Topic: JPEG Virus in the Wild
natslovR
Posts: 825
Location: Canberra, Australian Capital Territory
Easynews has caught the first case of a jpeg virus in the wild. You can read about it here. It's nasty, downloading some remote access tools, running them as a service, and connecting you to an IRC channel.

There's more about it on slashdot.

Guess this is just a reminder to be wary of JPEGs now as well and to keep your anti-virus software up to date (AVG is a free virus checker).

The first JPEG to contain the virus was an image posted to a transsexual image group, the second to hetero porn groups.

There was another article earlier in the day on slashdot claiming the Microsoft scanning tool isn't up to scratch, as it only checks for Microsoft-supplied problem files, not any files with the bug that may have been put there by 3rd party software. The tool mentioned in that article as more complete than the Microsoft one is this one, GDIScan.

If the scan shows you have vulnerable files, it means you haven't patched for MS04-028 (or you have but have since installed software that overwrote it?). So go install MS04-028.
Superform
Posts: 2548
Location: Cairns, Queensland
GAWD DAMN
trog
Posts: 15405
Location: Brisbane, Queensland
How do you re-run the tool that checks for vulnerable software?
natslovR
Posts: 826
Location: Canberra, Australian Capital Territory
trog,

since you news'd it, i added the final paragraph about the scanner and fixed up a typo.
CaPt0
Posts: 5534
Location: Brisbane, Queensland
trog, use the MBSA tool.

Microsoft Baseline Security Analyser.
Superform
Posts: 2551
Location: Cairns, Queensland
ok... I scanned and found I have vulnerable versions...

wtf do I do now??
natslovR
Posts: 827
Location: Canberra, Australian Capital Territory
Get the MS04-028 security fix. I'll include the link in the original post.
Irhabi
Posts: 1387
Location: Brisbane, Queensland
The Microsoft Security Bulletin MS04-028 doesn't have a patch for WinXP Pro SP2..
trog
Posts: 15406
Location: Brisbane, Queensland
I don't think XP SP2 is vulnerable

edit: props to natslovr for the comprehensive edit

last edited by trog at 15:39:11 28/Sep/04
Irhabi
Posts: 1392
Location: Brisbane, Queensland
There were a few DLLs that are, but it turns out they belong to Office.
trog
Posts: 15407
Location: Brisbane, Queensland
Yeh, I get a few DLLs reported as belonging to Office (by that non-MS tool), which is sad because OfficeUpdate supposedly fixed me the other day.

I've been confused by everything about this 'fix', MS seem to have handled it completely lamely. I can see lots of pwned computers in the very near future.
natslovR
Posts: 3901
Location: Sydney, New South Wales
The tool i linked to found quite a few things on one of my boxes, which i thought i'd ms04-028'd to do with Visual Studio and Beta versions of MS Server software. Also, stuff in the uninstall area.
trog
Posts: 15409
Location: Brisbane, Queensland
Well, that tool still reports active DLLs in my windows install that look like office files. I have Works 2000 installed. OfficeUpdate supposedly brought me up to date, but not according to this GDI tool!

Edit: oh, actually, I just RTFMed and now know vulnerable DLLs show in red. What a newb I am.

last edited by trog at 16:09:03 28/Sep/04
Superform
Posts: 2558
Location: Cairns, Queensland
well it says i have them in dreamweaver...

so i'm f***ed i guess
möoby
Posts: 2236
Location: UK
didn't these patches come out a few weeks ago?
Opec
Posts: 2274
Location: Brisbane, Queensland
This vulnerability is an absolute pain in the arse. Basically any 3rd party apps that parse the JPEG file will in some way be vulnerable.

If not handled properly it's going to cause mayhem. I'm having a pretty hard time trying to find all the patches for some of the DLLs that GDIScan has found to be vulnerable.

For example:

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL

I've patched my system with the MS patch etc. but I have no idea what/which app uses this DLL :( Tried Google without much luck...

NOT HAPPY JAN.
[Q]
Posts: 7720
Location: Brisbane, Queensland
So according to the MS page as long as you have XP SP2 Windows itself is no longer vulnerable? ie. Opening the jpg in Windows Explorer won't execute the virus?
Opec
Posts: 2275
Location: Brisbane, Queensland
> So according to the MS page as long as you have XP SP2 Windows itself is no longer vulnerable? ie. Opening the jpg in Windows Explorer won't execute the virus?

Yes, if you patched your Windows, any "MS" Windows-related software that relies on the JPEG parser is not vulnerable. However, unpatched 3rd party software that relies on its own JPEG parser might still be. That's why this sucks so bad :(

last edited by Opec at 18:00:35 28/Sep/04
z0r
Posts: 925
Location: Brisbane, Queensland
But doesn't that mean that because Windows itself is patched, the third party software wouldn't be able to "do anything" about it?
Sorry if this is too much of a noob question.
Skitza
Posts: 5695
Location: Brisbane, Queensland
No because different apps use their own different gdi blah. Something like that.
trog
Posts: 15412
Location: Brisbane, Queensland
The way I understand it is, Microsoft released a library of graphics functions that they distributed, I assume as a DLL. Other software writers used this DLL when distributing their software, so by default, that DLL is vulnerable to this exploit.
natslovR
Posts: 3902
Location: Sydney, New South Wales
From what the open letter said, the library people are distributing isn't freely distributable, i.e. you had to have permission to distribute it with your application, so microsoft KNOW which applications were licensed to distribute it, and they should just release a list of applications so that we can see if we are affected and go and harass the application distributor about a patch.
Malthius
Posts: 798
Location: Brisbane, Queensland
I found 1 vulnerable DLL in a program's folder, installed only the other day. Windows / Office Update seems to have done the business on the rest of it.

I just deleted the offending DLL, and it seemed to my non-programmer mind that the program ran fine - I'm assuming it just hooked the safe version of the DLL from the system32 directory?
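To put Opec's and Malthius's findings into one check (an added example written for this page, not GDIScan or any tool from the thread): walk a drive for every copy of gdiplus.dll, read the file version out of the PE version resource, and flag copies that sit outside system32, since those were bundled by a third-party app and are not touched by Windows Update. `$PatchedVersion` is a placeholder; take the fixed file version from the MS04-028 bulletin itself.

```powershell
# Added example, not code from the thread or from GDIScan/MBSA.
# Inventories every gdiplus.dll on a volume and flags bundled / out-of-date copies.
param(
    [string]$Root = 'C:\',
    # PLACEHOLDER: replace with the fixed gdiplus.dll file version listed in MS04-028
    [version]$PatchedVersion = '0.0.0.0'
)

# The canonical copy serviced by Windows Update lives in system32
$systemCopy = Join-Path $env:SystemRoot 'system32\gdiplus.dll'

Get-ChildItem -Path $Root -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Build a [version] from the numeric parts so comparison is numeric, not string-based
        $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            # Older than the patched build: the app that ships it still needs a vendor update
            Vulnerable = ($ver -lt $PatchedVersion)
            # Any copy outside system32 is a private copy bundled with some application
            Bundled    = ($_.FullName -ne $systemCopy)
        }
    } |
    Sort-Object Vulnerable, Bundled -Descending |
    Format-Table -AutoSize
```

The Bundled column is what Malthius ran into: a program-folder copy is loaded in preference to system32, so an app can stay exposed after Windows and Office are fully patched.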
lmnt
Posts: 1312
Location: Brisbane, Queensland
great, another bulls*** waste of time cause some fat nerd cant get laid.
[Q]
Posts: 7722
Location: Brisbane, Queensland
I just re-installed symantec virus maker again and then tried to download the dirty viral jpg in question. Uni licenses are cool.
http://www.q.ausanime.com/upload-files/sav.jpg

Picked it up right away and deleted it before it could even finish.

GG DOCTOR
http://www.q.ausanime.com/upload-files/Norton-jpb.jpg
Rukh
Posts: 530
Location: Brisbane, Queensland
natslovR:

gdiplus.dll is freely downloadable from here.

The library interface for it comes with the freely downloadable Platform SDK.
Superform
Posts: 2620
Location: Cairns, Queensland
madmax... u rock... who would have thought there was so much brains on this forum