September 30, 2004 12:17 PM PDT

Image virus spreads via chat

A virus that exploits the recently discovered JPEG vulnerability has been discovered spreading over America Online's instant-messaging program.

Experts at the SysAdmin Audit Network Security, or SANS, Institute said the virus is still in its infancy, with the institute having received only two reports of infection so far.

"It's been done in the past, but with HTML code instead of the JPEG," said Johannes Ullrich, chief technical officer for SANS' Internet Storm Center, the organization's online-security research unit. "It is a virus, but it didn't spread very far. We've only had two reports of it."

According to the Internet Storm Center, the victims received AOL Instant Messenger messages that directed them to Web sites that hosted the dangerous JPEG images.

The instant messages read: "Check out my profile, click GET INFO!" When visited, the Web site automatically sends malicious code embedded in the JPEG image to the computer, Ullrich said. Once infected with the code, the computer sends the same message to other contacts in the instant-messenger list.

The code also installs a back door that can give hackers remote control over the infected computer. Antivirus expert Mikko Hypponen of F-Secure warned on Wednesday that the JPEG exploit can also dodge antivirus technology. By default, antivirus software only scans for .exe files. And even if users change the settings on antivirus software, the JPEG file name extensions can be manipulated to avoid detection.

"We haven't seen any damage reports of this worm," Hypponen added on Thursday. "I've seen some discussion, but our best estimate is that it hasn't got very far."

Microsoft issued a patch for the vulnerability on Sept. 14 but was unavailable to comment on the virus.

Next week, Microsoft is launching a beta version of its instant-messaging product, MSN Messenger. The product will not be available to the public until it has been tested by a small group of users, the company said.

Dan Ilett of ZDNet UK reported from London.

1 comment

Join the conversation!
Add your comment
aolclient program takes control
I having a problem on my computer and so far cannot find anything on the net to help me. Im not sure I can give all relevant information and in the correct order, by maybe by starting a dialog someone can help me clarify and figure out where to look. Let me also say that I am up to date on my security patches from Microsoft as of last week when I installed the latest 10. I am running Windows XP. I am typing this at work, so I dont have all my screen captures with me, but can send later if it helps.

Last night I updated my Mcafee. Next I ran Spybot and it found one item to delete. Ran Adaware and it found 64 tracking cookies to delete and 4 or 5 entries of an exploit/Byte that it quarantined. <I am at work now, but can get a screen shot to give specific names tonight, if that helps> I have had these exploit/bytes and tried the fix which was to disable the restore
function and restart after the quarintine, but they still appear on this scan and quarantine. I also ran the Microsoft Antispyware scan and all was fine there.

Later in the evening after being away from my computer and returning to it. I found maybe 4 messages on the screen looking to be from the aol instant messenger program, not the message box, but an alert kind of box... gray with a blue top border. Also the aol-im program box was on the screen, the one that you sign in on. The message reads as follows: AIM hyperlink you clicked on may require you to be online to work. Please log in first. I did not click ok, I closed the box.

As best I can remember after I closed the message box about signing on, I received an alert from the Microsoft Antispy saying a program/process
(dont remember exact wording) was trying to run. Did I want to block or allow. I remember the program was aol client or possible aolclient. As it was aol and it was up, I said Allow. THIS is probably one of the mistakes.
This also could have been after or while I was signing onto aol-im...the exact time this happened escapes me now.

I then signed onto my aol-im. Within a few minutes my away message box opens. At the top left is my name and then next was Valentine Inside the message box was a link to click. I believe from memory that it had a .pif extension. <I have a screen capture of this message box at home> Of course at no time did I click that link. I added my screen name to my buddy list
and sure enough, it showed the note pad by my name as if I had an away message running. If I close this away message box &lt;by the X at the top
right&gt; it eventually comes back after a few minutes. There are other people in the house that use this and if I switch to their screen names, it happens with their accounts too.

Things I did or noticed afterwards:
1) Usually when we select our screen names, our passwords are saved. I believe the second time I logged on, I had to enter my password. The first
time, I think it was there. My privacy setting was to let anyone contact me vs my normal setting of only people on my buddy list.
2) I cannot bring up my task box while this is happening. After I contol, alt, delete it appears but by the time I can click it, it is gone.
3) I restarted a couple of times and get a message from my AntiSpyware with Microsoft that I had opted to allow a program to start, a changed setting, I believe. I went into that area of the program and told it to block the program now. I am able to end a process via the spyware program. I find this in my running start up process: C:\windows\system32\aolcleint.exe
I can end the process there. When I end the process, my aol still works and I can use the control, alt, delete to get to the task manager and it doesnt disappear now.
4) I called Microsoft and do have a case#. But after being on hold for a long time and it winding into midnight, I hung up. At least I have a case number to refer to and can try again.
5) After turning off the computer, I turned off the internet connection at my cable modem.
6) I didnt think of looking at my add and delete programs to see if aolclient appears.
7) I filled out a form at aol/im security page trying to explain the problem.

That is pretty much my story to date. I have searched google for aolclient and find nothing. I was just sent this link.

Again, others in family use the computer. I told them of the problem, they didnt seem to have anything to add. They could have visited a site and had this whole problem start. Dont know for sure...the above is all I know for now.

Any help is appreciated as I am coming up blank. Thanks!
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.