Security threats Toolkit

JPEG worm found on Instant Messenger

Tags:
F-Secure,
SANs,
Microsoft,
Jpeg

Dan Ilet ZDNet.co.uk

Published: 30 Sep 2004 17:45 BST

A worm that exploits the recently discovered JPEG vulnerability has been discovered spreading over AOL's Instant Messenger (IM).

Experts at the SysAdmin Audit Network Security (SANS) Institute said that the worm is still in its infancy as it has only received two reports of infection.

"It's been done in the past, but with HTML code instead of the JPEG," said Johannes Ullrich, CTO for SANS' Internet Storm Center, the organisation's online security research unit. "It is a virus, but it didn’t spread very far. We've only had two reports of it."

According to the ISC, the victims read IM messages that directed them to Web sites that hosted the dangerous JPEG images.

The instant messages read: "Check out my profile, click GET INFO!" When visited, the Web site automatically sends malicious code embedded in the JPEG image to the computer, said Ullrich. Once infected with the code, the computer sends the same message to other contacts in the instant messenger list.

The code also installs a Trojan back door that can give hackers remote control over the infected computer. Antivirus expert Mikko Hypponen of F-Secure yesterday warned that the JPEG exploit can also dodge antivirus technology. By default, antivirus software only scans for .exe files. And even if users change the settings on antivirus software, the JPEG file extensions can be manipulated to avoid detection.

"We haven't seen any damage reports of this worm," added Hypponen today. "I've seen some discussion, but our best estimate is that it hasn't got very far."

Microsoft issued a patch for the vulnerability on 14 September, but was unavailable to comment on the worm.

Next week, Microsoft is launching a beta version of its instant messaging product, MSN Messenger. The product will not be available for in the public domain until it has been piloted by a small group of users, the company said.