I think I got a jpeg "infection". I understand that's improbable, and at http://antivirus.about.com/od/virusdescriptions/a/perrun.htm I read that the way it could work is that an already infected machine would extract viral code from the jpeg. But it all started with some jpegs in the body of an email (I opened it with Eudora [the no-longer supported 7.1.0.9]). Eudora ground to a halt. Even after I restored a backup image of the OS, if I put the "infected" Eudora back in and ran it, Eudora was still hosed even though I never opened that message again. So I've abandoned hope of (and much interest in) saving the 12 hours of emails I got/sent since the restored backup. And I've implemented the (few) precautions (I hadn't already taken) at http://antivirus.about.com/library/bleudora.htm

I'm wondering what else I should do to keep this from recurring. For now I've asked the Sender (my sister, via Apple Mail) to please not send me images in email body text.

The value in HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command (mentioned on http://antivirus.about.com/od/virusdescriptions/a/perrun.htm) is identical on all 3 of my (Windows XP Pro SP3, fully patched) computers:

rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1

That file shimgvw.dll also has the same Modified Date (4/14/2008 6:42am) on all three machines. I wondered if an SFC /scannow would make sure that file was good, but the C:\I386 folder I copied from my Windows install CD doesn't have that dll in it.

All three machines continue to scan clean with current definitions for:
- NOD32 4.0.314.0
- Spyware Doctor
- Spybot
- Malwarebytes' Anti-Malware
- Ad-Aware Free
- SpywareBlaster

Thank you in advance!!
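An added check that is not part of the thread: a PowerShell script (PowerShell 2.0 or later, which runs on XP SP3) that reads the jpegfile handler value quoted above, prints the version of shimgvw.dll, and computes its SHA-256 so the file can be compared across the three machines by content rather than by Modified Date. The key path and DLL path are the ones from the post; the expected handler string is assumed to be the rundll32/shimgvw.dll line the post quotes.

```powershell
# Added example, not from the thread. Compare the JPEG open handler and the
# shimgvw.dll binary across machines. Assumes PowerShell 2.0+ on XP SP3.
$cmdKey = 'HKLM:\Software\Classes\jpegfile\shell\open\command'
$dll    = Join-Path $env:WINDIR 'system32\shimgvw.dll'

# 1. Handler string: should still point at the Windows Picture and Fax Viewer
#    entry quoted in the post (assumed expected value).
$handler = (Get-ItemProperty -Path $cmdKey).'(default)'
Write-Host "jpegfile handler : $handler"
if ($handler -notmatch '^rundll32\.exe .*shimgvw\.dll,ImageView_Fullscreen %1$') {
    Write-Warning 'Handler differs from the expected shimgvw.dll entry.'
}

# 2. File version and size of the viewer DLL (same values expected on each box).
$ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll)
$info = Get-Item $dll
Write-Host ("shimgvw.dll      : {0}  ({1} bytes, modified {2})" -f `
            $ver.FileVersion, $info.Length, $info.LastWriteTime)

# 3. SHA-256 of the file contents. Modified Date can be set freely; the hash
#    cannot, so identical hashes on all three machines is the stronger check.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($dll)
try     { $bytes = $sha.ComputeHash($stream) }
finally { $stream.Close() }
$hash = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "SHA-256          : $hash"
```

A matching hash on all three machines only shows the copies are identical, not that they are genuine; XP system files are catalog-signed rather than embedded-signed, so for a signature check use a catalog-aware tool such as Sysinternals sigcheck rather than Get-AuthenticodeSignature on that platform.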
I'm not one of the real experts here, but I'd suggest:
- if possible, set up Eudora to download and display emails as text only (like I did in Outlook 2007)
- install a behaviour-based scanner like e.g. Threatfire
To my recollection, that proof of concept was at no time exploited in the wild and the vulnerability was patched long ago. My best guess would be the image size is your culprit. Jpegs from today's digital cameras can be quite large for older programs.
Thank you for your reply, Argonite. But your "image size" theory is even more improbable than mine. My email program had handled display of much larger images in the past. And my email program continues to appear badly corrupted (very, very slow, and soon freezing) even though I've never opened that email again, and even after restoring a good backup image of my system drive, into which I restore my allegedly infected email program. It seems odd that the email program would be so totally and permanently hosed by image sizes it easily handled before.
Good idea, gambla, I have done that now. Oh, I thought NOD32 had behavior-based protection... would adding Threatfire really be a good idea?