JPEG Virus

Leonardo Helman mailscanner at LISTS.COM.AR
Tue Sep 28 15:59:05 IST 2004


Copy&paste from clamav site:

 ClamAV JPEG Exploit (MS04-028) Detection
    nervoso - 2004-09-28 06:30   -   Clam AntiVirus
ClamAV 0.80rc3 successfully detects JPEG files with modified comment section that allows attackers to remotely execute arbitrary code on unpatched Windows machines.


I was running the stable version, 0.75-1, but it didn't catch this.
I didn't have trouble with the upgrade (from sources); the rpm
isn't there yet.



On Tue, Sep 28, 2004 at 10:10:35AM -0400, Jeff A. Earickson wrote:
> I went to the web site, downloaded the virus they had posted, and
> fed it to both Sophos and Clam (08.80rc3).  Both detected it, as:
>
> === Checking virus-jpeg.zip with Sophos sweep
> >>>Virus 'Exp/MS04-028' found in file virus-jpeg.zip/possibleVirus.jpg
>
> === Checking virus-jpeg.zip with ClamAV clamscan
> Scanning virus-jpeg.zip
> virus-jpeg.zip: Exploit.JPEG.Comment FOUND
>
> So at least the anti-virus people are not snoozing...
>
> Jeff Earickson
> Colby College
>
> On Tue, 28 Sep 2004, Spicer, Kevin wrote:
>
> >Date: Tue, 28 Sep 2004 09:35:36 +0100
> >From: "Spicer, Kevin" <Kevin.Spicer at BMRB.CO.UK>
> >Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: JPEG Virus
> >
> >Looks like the first jpeg virus has hit.  There's a discussion going on
> >on Slashdot right now.  Easynews found it in a couple of usenet posts.
> >See here for their analysis....
> >http://www.easynews.com/virus.html
> >
> >
> >
> >BMRB International
> >http://www.bmrb.co.uk
> >+44 (0)20 8566 5000
> >_________________________________________________________________
> >This message (and any attachment) is intended only for the
> >recipient and may contain confidential and/or privileged
> >material.  If you have received this in error, please contact the
> >sender and delete this message immediately.  Disclosure, copying
> >or other action taken in respect of this email or in
> >reliance on it is prohibited.  BMRB International Limited
> >accepts no liability in relation to any personal emails, or
> >content of any email which does not directly relate to our
> >business.
> >
> >
> >
> >------------------------ MailScanner list ------------------------
> >To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >'leave mailscanner' in the body of the email.
> >Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> >the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >




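For MS04-028, the "modified comment section" in the ClamAV announcement quoted above is a JPEG COM segment (marker 0xFFFE) whose two-byte length field is below 2, the minimum needed to cover the length field itself. The following is an added example, not part of the thread and not ClamAV's or Sophos's code, that walks a file's markers and reports such a segment; the function name and the sample byte strings are constructed for illustration.

```python
import struct

SOI, EOI, COM = 0xD8, 0xD9, 0xFE
# Markers that carry no length field: TEM and RST0..RST7.
STANDALONE = {0x01, *range(0xD0, 0xD8)}

def find_bad_comment(data: bytes):
    """Return the offset of a COM segment with declared length < 2, else None.

    Raises ValueError if the data does not begin with a JPEG SOI marker.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, n = 2, len(data)
    while pos + 4 <= n:
        if data[pos] != 0xFF:
            pos += 1                      # entropy-coded data: resync on next 0xFF
            continue
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker == 0x00 or marker in STANDALONE:
            pos += 2                      # stuffed 0xFF00 or length-less marker
            continue
        if marker == EOI:
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            if marker == COM:
                return pos                # the condition the scanners flag
            pos += 2                      # malformed non-comment segment: keep walking
            continue
        pos += 2 + length                 # skip marker plus declared segment
    return None

# Constructed samples (header fragments only, not decodable images).
BENIGN = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
MALFORMED = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
             + b"\xff\xfe\x00\x00" + b"AAAA" + b"\xff\xd9")
AFTER_SCAN = (b"\xff\xd8" + b"\xff\xda\x00\x08" + bytes(6)
              + b"\x12\xff\x00\x34" + b"\xff\xfe\x00\x01" + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("malformed", MALFORMED),
                       ("after-scan", AFTER_SCAN)]:
        print(name, find_bad_comment(blob))
```

A check like this only covers the one structural anomaly; it complements, rather than replaces, an up-to-date scanner and the vendor patch.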