Hi All,
Avast just found and moved to the virus chest a virus called ‘JPG:MS04-028 [Expl]’
I have sent it over to their lab for research. My question was…should I just leave it in the chest? Will it harm my computer if it stays there? Would deleting it be effective?
Please let me know.
Thanks
CJay
Hello and Welcome chetanjoshi,
The file is in the chest, so it is safe; it cannot be activated or do anything from there.
Usually the recommended option is to leave it in the chest for about a week and re-scan it. If it still shows up as being a virus and the file is not important to the running of the computer, then it can be deleted.
Thanks a lot SPG Scott…I will do as you say. Thanks again.
Also does anyone know anything about this particular virus?
It is an exploit using doctored .jpg image files; more than that I am not too familiar with, but my friend Google is: http://www.google.co.uk/search?q=jpg+exploit.
As for how long to leave a file in the chest, there really is no rush, and a week is probably too short; two, three or more isn’t an issue, as it can do no harm in the chest. Scan again from within the chest and, if it is still detected, then delete it from the chest.
Well, how about that, you learn something every day. I thought a week would be enough. It’s always good to find out something that I can use later on. Thanks, DavidR.
It gives a little longer for any changes in the VPS signatures that might have an impact on the file in the chest, if for instance it was detected by a generic signature like Win32:Trojan-gen (not the case here, but it doesn’t hurt to hold it in the chest for longer).
The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected.
So it is possible to get a false positive detection, in which case you could then restore the file to its original location, so it is best not to delete in haste and repent at leisure.
Hey, I recently uninstalled McAfee because I was not happy with how it was operating on my system. I currently have Windows Vista Home Premium, and I installed your free version of avast Home Edition 4.8 and scanned my computer, all folders including the archived ones, also my entire system, and all my files were fine. So I closed the avast interface and went to look at my family pictures in Windows Photo Gallery, and avast quickly alarmed me that there was malware in multiple JPEG files (the name of the virus is JPG:MS04-028 [Expl]). Please let me know what to do. Avast told me to move it to my virus chest, so I did, but right after the one file was found, many more were also detected with the same infection. I was going to delete them, but figured I should ask you guys first. And also, if I delete the infected files in the chest, does that permanently wipe out the file and the virus? Is this a false positive, is your antivirus program working correctly, are my settings wrong? Please help. Thank you.
Not false positive. It’s a JPEG vulnerability.
http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx
Whilst the vulnerability is there in .jpg files, they have to have been infected at some point.
Deletion isn’t really a good first option (you have none left). ‘First do no harm’: don’t delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them (that is permanent: gone/history/kaput/gone to the digital bit bucket).
The detection may well be correct, but you can check out a couple of the files to confirm the detections.
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here by posting the URL from the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.
Create a folder called Suspect on the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Thank you. But I just tried to look at my photos in Windows Photo Gallery, and your avast antivirus alarmed me again about the malware JPG:MS04-028 [Expl] as a virus. Should I just delete it and wipe it out of the chest? I can’t look at my photos without this happening. Please help, and thank you. Also, what phone number can I reach your customer service at? The number you have on your site does not work; it’s always busy. Also, is that malware type JPG:MS04-028 [Expl] something serious enough to delete out of the chest? Every time I try to view my photos in Windows Photo Gallery, it keeps alarming me with that type of window and says to move it to the chest, and after pressing that button on the alert window, it keeps detecting the same virus JPG:MS04-028 [Expl]??? Please help me. I think it would be best to delete this. What do you think? Thanks again for your quick response. I look forward to hearing from you.
I suggest:
- Disable System Restore and re-enable after step 3.
- Clean your Temporary Files.
- Schedule a boot time scan with archive scanning turned on. If avast! doesn’t detect it, you can try Dr. Web CureIt instead.
- Use SuperAntiSpyware Free, MBAM, or SpywareTerminator to scan for spyware or trojans. If any infection is found, it is best to quarantine rather than delete. (Note: if you use ST, uncheck the toolbar, Crawler, and ClamAV module at installation.)
- Test your machine with anti-rootkit applications. I suggest F-Secure Blacklight or Trend Micro Rootkit Buster.
- Make a HiJackThis log to post here.
- Immunize your system with SpywareBlaster.
- Check if you have insecure applications with Secunia Software Inspector.
My suggestion was to test files already detected that were in the chest, and to first create a folder that you exclude from avast scans, so that you can access them and upload them to VirusTotal without avast going nuts. So please read the instructions again.
I also said there is no rush to delete anything, and nothing has changed.
It isn’t my site; I’m just an avast user like yourself.
Again ‘DON’T DELETE ANYTHING’ (before a full investigation and there is nothing else that can be done) that is final and what ever you delete you have lost for good.
For now, stop viewing your photos; it could be that a piece of malware has infected all your .jpg photos. But we need to first confirm that the original detections are good by uploading some samples to VirusTotal as per my previous instructions. If it is confirmed that the samples (already detected and in the chest) are good detections, which I suspect they will be, we can try and see if there is a way to clean those infected .jpg files.
Whilst this could be serious, you have to take a deep breath and take things slowly, or you could lose all your .jpg files.
If the avast detections are confirmed at VirusTotal, then your only option is to attempt to repair the infected files. This is not a shortcut to bypass all the other things we have suggested but a last resort, so don’t go jumping the gun.
I have been doing some digging to see if there is a tool to repair these infected .jpg files, and there does appear to be one. Usual disclaimer: I have no idea of the effectiveness of this program or whether it might damage the images in the repair function. I just know that the company that designed it, DiamondCS of Australia, is a reputable company. Read the full information on the link below before making your decision to proceed.
DiamondCS JPEGScan is a free, small, fast and easy-to-use scanner that has detection and repair capabilities for JPEG files infected with the MS04-028 exploit - http://www.softpedia.com/get/Antivirus/JPEGScan.shtml
Now, the whole thing about this JPEG exploit is that your system effectively has to be vulnerable (out of date, unpatched) for the exploit to work.
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
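As an added illustration of what a JPEGScan-style detect-and-repair tool has to look for (this is example code written for this thread, not the DiamondCS tool, avast's signature, or anything from the posters above): the MS04-028 bug in the GDI+ JPEG parser is triggered by a segment whose 16-bit length field is 0 or 1. That field counts its own two bytes, so a compliant file never declares less than 2; the vulnerable code subtracted 2 anyway, the value wrapped to a huge number and the heap was overrun. The exploited segment was the comment marker (0xFFFE), which is why the detection name says JPG:MS04-028. The walker below stops at the first bad length because nothing after it can be parsed reliably. The repair step is an assumption of mine, not the DiamondCS method: it drops the malformed segment and resyncs at the next byte pair that looks like a marker, discarding whatever payload sat in between. The sample files are constructed inline so it runs offline.

```python
"""Detect (and best-effort repair) the MS04-028 JPEG trigger: a marker
segment whose declared length is 0 or 1.  Added example for this thread;
not the DiamondCS JPEGScan algorithm and not an avast signature."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7.
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each header segment,
    stopping at SOS (entropy-coded data follows) or EOI.  A declared length
    below 2 is impossible, because the field counts its own two bytes; that
    is the MS04-028 underflow condition, so the walk ends there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte between markers, skip it
            pos += 1
            continue
        if marker in NO_LENGTH:
            yield pos, marker, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if length < 2 or marker == SOS:
            return
        pos += 2 + length


def find_ms04_028(data: bytes) -> list:
    """Return [(offset, marker, length)] for every segment with length < 2."""
    return [(o, m, n) for o, m, n in walk_segments(data) if n is not None and n < 2]


def repair_jpeg(data: bytes) -> bytes:
    """Heuristic repair (my assumption, not DiamondCS's method): cut out the
    malformed segment and resync at the next 0xFF followed by a plausible
    marker byte (0xC0..0xFE).  Bytes in between are attacker-controlled
    payload and are discarded.  If no marker follows, close the file with EOI."""
    bad = find_ms04_028(data)
    if not bad:
        return data
    offset = bad[0][0]
    i = offset + 4                      # skip marker (2) + bogus length (2)
    while i + 1 < len(data):
        if data[i] == 0xFF and 0xC0 <= data[i + 1] <= 0xFE:
            return repair_jpeg(data[:offset] + data[i:])
        i += 1
    return data[:offset] + b"\xff\xd9"


# Constructed sample files (not real images): a JFIF APP0 segment, a comment
# segment, and EOI.  The malicious ones declare a comment length of 0 or 1.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALICIOUS_ZERO = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 0) + b"A" * 32 + b"\xff\xd9"
MALICIOUS_ONE = b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", 1) + b"B" * 40 + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("len0", MALICIOUS_ZERO), ("len1", MALICIOUS_ONE)):
        hits = find_ms04_028(blob)
        print(name, "CLEAN" if not hits else f"MS04-028 trigger at {hits}")
        if hits:
            fixed = repair_jpeg(blob)
            print("  repaired:", fixed.hex(), "clean again:", not find_ms04_028(fixed))
```

Run it against a real file with `find_ms04_028(open(path, "rb").read())`. Only the header segments are walked, so it never touches the compressed image data, and a clean file is returned unchanged by `repair_jpeg`. Remember the point DavidR makes above: the file only does damage on an unpatched system, so patching per the MS04-028 bulletin matters more than scrubbing individual pictures.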