a quite sizeable chunk of files to an infected PC, installs radmin etc… so it’s kinda detectable, plus it connects to the same IP…
just letting you guys know… and hoping that you update your def’s very very soon before this ones gets out of hand.
42 over and out
On September 14, Microsoft released a security update/patch that closes this gap: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx So if you get infected with it, don’t blame it on Avast not detecting it, but on yourself for not keeping your system up to date.
Again!! Visit Windows Update at least once a week and get/install ALL security patches/updates. On the Windows Update site there is also a link to MS Office updates. If you have MS Office installed, visit that one also on a regular basis.
I’m sure Alwil will put this one also in their VPS. But they get so many new things on a daily basis that there has to be a prioritisation between them. Very harmful malware and real security threats will be added first, then the rest will be added. Since there is a patch that will prevent the buffer overrun from this JPEG infection, I can imagine that this will not be priority nr 1 for Alwil to add to the VPS.
Totally correct Eddy,
Let’s deal with the disease and not the symptoms: get your systems checked/patched, then you don’t have to worry about viruses taking advantage of the exploit.
Prevention is much less painful than the cure.
then… how come that many of the other anti-virus vendors have updated their virus defs to include this exploit… ? This exploit is so easy to spot, a certain 4-byte pattern in the JPG header is all it takes.
If you want to see the many files on your system that have potential GDI+ problems (not only MS), go to http://isc.sans.org/gdiscan.php and run their free gdiscan utility… you will be enlightened by the results; there are literally tens of DLLs floating around with this potential problem just waiting to be executed, complicated by Windows having many versions of gdiplus.dll hiding in odd places.
I’m not harping on at avast (their products are excellent), just surprised that it’s taken them so long and still no update to their vps.
If this is not a real security threat, you tell me what is… the ability for a nasty user to email or tell someone to view a JPG from the web/usenet, which in turn gets viewed and exploits a hole and allows injection of whatever code it wants… ???
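Added example, not code from this thread or from any AV vendor, showing what the two posts above mean by looking at the JPEG headers for a byte pattern, and why a bare "4-byte pattern" grep is a weaker check than walking the file's marker segments. Every JPEG segment after SOI carries a 2-byte big-endian length that counts its own two bytes, so a valid value is always at least 2; the MS04-028 condition is a COM (FF FE) segment whose length field is 0 or 1, which the unpatched GDI+ code turned into a wrapped-around size. The sample byte strings below are constructed here (none is a real file or real malware, the "bad" one only carries the malformed length field), and the function names are mine.

```python
import struct

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image


def build_segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF xx, then a 2-byte big-endian length
    that counts itself (so a valid value is always >= 2), then the payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample inputs for this example, not files from the thread.
APP0 = build_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = SOI + APP0 + build_segment(0xFE, b"clean comment") + EOI
# COM marker (FF FE) whose length field is 1: below the minimum of 2, which is
# the malformed-length condition MS04-028 describes. The filler bytes stand in
# for whatever would follow; there is no payload of any kind here.
BAD_JPEG = SOI + APP0 + b"\xff\xfe\x00\x01" + b"A" * 16
# A well-formed file whose APP1 payload happens to contain the same 4 bytes.
FP_JPEG = SOI + APP0 + build_segment(0xE1, b"Exif\x00\x00\xff\xfe\x00\x01xxxx") + EOI


def naive_signature_match(data: bytes) -> bool:
    """The '4-byte pattern' idea from the thread: look for FF FE 00 00 or
    FF FE 00 01 anywhere in the file, ignoring segment structure."""
    return any(sig in data for sig in (b"\xff\xfe\x00\x00", b"\xff\xfe\x00\x01"))


def scan_jpeg(data: bytes) -> list:
    """Walk the marker segments from SOI and return a list of findings.
    Any segment that has a length field but declares a value below 2 is
    flagged, whichever marker it is. Stops at SOS (FF DA) because the
    entropy-coded scan data that follows has no segment structure."""
    findings = []
    if data[:2] != SOI:
        return ["not a JPEG: missing SOI"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected a marker, got 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: done
            break
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers, no length
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment 0xFF{marker:02X}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            findings.append(
                f"offset {pos}: marker 0xFF{marker:02X} declares length {length} "
                f"(below 2, MS04-028 pattern)")
            break
        if marker == 0xDA:                       # SOS: scan data follows
            break
        pos += 2 + length                        # skip marker, length and payload
    return findings


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("bad", BAD_JPEG), ("fp", FP_JPEG)):
        print(name, naive_signature_match(blob), scan_jpeg(blob))
```

The grep-style check fires on the bad file but also on the clean file whose APP1 payload contains those four bytes; the segment walk only examines positions where a length field actually sits, so it flags the bad file and nothing else. It is still only a detector for one malformed-length pattern, not a scanner for whatever payload an exploit might go on to fetch.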
if you consequently follow this line of thought, then
> If this is not a real security threat, you tell me what is
As I said before, the real threat is users who do not keep their system(s) up to date.
> just surprised that it's taken them so long and still no update to their vps.
I’ve sent Alwil 2 (old) viruses. 6 VPS versions later they are not added (yet!). Why? That is easy to answer. Alwil knows where to put priority!!! The ones I sent them are not in the ITW list, they are old, they are not rapidly spreading (almost no spreading at all anymore) and they are not very harmful.
Sure, Alwil can hire 150 extra people (or whatever it takes) just to add everything that is submitted/discovered to the VPS within 1 hour. But who is gonna pay for that? You? I don’t think so. And trust me, I know a lot of malware that other AV applications don’t detect and that Avast does detect.
Let’s stop this all right here and now. Let us just be happy and say positive things about all those people/organisations/companies that are doing their best to help us computer users: MS releasing their security patches, Avast for scanning our systems, Zonelabs, Kerio and others for blocking our ports, etc. etc. Don’t forget that it is the user that is responsible for over 90% of all infected systems.
Hello,
The GDI+ jpeg exploiting virus is in the wild!
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0368.html
If it is ITW then there is only one place to look and that is HERE (The official ITW list)
> There is now a GDI+ jpeg exploiting virus in the wild. It was posted on Mon, 27 Sep 2004 01:25:52 GMT via NNTP to multiple news groups by a single person.
Note that it was just one person who posted that it was ITW, and that person was not someone who maintains the ITW list.
OK, avast is now detecting the exploit (with the last VPS update, 0440-2).
Thanks
Vlk
I knew Alwil wouldn’t let us down ;D ;D ;D
Thanks vlk!
That’s very fine, that avast! detects the exploit.
Do we have to add the file extensions “.jpg” and “.jpeg” manually in the on-access scanner, because I haven’t found these two in the list of “default” extensions?
Maybe this will answer your question.
Interesting article.