Most interesting case: Infection by "JPGs"

Hey guys!
Thanks for giving me some of your time!
I lately stumbled upon one weird thing, my USB got infected by a weird virus that multiplies by JPGs!
Avast doesn’t recognize it as a virus tho.
So, I would like to leave it to the experts to see whether it is really dangerous or not.
PS: For clarification, these files are not real JPGs, open them with Notepad.
PS²: Again for clarification, the JPGs are just the source to something weird, they can’t infect without the Autorun file.
http://jmp.sh/YCxfVYQ

Free USB protection and cleaning: MCShield http://www.mcshield.net (used by this forum's malware removal team)

Scan of your files https://www.metascan-online.com/#!/results/file/a13ee4f0d2324f979b08996da374d146/extracted

Samples sent to the avast lab :wink:

thanks for samples

I have a Windows XP machine (Oracle VM) with 512 MB of memory.
Avast did not detect it.
I sent it yesterday; nothing to date.

The LNK shortcuts, when submitted to VirusTotal, had their name changed to wscript.exe and were then compressed into a zip, and this is always normal behavior on removable media.

We do not currently have a VBS file and, as usual, the infection parts of the image where there are folders with shortcuts have the following attributes:

C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode img.jpg

new to me

http://i.imgur.com/JuKsIiY.png

img.jpg Trojan.VBS.Agent.PU

https://www.virustotal.com/en/file/9cd998d2b75dd97b4a9475e79595e68c236ecc5d8c6818fc761643f8ff69a434/analysis/1450401392/

Photo0.jpg

https://www.virustotal.com/en/file/dce4667bb40f3bd57f80ad3131a14ec553dca0a30ca43511b5a7af0af32519d7/analysis/1450401498/

photos.jpg

https://www.virustotal.com/en/file/bdf363c6fb31563a6af8fc00cf8ff1fb012bcdd80b20677f28f3f2d2e3a2bd50/analysis/1450401569/

Administrateur.lnk

https://www.virustotal.com/en/file/8e6f85b68e90b1ac9b49955c3178fadb4fb1c067aa58255218f0415b38c0f90e/analysis/1450400164/

Nouveau.lnk

https://www.virustotal.com/en/file/bd59fe6221c9dc3af7040a6fd9f2e0df538a5dee67a6fabe17a342ac08ffae44/analysis/1450400389/

Nouveau Dossier.lnk

https://www.virustotal.com/en/file/145c2cc5f09799e227f8d81b33e5bbf8804533ea798a2c519b15e609aac5489b/analysis/1450400516/

I created detections for the files, and blocked the URL which it connected to (hxxp://bahaty.com/red/1.php)
Thanks for reporting it!

URL is blocked, confirmed the update VPS 191215-0
6 files now included

Photo0.jpg - VBS:Agent-BOJ [Trj]
photos.jpg - VBS:Agent-BOK [Trj]
img.jpg - VBS:Agent-BOL [Trj]
Administrateur.lnk - Other:PUP-gen [PUP]
Nouveau.lnk - Other:PUP-gen [PUP]
Nouveau Dossier.lnk - Other:PUP-gen [PUP]

autorun.inf is detected with Other:Malware-gen [Trj]

I confirmed the files will be detected (reclassified) in the new VPS:

Administrateur.lnk - LNK:Agent-H [Trj]
Nouveau.lnk - LNK:Agent-H [Trj]
Nouveau Dossier.lnk - LNK:Agent-H [Trj]

Confirmation that avast is detecting it:
https://www.virustotal.com/en/file/f9ee2c3b4d37c506099e827c0ba2d2e761cb81e403f96250c9e581b55fde8838/analysis/1457519579/
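
The pattern described in this thread (files named .jpg that are really encoded VBScript, shortcuts whose target runs `wscript.exe /e:VBScript.Encode`, and an autorun.inf) can be triaged on a removable drive with a small scanner. This is an added example, not code from any poster or from avast; the function names are hypothetical, and the `#@~^` check assumes the samples carry the standard Microsoft Script Encoder header, which the thread does not show.

```python
import os
import sys

JPEG_MAGIC = b"\xff\xd8\xff"      # every real JPEG starts with these bytes
ENCODED_SCRIPT_MARKER = b"#@~^"   # header of Script Encoder output (assumption)
LNK_INDICATORS = ("wscript.exe", "VBScript.Encode")  # from the shortcut target in the thread

def fake_jpeg_reason(data):
    """Return why a .jpg is suspicious, or None if it has a JPEG header."""
    if data.startswith(JPEG_MAGIC):
        return None
    if ENCODED_SCRIPT_MARKER in data[:4096]:
        return "no JPEG header; contains encoded-script marker #@~^"
    return "no JPEG header"

def lnk_reason(data):
    """Return which script-host strings a shortcut holds (ASCII or UTF-16LE)."""
    lowered = data.lower()
    hits = [s for s in LNK_INDICATORS
            if s.lower().encode("ascii") in lowered
            or s.lower().encode("utf-16-le") in lowered]
    return "references " + ", ".join(hits) if hits else None

def scan_drive(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536)   # headers and LNK strings sit near the start
            except OSError:
                continue                    # unreadable file: skip, do not abort the scan
            ext = os.path.splitext(name)[1].lower()
            reason = None
            if ext in (".jpg", ".jpeg"):
                reason = fake_jpeg_reason(data)
            elif ext == ".lnk":
                reason = lnk_reason(data)
            elif name.lower() == "autorun.inf":
                reason = "autorun.inf present on removable media"
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

if __name__ == "__main__":
    for rel, why in scan_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {why}")
```

Run it against the mounted drive from a machine with autorun disabled; a hit is a reason to submit the file for analysis, not a verdict.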