30

I just received a .jpg file that I'm almost positive contains a virus, so I have two questions about what I am able to do with the image.

My first question originates from the fact that I opened the file once and the program I used to open it gave the error "invalid or corrupt image". So I want to know whether or not it's possible a virus contained inside the image could still have been executed if the software did not 'fully' open the image?

My second question is if there is any way to decode/decompile the image data in order to better view its contents. Currently I'm using Notepad++, I just opened the file and am looking at its raw contents, which is one of the reasons why I'm so confident it's a virus:

[screenshot of the file's raw contents as shown in Notepad++]

So is there a better way to find out what the virus does and how it works? I need to know whether or not my security has been compromised.

EDIT:

Reasons why I think it contains a virus:

  1. It's way bigger than the image I was expecting
  2. Scan
  3. Looking at contents in Notepad (file)
  4. The way the person who gave me the file acted
Glorfindel
kmecpp
  • 9
    May I ask why you are so certain the file contains a virus? It's pretty rare for image files to contain one. OTOH it's much more often to find an executable file 'posing' as image, by having a name `something.jpg.exe` and counting on stupid default windows settings to hide the real extension. – Torinthiel Nov 28 '15 at 21:16
  • 1
    @Torinthiel hah that's actually a neat way to get around that windows 'feature' but no, I have it set to display file extensions. As for why I'm so confident it's a virus: 1) It's way bigger than the image I was expecting 2) Scan: http://bit.ly/1MWP9Ni 3) Looking at contents in notepad: http://kmecpp.com/factionbase.txt 4) The way the person who gave me the file acted – kmecpp Nov 28 '15 at 21:31
  • @kmecpp Even if you enable file extensions, unicode filename reversal can be used to hide that fact. – forest Jul 15 '18 at 00:39

5 Answers

39

Based on the description at Virustotal you've linked to, this is in reality not an image, but a real PE32 executable (a normal Windows executable). So only the file name extension was changed to hide the real purpose of the file.

PE32 files will not be automatically executed when they have the .jpg extension, as in this case. Also the image viewer which will be invoked with the file by default will not execute the code but instead exit or complain that this is not a valid image.

Thus this file would not work alone. But such files are typically used together with another file which will rename it to name.exe and execute it. This can be done by some batch file, with the help of the Windows Scripting Host ActiveX inside a website or mail or similar. This strategy is used to bypass antivirus and firewalls which might skip analyzing the "jpg" file because of the extension and will not find anything suspicious in the accompanying script (which only renames the file and executes it).

...if there is any way to decode/decompile the image data

Again, this is not an image but an executable so the tool of choice could be some disassembler, debugger, sandboxed execution etc. See also the analysis from Virustotal.

Steffen Ullrich
  • 2
    As far as disassembly, that bit of text in the screenshot looks suspiciously like a .NET class. And the linked text has references to `mscoree.dll` and `mscorlib`. So I'd try a .NET decompiler first (e.g. ILSpy). – Bob Nov 28 '15 at 23:45
  • Actually, one can just open it with Notepad++ (this is where it gets different from what the O.P. did) **before** doing anything else, copy the first human readable characters and google them. ZM and MZ indicate a Windows Executable. JFIF indicates a jpeg image. PNG is used for, well, png images. – Ismael Miguel Nov 29 '15 at 02:41
  • 14
    I opened up the text file and the first human readable thing I see is `This program cannot be run in DOS mode.` Totally an image file. – cat Nov 29 '15 at 04:59
  • 1
    @sysreq Well, I don't know how the O.P. let something **so visible** escape. For real! But I was talking in the first 4-8 bytes. Still, I don't know how something like that escaped the O.P.. – Ismael Miguel Nov 29 '15 at 12:56
  • 2
    @sysreq: It is easy to embed into a JPEG file a string and it should be possible to embed a whole PE32 binary (as fake thumbnail or similar). So just the occurrence of this string somewhere inside the file means not much, whereas the first magic bytes of the file indicate much better what kind of file this is (but beware of ZIP or PDF files which can have junk at the beginning). Not everything which looks obvious is actually true. – Steffen Ullrich Nov 29 '15 at 13:12
  • 1
    At the bottom of the file it says "O r i g i n a l F i l e n a m e f a c t i o n b a s e . e x e" and a product version of 1.0.0.0. An interesting image for sure. – Spotlight Nov 29 '15 at 15:12
  • 1
    FYI the executable does not need a valid executable extension to be executed. – user69874 Oct 09 '16 at 05:02
  • @user69874 is right. It's explorer.exe that makes the decision to invoke a program configured to open the file based on its extension. The Windows command line cmd.exe first tries to execute everything. Therefore, there's no need for renaming before running it from a .bat, .cmd etc. – Esa Jokinen Mar 09 '19 at 08:02
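The answer identifies the file as a PE32 executable and Bob's comment suggests it is .NET (`mscoree.dll`, `mscorlib`). The following is an added example, not code from the answer or its commenters, that confirms both from the file headers alone, without running anything: it follows `e_lfanew` to the `PE\0\0` signature, reads the optional-header magic, and checks whether the CLR runtime header data directory (index 14) is populated. `build_sample` constructs a minimal PE32 header inline purely so the check can be exercised offline.

```python
import struct

E_LFANEW_OFFSET = 0x3C           # offsets/constants from the PE/COFF specification
OPTIONAL_MAGIC_PE32 = 0x10B
OPTIONAL_MAGIC_PE32PLUS = 0x20B
DIR_CLR_RUNTIME_HEADER = 14      # data directory index of the CLR (.NET) header


def pe_summary(data: bytes) -> dict:
    """Describe a PE file from its headers alone; nothing is executed."""
    info = {"is_pe": False, "format": None, "machine": None, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info          # "MZ" alone is not proof; the NT signature must follow
    info["is_pe"] = True
    coff = e_lfanew + 4      # COFF file header: 20 bytes
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    info["machine"] = machine
    opt = coff + 20          # optional header starts right after the COFF header
    if opt_size < 2 or opt + opt_size > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == OPTIONAL_MAGIC_PE32:
        info["format"], dir_off = "PE32", 96      # data directories at +96
    elif magic == OPTIONAL_MAGIC_PE32PLUS:
        info["format"], dir_off = "PE32+", 112    # and at +112 for PE32+
    else:
        return info
    n_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    clr = opt + dir_off + 8 * DIR_CLR_RUNTIME_HEADER
    if n_dirs > DIR_CLR_RUNTIME_HEADER and clr + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", data, clr)
        info["is_dotnet"] = rva != 0 and size != 0   # non-empty CLR header = managed code
    return info


def build_sample(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header with no sections; not a real program."""
    buf = bytearray(0x98 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x80)
    stub = b"This program cannot be run in DOS mode."   # the text quoted in the comments
    buf[0x40:0x40 + len(stub)] = stub
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, exe
    struct.pack_into("<H", buf, 0x98, OPTIONAL_MAGIC_PE32)
    struct.pack_into("<I", buf, 0x98 + 92, 16)            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", buf, 0x98 + 96 + 8 * DIR_CLR_RUNTIME_HEADER, 0x2008, 72)
    return bytes(buf)
```

As Steffen notes in the comments, the DOS-stub string on its own proves nothing; `pe_summary` only reports `is_pe` once the NT signature is found where `e_lfanew` points.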
12

Re. question 1:

This does not look like a JPG at all. It has the magic "MZ" characters at the beginning of the file that signify "Windows Portable Executable File". Also your VirusTotal report points in that direction: simply an EXE file that does not actually have ".EXE" as the file name suffix.

In contrast a JPG file should have the following four non-ASCII-printable bytes at the very beginning of the file: ff d8 ff e0

So any image viewer that does even the most basic checking of its input file should detect this straight away and not even try to process any further. Therefore I don't think it's likely that you infected your computer by trying to open that file with an image viewer.

Re. Question 2:

See above. It's not an image file at all. And there is no simple instruction for executable reverse engineering. It's complicated stuff.

I suggest you just upload it to all the online anti virus scanners that you can find. Some of them run sandbox environments and will give a report on what the process tried to change. (You may have to rename the file to have the ".EXE" suffix before you do that. So be careful. Or better yet: rename and submit it from a Linux or Mac machine that can't even execute Windows EXEs by accident.)

Update 2016-11-21: Some scan results

StackzOfZtuff
5

"So I want to know whether or not it's possible a virus contained inside the image could still have been executed if the software did not 'fully' open the image?"

Given the other answers say that it is a PE executable, it's very unlikely that you've done anything harmful by opening it in an image editor/viewer. Image viewers generally look at the first few bytes of a file to determine its file type and then bail with an error if it doesn't match known signatures. The introduction of most file formats is what is known as a "magic number" - almost every file format has one. Magic numbers allow readers to perform a sanity check on the file data before attempting to process garbage.

If it were a legitimate image file, it is important to note that there have been buffer overflows over the years that exploited the way certain image parsers worked in various software libraries. A few exploits were discovered a few years ago for crafting a special image to exploit various library weaknesses in some of the most popular libraries out there that image editing and viewing software uses. Obviously, as holes are discovered, they are patched but it is up to each software vendor using the library to update their software and then every user of that software has to update the software. That process can take significant time to complete.

But in your case, no, it's probably just a badly named EXE and your machine is probably just fine. Which also likely means that everyone they spammed with that message received an equally malformed filename and the recipients also can't open it. Malware delivery fail. Score one for stupid.

My second question is if there is any way to decode/decompile the image data in order to better view its contents?

There are tools to dissect PE files (high level section breakdown). Looks like .NET might be involved in this case. I've not had to do any disassembling in a while. There are both free and commercial reverse-engineering tools out there for .NET binaries. Obviously, if you pay money for a tool like that, it will generally be significantly better than the free tools.

That all said, if you think your machine has been compromised, disconnect it from all networks and probably turn it off until you can reinstall the OS. The last thing you want/need is Cryptowall and a bonus rootkit to get installed. Reinstalling an OS is the only option these days for a malware infestation. Most of the malware deployed via e-mail today are just small downloaders for going and getting more malware from the Internet. Once there is a small foothold, it is game over for the OS.

Finally, don't open strange attachments from weird people.

CubicleSoft
1

If you are sure the file contains a virus, then yes, it's possible that even with this message the virus might have been activated. E.g. buffer overflow in your image viewing program. Exact answer depends however on the exact virus mechanism and exact program.

As for better viewing - use any hex editor as a first step. But note that whatever tool you use it requires a lot of specific skill to properly analyse a virus, a lot of knowledge about OS, libraries, file formats and programs one uses.

Torinthiel
0

As far as I remember, the only way to execute a virus in a jpg file is a specific Windows vulnerability involving a special RTL (right-to-left) character in the filename, which will cause the filename to be parsed right to left. If for example you got the file with any name similar to exe.whatever.jpg or tab.whatever.jpg, you might be facing this. The application might also be written to have the same icon that Windows Photo Viewer has, and the attack is pretty disguised.

Rápli András
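Pulling together the checks the answers and comments describe (StackzOfZtuff: classify by the leading bytes rather than the name; Torinthiel: the `something.jpg.exe` double extension; the answer above: a right-to-left control character in the file name), here is an added example that is not from any of the posters. The signature table is limited to the formats the thread mentions; for JPEG only `ff d8 ff` is fixed, since the fourth byte names the first application segment (e0 for JFIF, e1 for Exif). The file names and byte strings are constructed samples.

```python
import os

# Leading byte signatures; the file name plays no part in classification.
SIGNATURES = {
    "pe": (b"MZ",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TYPES = {".exe": "pe", ".dll": "pe", ".scr": "pe",
                   ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes; 'unknown' if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if head.startswith(magics):
            return kind
    return "unknown"


def check_file(name: str, head: bytes) -> dict:
    """Compare what the name claims with what the bytes say, and flag name tricks."""
    stem, ext = os.path.splitext(name)
    actual = sniff(head)
    claimed = EXTENSION_TYPES.get(ext.lower(), "unknown")
    return {
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != "unknown" and claimed != actual,
        "double_extension": os.path.splitext(stem)[1].lower() in EXTENSION_TYPES,
        "rlo_in_name": RLO in name,
    }


# Constructed samples: only the leading bytes matter, the rest is padding.
SAMPLES = {
    "picture.jpg": b"MZ\x90\x00" + b"\x00" * 60,               # PE named as an image
    "holiday.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 60,          # genuine JPEG (Exif)
    "holiday.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,            # double extension
    "holiday" + RLO + "gpj.exe": b"MZ\x90\x00" + b"\x00" * 60,  # shown as holidayexe.jpg
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(repr(name), check_file(name, head))
```

Only `mismatch` needs the file's bytes; the two name checks can be run on a directory listing before anything is opened.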