Re: Can Exploit-ANIfile.c infect JPG files?



On Thu, 19 Apr 2007 14:40:53 -0400, "Russell L. Smith" <r dot l dot

A recent VirusScan log showed that VirusScan found a JPG file on my web site
infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
bulletin, the info on the McAfee site, and searched the net - I can find no
mention of this virus infecting JPG files. Can anybody point me to
documentation that mentions this virus infecting JPG files? Thanks for your
assistance.

You can put an exploit into any type of file.

Whether it will "get traction" depends on whether the OS is smart
enough to refuse to pass it to the exploitable surface.

For example, a smart OS will say "hey, this file is named as if it
were a .JPG file, yet this content is ANI" and then, being aware of
this, it will say "I'm NOT passing this content to the ANI
interpreter, I'm stopping right here with an alert".

A really stupidly-designed OS will say "oh look, here's some ANI
content that's been named as a .JPG; I guess this is just an honest
mistake, I'll pass it to the ANI handler".

Guess which behavior is likely with Windows?

I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
about .JPG; I know that a previous WMF exploit did indeed spread to
.JPG, as a classic example of absent type discipline that greatly
enlarges the risk when some file format is found to be exploitable.


You may be able to knock some sense into Windows. Look in the details
of IE's security settings, for "open based on content, not extension".
Yep, that is set to ENABLED by duuuuuhfault for the Internet Zone and
presumably Trusted, Intranet and "My Computer", too. It is set to
Disabled for Restricted Zone, so there's at least some clue that this
is risky behavior... but hey, we can trust the Internet, right?


-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
----------------------- ------ ---- --- -- - - - -
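
The extension-versus-content check described in the reply above, as an added example that is not part of the original post: it walks a directory (such as a web root) and reports files whose leading bytes do not match what the file name claims, for example ANI content named .JPG. The function names, the extension table and the sample headers are assumptions constructed for this illustration, and only leading signatures are inspected.

```python
import os

# Constructed sample headers (leading bytes only, no real payloads).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00"
SAMPLE_ANI = b"RIFF\x24\x00\x00\x00ACONanih"

# Extension -> content type the name claims (hypothetical table for this example).
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".ani": "ani",
           ".cur": "cur", ".ico": "ico", ".wmf": "wmf"}

def sniff(head: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    if head[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if head[:4] == b"RIFF" and head[8:12] == b"ACON":
        return "ani"                      # RIFF container, form type ACON
    if head[:4] == b"\x00\x00\x01\x00":
        return "ico"
    if head[:4] == b"\x00\x00\x02\x00":
        return "cur"
    if head[:4] == b"\xd7\xcd\xc6\x9a":
        return "wmf"                      # placeable WMF header only
    return "unknown"

def check(name: str, head: bytes):
    """Compare what the file name claims with what the content is."""
    claimed = CLAIMED.get(os.path.splitext(name)[1].lower())
    actual = sniff(head)
    if claimed is None:
        return ("skip", actual)           # extension not in our table
    return ("ok" if actual == claimed else "mismatch", actual)

def scan(root: str):
    """Return (path, actual_type) for every name/content mismatch under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict, actual = check(name, fh.read(16))
            if verdict == "mismatch":
                findings.append((path, actual))
    return sorted(findings)

if __name__ == "__main__":
    for path, actual in scan("."):
        print(f"{path}: content looks like {actual}")
```

A mismatch is a reason to quarantine and inspect the file, not proof that it carries an exploit; a truncated or corrupt image is also reported, with type `unknown`.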