Jpeg is really a VIRUS!!


uplater (Programmer)
Hi All,
I know that this is probably not the right place to ask this question, but I'm hoping someone here will be able to help.

I've been looking for some info everywhere, starting with the Windows XP Bible (desktop ed.), which I have and think is great, then on the net (Google searches, forum searches, random word searches etc.), and cannot find the answer I'm looking for, so you really are my last resort... so no pressure there or anything ;)

Right, the problem is this:

I have a peer-to-peer file sharing programme on my PC. I get attacked by all the usual viruses, Trojans, key-loggers, adware etc. most times I use it, but as I have Norton firewall and virus protection these prove to be more of a minor nuisance than a genuine threat, so I continue unabated.

About one month ago I downloaded a jpeg; the file name was "2 kittens with bows". I thought my gf would enjoy it; however, when I tried to open it the file name came up as "2 kittens with bows" as well as a huge list of other words like porn, sex, wild, young things... you get the picture, I'm sure. Also, nothing came up in the viewer window other than the "couldn't load file" message.

Fair enough, I thought, and moved it into the trash, only to see it spring straight back to where it had been in the shared folder.

I right-clicked the mouse to delete it from there, but only a limited menu came up; the items were preview, move and edit. The move only moved a shortcut and the edit did nothing at all (the same thing happened with keyboard shortcuts).

I tried to remove it by using Norton Wipe Info, but this did not recognise it as a file. I found a shareware programme called Unlocker which works brilliantly with any other programme or file on my PC but does not seem to see this corrupted jpeg file.

In frustration I deleted the whole file (including the folder called shared files), then replaced the folder in the same place on the C: drive and never really gave it too much more thought.

Then the other night, whilst downloading a jpeg of Laurel and Hardy, the same thing happened. I deleted the shared folder again and that was that; however, I have started to worry that even though I have deleted the folder, the file inside may still be active, as it is actually still intact within the deleted folder and could be working as a virus or Trojan, data miner, key-logger or something else that I am not even aware of.

If you could offer any help or advice I'd be very grateful; even if you reply and say that you've never encountered anything like this before and that you've not got a clue how to help, I'd still appreciate the input, and then I'd know that I need to look elsewhere.

PS: the MS Windows home sites are worse than useless, so don't look towards them for info or advice, unless of course you know something I don't.

Also, I think this is important but don't know why: when I thought about the file being a jpeg I thought I could edit/destroy it with Photoshop, but the rogue file closes Photoshop down instantly; the second you put the cursor over the corrupted file name, Photoshop just shuts down!

Thanks All

Uplater.
 
Sorry for writing such a long message only to forget to mention that I have managed to find out that the jpeg is seen by my PC as a "System Folder". Hope this helps.

uplater.
 
Some time ago there was a discovery of a virus that travelled through images, particularly JPEGs. I haven't encountered any, but these pages have a bit of info on the subject.


In any case, when deleting files you are sure you don't want any more, I suggest using the Shift+Del keys. This way it doesn't go to the Recycle Bin, but gets deleted straight away.



----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
 
Hi Vacunita,
Thank you for the very swift reply. Unfortunately the sites you listed for me did not contain any info that would solve my particular problem. I did write an email to Gretchen Hyman and the JupiterWeb management, so I'm hopeful that they will be able to help me. I'll keep you posted either way.

Kindest Regards, Uplater.
 
Two things pop up in my mind.

1:
Get a copy of Knoppix (or any other LiveCD OS) and boot your PC with it. Connect to the appropriate hard disk and find the guilty JPEG file. Mount the hard disk in read/write mode and delete the file.

2:
What do the virus scanners/spyware scanners say about the JPEG file?
Have you used (in no particular order):
Ewido, Ad-Aware, Spybot Search & Destroy, Windows Defender, Windows Live OneCare, Spy Sweeper, Spyware Doctor, SUPERAntiSpyware, SpywareBlaster?
HTH
 
This isn't a virus; this is a bug if file names are over a certain length.

It's a pain to remove, but, off the top of my head:

Easiest way:
remove all .jpg files from the folder.

Open a DOS prompt and navigate to the folder.

Now do a Del *.jpg

That should do the job.

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
 
Hi PalmTest,
Thank you for the reply/heads-up on the Knoppix disk; that's an idea that quite appeals to me.

As far as the other antivirus, malware, adware etc. programs are concerned, it's as though they cannot see the file at all, or, as they seem to see it as a system folder, simply ignore it.

This goes for HijackThis, Ad-Aware, Norton AntiVirus, aswclnr.exe, Spyware Doctor: all useless. They see it okay, but don't recognise the file type so cannot do anything with it.

Also, the right mouse menu is disabled so I can't select/highlight it for a manual scan, so it really is a very sneaky little .........!

Incidentally, I never thought to mention the size of the files before, but since I've been trying to get to the bottom of this I recovered the old deleted file, and it is listed as 189,298 KB "System Folder" and the other is 64,907 KB SF.

Thanks All.


 
I don't think Stu was referring to the "size" of the file, but more to the "length" of the filename. I seem to recall the same scenario he describes. Check it out and let us know the results.

"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy"
Albert Einstein
 
Hi StuReeves,
Sorry for the out of sequence reply, you posted while I was posting......

Anyhoo, DOS cannot see these files at all; I can get to the folder no problem, but it shows as empty.

I had actually also considered that someone had discovered a bug with the long file name and thought it would be fun to annoy people with it, but when Photoshop shut down the instant I pointed to the file name I thought it must be something more sinister.

Only time (or someone far cleverer than me) will tell, I suppose.

Regs, Uplater.
 
Hi Badfrog,

Thanks for the input. I was posting at the same time as you, so we're out of sync, but have a look at my last reply and see what you think.

At this stage I'm relatively sure this was no accident, as in a bug or corrupted faulty file; there are just too many things against that being the case.

Regs, Uplater.


 
OK, a couple of things then. Have you tried deleting the file in Safe Mode? There is also a handy utility for deleting files that don't want to be deleted. It is called Killbox.exe and can be found here:


Also, you might want to clear your restore points in case any buggers are hiding in there.

Lastly, if you're competent in the system registry, try doing a search for the offending file and see what turns up.



"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy"
Albert Einstein
 
Hi BadFrog,

Yep, been through the registry with the full file name, partials and single words: nothing, zip, nada... can't find any references to the files at all.

I don't really want to do a delete in Safe Mode, as I'm not really sure that doing so would be any better than a straightforward delete of the folder in normal mode.

What I actually want to do is get into the file, find out what it is and destroy it for good.

Imagine opening a jpeg with Notepad, deleting half the file, then saving the rest; this would render that jpeg unreadable: dead, gone forever. I would very much like to do this type of thing to the rogue file on my PC rather than simply deleting it intact onto another part of my hard drive.

This is why the Knoppix idea from PalmTest interests me, as a possible resolution to the situation.

Presumably a file deleted by Linux would be unreadable to Windows.

Regs, Uplater.
 
Knew it was about somewhere:

thread96-1044878

My Old reply:
StuReeves (MIS) 17 Mar 05 12:33
"Can you drag and drop it on the recycle bin?
Can you in Explorer highlight the file, shift-Del ?
Can you in Explorer right-click on the file, Delete ?"

"Or, try using double quotes. e.g.:

C:> del "very long file name.ext" "
*******************************************

I've found some files that cannot be deleted either way; I believe it's when they are over 256 characters long, and it is used on some dodgy-type peer-to-peer downloads (hint: involves britneynakedpokemon etc. etc.).
The only effective way I found is:

do a dir,
and if nothing has a similar beginning, try a
del filename*.* type command, e.g.

Thisisthelongfilenamthatgoesonandoneetcetc.exe

do a
del thisisthe*.*


Stu..



Only the truly stupid believe they know everything.
Stu.. 2004

A Bcastner Link:



Only the truly stupid believe they know everything.
Stu.. 2004
 
Hi Stu,
you're a good man; that *.* tip works no problem as far as delete is concerned... however, I could not edit it in DOS (using DOS's own inbuilt editor), as DOS tells me it cannot open the program, and I'm getting increasingly paranoid the more I mess around with this seemingly invincible file!!!


So where exactly does the file go when DOS deletes it? Is it still intact, the way it would be if I had deleted it in Windows (sent it to the Recycle Bin)?

What do you think, worth worrying about?

Uplater.

 
Have you come across this in your travels?

JPEGScan
A Free Detection & Repair Scanner for
Exploit.MS04-028 (GDIPlus JPEG Vulnerability)



It is a shame you couldn't catch the file and zip it up and post it to your security scanning program's creators for them to analyse the file and therefore better handle it.
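Uplater's wish to get inside the file and find out what it actually is, and Linney's pointer to a scanner for the MS04-028 GDI+ JPEG bug, both come down to reading the JPEG marker structure. The Python below is an added example, not code from the thread and not JPEGScan: it walks the marker segments of a file, reports whether the bytes are a JPEG at all (a renamed executable or a junk file fails the first check whatever its .jpg extension), and flags a COM or APPn segment whose declared length is 0 or 1, the malformed value publicly described as the MS04-028 trigger (the vulnerable GDI+ code subtracted the two length bytes without checking, and the subtraction wrapped). The three byte strings at the bottom are constructed inputs, not files from the thread.

```python
"""Minimal JPEG marker walker with an MS04-028 (GDI+ comment length) check.

Added example; not code from the thread or from JPEGScan.  The sample byte
strings at the bottom are constructed, not files from the thread.
"""
import struct
import sys
from dataclasses import dataclass, field

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}   # markers with no length field
_NAMES = {COM: 'COM', SOS: 'SOS', EOI: 'EOI', 0xC0: 'SOF0', 0xC2: 'SOF2',
          0xC4: 'DHT', 0xDB: 'DQT', 0xDD: 'DRI'}


@dataclass
class JpegReport:
    is_jpeg: bool
    segments: list = field(default_factory=list)   # (marker name, declared length)
    findings: list = field(default_factory=list)   # human-readable problems


def marker_name(m: int) -> str:
    if 0xE0 <= m <= 0xEF:
        return f'APP{m - 0xE0}'
    return _NAMES.get(m, f'0x{m:02X}')


def scan_jpeg(data: bytes) -> JpegReport:
    """Walk the header segments up to SOS/EOI and report structural problems."""
    # Whatever the extension says, a JPEG begins with the SOI marker FF D8.
    if data[:2] != b'\xff\xd8':
        return JpegReport(False, findings=['no SOI marker: not a JPEG'])
    rep = JpegReport(True)
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            rep.findings.append(f'byte 0x{data[pos]:02X} at offset {pos} where a marker should be')
            break
        while pos < len(data) and data[pos] == 0xFF:    # FF fill bytes are legal padding
            pos += 1
        if pos >= len(data):
            break
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            rep.segments.append((marker_name(marker), 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            rep.findings.append(f'{marker_name(marker)} at offset {start} has no length field')
            break
        (length,) = struct.unpack('>H', data[pos:pos + 2])
        rep.segments.append((marker_name(marker), length))
        # The length counts its own two bytes, so 0 or 1 is impossible in a real
        # file.  GDI+ (MS04-028) computed length - 2 unsigned and kept copying.
        if length < 2:
            rep.findings.append(f'{marker_name(marker)} at offset {start} declares length '
                                f'{length} (< 2): MS04-028 underflow trigger')
            break
        if pos + length > len(data):
            rep.findings.append(f'{marker_name(marker)} at offset {start} length {length} '
                                'runs past end of file')
            break
        if marker == SOS:
            break            # entropy-coded scan data follows; headers are done
        pos += length
    return rep


# Constructed samples: a structurally valid header, a malformed one, and a file
# that is not a JPEG at all (a PE executable renamed to .jpg starts like this).
BENIGN = (b'\xff\xd8'
          + b'\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'  # APP0, len 16
          + b'\xff\xfe\x00\x07hello'                                           # COM, len 7
          + b'\xff\xd9')
MALFORMED = b'\xff\xd8' + b'\xff\xfe\x00\x00' + b'A' * 16 + b'\xff\xd9'
NOT_JPEG = b'MZ\x90\x00' + b'\x00' * 60

if __name__ == '__main__':
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else MALFORMED
    report = scan_jpeg(blob)
    print('JPEG:', report.is_jpeg)
    for name, length in report.segments:
        print(f'  {name:6} length {length}')
    for finding in report.findings:
        print('  !!', finding)
```

Run it as `python jpegwalk.py suspect.jpg`; with no argument it scans the constructed MALFORMED sample. The walker stops at the first SOS marker on purpose: everything a viewer needs to decide how to decode the image is in the segments before it, and that is where a length-field trick has to live.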
 
Hi Linney,

Cheers, I downloaded JPEGScan this morning and tried to scan the files, but no joy; it cannot "see" them either, although interestingly the "scan with JPEGScan" command does show up in the mouse right-click menu.

Good idea about asking Symantec to help; I thought of that myself and tried to compress it with WinRAR, which recognises it OK. In fact it was WinRAR that let me know that my PC was identifying the file as a System Folder, but it cannot do anything with it; everything I try, it comes back with error reports:

"The System cannot find the path specified"
or
"no files to add to zip" etc.

back to square one, Ho-Hum....

Regs, Uplater.
 
I had a similar problem with a file when I ran an FTP server in the past. Someone uploaded a file that caused me all the same grief you're going through.

The way I finally got rid of it was by using the 8.3 short name from a DOS prompt! All Windows files still have this 8.3 short name; you just don't see it usually, but it's there.

I was able to delete the file using this name (finally) and it was gone for good.

You only need to know the first 6 characters of a file name in order to use the short 8.3 file name. For example, for a file named this:
thisismylongassfilename.txt
the short 8.3 filename would be:
thisis~1.txt
and it could be deleted with the DOS command:
del thisis~1.*

Hope this helps.
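As an added example (not code from the thread or from any poster), the Python below shows the two mechanisms behind Stu's `del thisisthe*.*` and lhuegele's `del thisis~1.*` tricks: the 8.3 short alias Windows keeps beside an over-long name, and the `\\?\` extended-length path prefix that lets a program address a name the Win32 shell layer trims, rejects or truncates. `why_shell_chokes` lists the usual reasons such a name is untouchable from Explorer (path over MAX_PATH, trailing dot or space, reserved device name). The short-name function follows the standard VFAT/NTFS derivation for the first candidate (~1); a real volume may have picked ~2 or ~3 if the first six characters collided, so confirm with `dir /x`. The names and paths in it are constructed. Only `delete_stubborn` touches the disk, and it refuses to run anywhere but Windows.

```python
"""Addressing a file whose name the Win32 shell layer cannot handle.

Added example, not from the thread.  Names and paths below are constructed.
"""
import os
import re
import stat

MAX_PATH = 260   # Win32 limit (counting the terminating NUL) for plain, non-\\?\ paths
_RESERVED = {'CON', 'PRN', 'AUX', 'NUL',
             *(f'COM{i}' for i in range(1, 10)), *(f'LPT{i}' for i in range(1, 10))}
# Anything outside this set is dropped when Windows generates an 8.3 alias.
_NOT_SHORT_SAFE = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def why_shell_chokes(full_path: str) -> list[str]:
    """Reasons Explorer, del and most GUI tools may refuse a name that the
    filesystem itself stores without complaint."""
    name = full_path.rsplit('\\', 1)[-1]
    stem = name.split('.', 1)[0].upper()
    reasons = []
    if len(full_path) >= MAX_PATH:
        reasons.append(f'path is {len(full_path)} chars, over MAX_PATH ({MAX_PATH})')
    if name != name.rstrip(' .'):
        reasons.append('name ends in a space or dot, which Win32 silently trims')
    if stem in _RESERVED:
        reasons.append(f'base name {stem} is a reserved device name')
    return reasons


def short_name_candidate(long_name: str, seq: int = 1) -> str:
    """The 8.3 alias Windows most likely generated for long_name.

    VFAT/NTFS rule: uppercase, drop spaces and unsafe characters, keep the
    first 6 characters of the base name, append ~seq, keep 3 characters of the
    last extension.  Names that already fit 8.3 get no alias and come back
    uppercased.  seq is a guess; `dir /x` shows the real value.
    """
    raw_base, dot, raw_ext = long_name.rpartition('.')
    if not dot:
        raw_base, raw_ext = long_name, ''
    base = _NOT_SHORT_SAFE.sub('', raw_base.upper())
    ext = _NOT_SHORT_SAFE.sub('', raw_ext.upper())
    fits = (base == raw_base.upper() and ext == raw_ext.upper()
            and len(base) <= 8 and len(ext) <= 3)
    if fits:
        return base + (f'.{ext}' if ext else '')
    return f'{base[:6]}~{seq}' + (f'.{ext[:3]}' if ext else '')


def extended_path(path: str) -> str:
    r"""Prefix an absolute Windows path with \\?\ so the Win32 API hands it to
    the filesystem verbatim: no MAX_PATH limit, no trailing-dot/space trimming,
    no reserved-device-name interpretation.  UNC paths become \\?\UNC\...
    """
    if path.startswith('\\\\?\\'):
        return path
    if path.startswith('\\\\'):
        return '\\\\?\\UNC\\' + path[2:]
    return '\\\\?\\' + path


def delete_stubborn(directory: str, prefix: str) -> list[str]:
    r"""Windows only: enumerate `directory` through \\?\ (so over-long entries
    come back) and remove every entry whose name starts with `prefix`, the
    thread's `del thisisthe*.*` idea done through the API.  Returns the names
    removed."""
    if os.name != 'nt':
        raise OSError('delete_stubborn needs Win32 extended-length paths; run it on Windows')
    root = extended_path(os.path.abspath(directory))
    removed = []
    for name in os.listdir(root):
        if not name.lower().startswith(prefix.lower()):
            continue
        target = root + '\\' + name
        os.chmod(target, stat.S_IWRITE)          # clear the read-only bit first
        if os.path.isdir(target):
            os.rmdir(target)                      # the "System Folder" case, if empty
        else:
            os.remove(target)
        removed.append(name)
    return removed


if __name__ == '__main__':
    for name in ('thisismylongassfilename.txt', '2 kittens with bows.jpg', 'nul.jpg'):
        print(f'{name!r:34} -> {short_name_candidate(name)}')
        print('   shell issues:', why_shell_chokes('C:\\shared files\\' + name) or 'none')
```

The reason a file like this survives Explorer, Photoshop and the scanners is that they all go through the same Win32 path-normalising layer, while `dir` with a wildcard, the 8.3 alias, the `\\?\` prefix, or a Linux LiveCD mounting the NTFS volume all bypass it and address the directory entry directly.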
 
Hi lhuegele,

Done as you suggested, and you were right the files went no prob!

I feel that, as I deleted them from DOS, they will be "dead" as far as Windows is concerned, so I won't worry about them "lurking" on my hard drive.

I know there is no need to worry about such things (I hope) but I suppose that’s the whole point of them in the first place?

Anyhoo, thanks for that tip, my desktop is looking a lot better now that the plague ridden folder has been banished!!(LOL).

Regs, Uplater.

PS, a very big thank you to all of you that took the time to help, it’s very much appreciated.

Also, if anyone has any further info on how I could actually get into one of these files and dissect it then I assure you it would be gratefully received.
 
Hi Uplater,

Glad to hear the nasty file is gone.
Have you tried Knoppix to look into the file?
You might even try an eCom LiveCD.
This upgrades you back (!?) to the marvellous world of OS/2.
You might even share the folder and let an Apple connect to it and inspect the file from the Apple.
(I don't know any LiveCDs running BeOS or NeXTSTEP, otherwise I'd suggest them as well ;-))
 
Hi PalmTest,

Thanks for the input I really appreciate it.
Unfortunately I was having trouble getting the Knoppix disk to download properly and put it to the back of my mind, then ended up deleting the nasty file from DOS.

I have now got Knoppix from BitTorrent but don't have the nasty file to look at any more (DOH!).

I would like to say, though, that the Knoppix disk is a revelation. I'd always been interested in Linux/Unix but tended to believe the propaganda against Linux, i.e. no good drivers available, can't use USB or up-to-date video cards, blah blah blah... nonsense; this disk/product is amazing and blows all of the lies and misinformation clean out of the water!

In actual fact, since I downloaded it I have been looking around at the various operating systems available and have gotten hold of DesktopBSD,


and it is awesome as well.

It is totally free and works like a charm.
I also tried FreeBSD but did not have so much success with it, so I would recommend that if you are going to try it, look at the DesktopBSD version first.

All the best in the New Year,
Uplater.
 