Can a .GIF contain a virus?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Can a .GIF contain a virus?

I was sent an email from someone I do not know.  There was no text in
it, just two .GIF files.  The message ID number (using arin.net) was
invalid.  My email software does not view anything except plain text.
HTML is viewed as text too.  I have to manually open attachments too.
Because of this, I was never exposed to any viruses or spyware.
I deleted the message and the gifs, so it's gone.

I used to feel safe opening pictures, but heard that some can now
contain a virus.  Can a .GIF contain one?

Thanks

TJ

Re: Can a .GIF contain a virus?

tjwatkins@nospam.com wrote:

Quoted text here. Click to load it

Maybe.


Chances are it was one of those stock scams where the entire spam
message is in the image file, a picture of text. They do it to get
around text filters.

Quoted text here. Click to load it

At least you are practicing Safe Hex, and are in good shape.

Quoted text here. Click to load it

I'll let someone else answer that.

--
   -bts
   -Warning: I brake for lawn deer

Re: Can a .GIF contain a virus?

Quoted text here. Click to load it

Betcha! And .jpegs too. :-(

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it


Image files such as gif and jpg format contain no executable code, so
how are they supposed to contain a virus?

Re: Can a .GIF contain a virus?

Quoted text here. Click to load it

A brief description. Note the date..2002. They've been around a while.

http://www.internetnews.com/dev-news/article.php/1365871

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it
|
| A brief description. Note the date..2002. They've been around a while.
|
| http://www.internetnews.com/dev-news/article.php/1365871

The W32/PerRun needs an extractor.

Read a previous thread about Trojans being appended to JPEGs but still needing
an extractor.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Can a .GIF contain a virus?

Couple of links re: .gig/.jpeg malware.

http://www.microsoft.com/technet/security/advisory/912840.mspx

http://www.f-secure.com/news/items/news_2004100500.shtml

Re: Can a .GIF contain a virus?


| Couple of links re: .gig/.jpeg malware.
|
| http://www.microsoft.com/technet/security/advisory/912840.mspx
|
| http://www.f-secure.com/news/items/news_2004100500.shtml

That's NOT a virus.  That a vulnererability in the Graphics renderer/GDI+

Most famous is a faux WMF file klnown as the WMF-Exploit.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Can a .GIF contain a virus?

On Wed, 12 Jul 2006 15:00:00 -0500, tjwatkins@nospam.com wrote:

Quoted text here. Click to load it

Too bad you got rid of them. I would have liked to check them out.
See my web site for JPG-SCAN. This scanner detects one particular
series of JPG files containing embedded malicious code. The files
themselves are harmless enough and they can be viewed in a
image viewer. They cannot be Run since they aren't executeable, as
such. It requires companion malware to extract, decrypt and Run
the embedded malicious code.

To answer your question, yes, malicious code can be embedded
in or appended to any file. There's nothing new about that. Some
methods are far more sophisticated than others. In some cases,
the malicious code is "mixed in with" the image portion of the file
in a way that's not too noticeable to the human eye when the
image is viewed. Look up the word "steganography" if you're
interested in reading up on it.

Art
http://home.epix.net/~artnpeg

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it


That makes sense. Thanks Art.

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it

Next time I'll save a file like that and send it to you.

I am looking at your web page and just downloaded the file.

I got a question.  I thought about this right off the bat.
If I get a .JPG or .GIF that does contain malware, and edit it with a
graphic editor (I normally use an older version of Paint Shop Pro),
will the malware still exist in the file after I edit it?  For
example, lets say I get a pic of a dog, and it has "red eye".  So I
open the file with PSP, and darken the red in the eye, and save the
repaired picture.  After I save it, will the malware remain, or did my
editing destroy it?  To fix the red eye, I probably changed 10 pixels
at most.  But what else did I change?  Did I destroy the malware
(assuming it had some).

I'm asking, because if I get a suspicious picture, it's easy enough to
open it in my photo editor, and simply change one pixel along the
border, or in a cloud, or any inconspicuous place, and save the photo.
If the editing destroys any malware, that would be an easy way to
solve the problem. (if it works that way).  I have played with enough
graphics that I know how to change any picture and no one will notice.

TJ

Re: Can a .GIF contain a virus?

On Thu, 13 Jul 2006 02:58:55 -0500, tjwatkins@nospam.com wrote:

Quoted text here. Click to load it

Thanks. My email addy is the README.TXT included in JPG-SCAN.ZIP.

Quoted text here. Click to load it

Clearly, you have in mind one of the more sophisticated steganographic
methods where the code is "mixed in with" the image. Altering the
brightness slightly has been suggested as a possible method of
neutering the malware in that case. But where are you going with
this? Toward a _practical_ and sure-fire method of batch processing
all image files to clean them? Lotsa luck proving it out for all
possible steganographic methods :)    

Quoted text here. Click to load it

As I implied, I'm not aware of any general sure-fire methods along
those lines that can be proven to work in all possible cases.

In the case of the type of image files JPG-SCAN is designed to detect,
the image itself is not "infested". The malicious code is simply
appended to the end of the file. Now, it so happens that if Irfanview
(a freeware image viewer) is used to simply Save the file, it strips
off the appendage, thus neutering the file. But from a practical
POV, it's far better to use my JPG-SCAN program instead of batch
processing all your image files through Irfanview. For one thing,
my scanner doesn't alter your legit JPG files in any way. Irfanview
does. If you choose 100% quality, the file sizes increase by a
large factor without increasing image quality.

So, the idea of using a converter (it's called) is one that's not
easy to follow up on in a practical or simple way. Much work
and theoretical proofs would have to be done. It would be a
enormous task.

Art
http://home.epix.net/~artnpeg


Re: Can a .GIF contain a virus?

On Wed, 12 Jul 2006 15:00:00 -0500, tjwatkins@nospam.com wrote:

Quoted text here. Click to load it

BTW, I failed to mention the usual newbie warning concerning so-called
hidden file extension tricks that are often used. One trick is to pad
the file name with spaces as:

sexypic.gif                                 .exe

where the actual .exe file extension might well be missed in casual
observation. In such cases, the file isn't a image file at all, but
a executeable file.

Another trick is:

sexypic.gif.shs

where Windows hides the .shs (executeble scrap file) extension
and it looks like:

sexypic.gif

Anyway, it looks to me like you have some knowledge of "safe
hex" and you did precisely the right thing by deleting the
unsolicited email attackments :)

Art
http://home.epix.net/~artnpeg

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it

You don't need to put spaces then exe just change the extension from
exe to jpg.  If someone Double Clicks on a file even a file with the
wrong extension it will still launch the program.

Never Double Click on anything you get in e-mail even if its not an
exe file it could still be a virus or a worm.

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it


In what operating system and under what conditions? Seems to me
I've heard of Win XP pulling strange stunts like that where it
examines the file type and will actually execute a file with, say,
a .jpg file extension that's actually a EXE or other executeable
file. But on other (saner) versions of Windows, it goes by file
extension and not file type.

Art
http://home.epix.net/~artnpeg

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it

It will only do that if the "wrong" extension isn't associated with
something else. For example, if Irfanview is associated with jpegs, a
word .doc renamed to .jpg will attempt (and fail) to open in Irfanview
whereas renaming it to .h1z will probably open it successfully in ms
word.


Jim.


Re: Can a .GIF contain a virus?


Quoted text here. Click to load it

I dont understand this.  If I open a file with .JPG extension, my
picture viewer software tries to open it, and gives me an error
message.  I just tried it, using a safe .EXE file (notepad.exe).
I backed up notepad.exe, then renamed the backup file to notepad.jpg.
My photo viewer tried to open it, gave me a blank screen and an error
message that said "Invalid Format".

By the way, I am running Win98SE.

And, yes, I have received several files named something like
something.jpg                  .exe
I watch for that, and they immediately go to the trash.

TJ

Re: Can a .GIF contain a virus?

On Thu, 13 Jul 2006 02:46:12 -0500, tjwatkins@nospam.com wrote:

Quoted text here. Click to load it

In Win 2000 and everything after that Windows using it own software to
run programs unless you change Windows setting.  

Re: Can a .GIF contain a virus?


Quoted text here. Click to load it

That is one of many reasons I do not care to upgrade.  Win98 works
just fine for my needs, since I dont play games or need lots of power.
I like the idea that "I" am still in control of my computer.  I have a
friend that uses XP and is always telling me that her computer does
things she did not authorize, then asks me if I can fix it.  My answer
is NO.  I wont even touch XP.  If it was Win95, 98, or ME, not a
problem....  

Re: Can a .GIF contain a virus?


| Can a .GIF contain a virus?
|
| I was sent an email from someone I do not know.  There was no text in
| it, just two .GIF files.  The message ID number (using arin.net) was
| invalid.  My email software does not view anything except plain text.
| HTML is viewed as text too.  I have to manually open attachments too.
| Because of this, I was never exposed to any viruses or spyware.
| I deleted the message and the gifs, so it's gone.
|
| I used to feel safe opening pictures, but heard that some can now
| contain a virus.  Can a .GIF contain one?
|
| Thanks
|
| TJ

I just received a sample named "UPX.GIF"

BitDefender   7.2   07.16.2006   Dropped:Trojan.Spy.HAKvip.A
DrWeb   4.33   07.15.2006   Trojan.PWS.Lineage
Kaspersky   4.0.2.24   07.16.2006   Trojan-Spy.Win32.Agent.nf
McAfee   4807   07.14.2006   Exploit-CodeBase.chm
Panda   9.0.0.4   07.15.2006   Suspicious file
VBA32   3.11.0   07.15.2006   suspected of Trojan-PSW.Lineage.3

It could be a file that was renamed to .GIF but I haven't really looked at its
contents to
know for sure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Site Timeline