jpeg "infection"

Discussion in 'ESET NOD32 Antivirus' started by coyote2, Apr 7, 2010.

Thread Status:
Not open for further replies.
  1. coyote2

    coyote2 Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    24
    I think I got a jpeg "infection". I understand that's improbable, and at http://antivirus.about.com/od/virusdescriptions/a/perrun.htm I read that the way it could work, is an already infected machine would extract viral code from the jpeg.

    But it all started with some jpegs in the body of an email (I opened with Eudora [the no-longer supported 7.1.0.9]). Eudora ground to a halt. Even after I restored a backup image of the OS, if I put the "infected" Eudora back in and ran it, Eudora was still hosed even though I never opened that message again.

    So I've abandoned hope of (and much interest in) saving the 12 hours of emails I got/sent since the restored backup. And I've implemented the (few) precautions (I hadn't already taken) at http://antivirus.about.com/library/bleudora.htm

    I'm wondering what else I should do to keep this from recurring. For now I've asked the Sender (my sister, via Apple Mail) to please not send me images in email body text.

    The value in HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command
    (mentioned on http://antivirus.about.com/od/virusdescriptions/a/perrun.htm )
    is identical on all 3 of my (Windows XP Pro xp3, fully patched) computers: rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1
    That file shimgvw.dll also has the same Modified Date (4/14/2008 6:42am) on all three machines.
    I wondered if an SFC /scannow would make sure that file was good, but the c:/I386 folder I copied from my Windows install CD doesn't have that dll in it.

    All three machines continue to scan clean with current definitions for:
    NOD32 4.0.314.0
    Spyware Doctor
    Spybot
    Malwarebytes' Antimalware
    Ad-Aware Free
    SpywareBlaster

    Thank you in advance!!
     
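The registry value and the shimgvw.dll Modified date that the first post compares by hand across three machines can be gathered in one step so the results from each machine can be diffed. The following PowerShell script is an added example and is not from the thread or from any product mentioned in it; it assumes Windows PowerShell 2.0 or later (so it uses .NET for SHA-256 instead of Get-FileHash, which XP-era PowerShell lacks), and it takes the expected handler command verbatim from the post. It hashes the DLL as well as reading the Modified date, because a file's timestamp can be preserved when it is replaced while its hash cannot.

```powershell
# Added example, not from the thread: re-check the JPEG open handler the poster
# inspected and fingerprint shimgvw.dll so machines can be compared by hash.
# Assumes Windows PowerShell 2.0 or later.

function Test-JpegHandler {
    param(
        # The value the poster found on all three machines (quoted from the thread).
        [string]$ExpectedCommand = 'rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1'
    )

    $keyPath = 'HKLM:\Software\Classes\jpegfile\shell\open\command'
    $dllPath = Join-Path $env:SystemRoot 'system32\shimgvw.dll'

    # Default value of the key. GetValue('') reads "(Default)" and expands
    # %SystemRoot%-style strings, so a REG_EXPAND_SZ value still compares equal.
    $actualCommand = (Get-Item -Path $keyPath -ErrorAction Stop).GetValue('')

    # Any handler other than the rundll32/shimgvw.dll viewer deserves a look:
    # a changed handler is how the Perrun-style proof of concept was described.
    $handlerMatches = ($actualCommand -ieq $ExpectedCommand)

    # Fingerprint the viewer DLL: version, Modified date and SHA-256 hash.
    $dll = Get-Item -Path $dllPath -ErrorAction Stop
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hashBytes = $sha256.ComputeHash([System.IO.File]::ReadAllBytes($dll.FullName))
    $hashHex = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        HandlerCommand = $actualCommand
        HandlerOK      = $handlerMatches
        DllPath        = $dll.FullName
        DllVersion     = $dll.VersionInfo.FileVersion
        DllModified    = $dll.LastWriteTime
        DllSHA256      = $hashHex
    }
}

# Run on each machine and compare the output; on identically patched systems
# the version and hash should agree and HandlerOK should be True on all of them.
Test-JpegHandler | Format-List
```

Save the output from each machine to a text file and compare the three; a mismatched hash or a HandlerOK of False is the finding worth investigating. On the SFC question in the post: Windows XP install media stores most files compressed with a trailing underscore in the extension (shimgvw.dl_ rather than shimgvw.dll), which is why a copied I386 folder appears not to contain the DLL even though SFC can still use it.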
  2. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    I'm not one of the real experts here, but I'd suggest:

    - if possible, set up Eudora to download and display emails as text only
    (like I did in Outlook 2007)
    - install a behaviour-based scanner like e.g. Threatfire
     
  3. Argonite

    Argonite Registered Member

    Joined:
    Oct 20, 2008
    Posts:
    6
    To my recollection, that proof of concept was at no time exploited in the wild and the vulnerability was patched long ago. My best guess would be the image size is your culprit. Jpegs from today's digital cameras can be quite large for older programs.
     
  4. coyote2

    coyote2 Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    24
    Thank you for your reply, Argonite. But your "image size" theory is even more improbable than mine.

    My email program had handled display of much larger images in the past. And my email program continues to appear badly corrupted (very very slow, and soon freezing) even though I've never opened that email again, and even after restoring a good backup image of my system drive, into which I restore my allegedly infected email program.

    It seems odd that the email program would be so totally and permanently hosed by image sizes it easily handled before.
     
  5. coyote2

    coyote2 Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    24
    Good idea, gambla, I have done that now.
    Oh, I thought NOD32 had behavior-based protection... would adding Threatfire really be a good idea?
     