Can Exploit-ANIfile.c infect JPG files?

  #1  
Old 20-04-2007
Russell L. Smith
 
Posts: n/a
Can Exploit-ANIfile.c infect JPG files?

A recent VirusScan log showed that VirusScan found a JPG file on my web site
infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
bulletin, the info on the McAfee site, and searched the net - I can find no
mention of this virus infecting JPG files. Can anybody point me to
documentation that mentions this virus infecting JPG files? Thanks for your
assistance.


  #2  
Old 20-04-2007
jen
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

"Russell L. Smith" <r dot l dot smith at caci dot com> wrote in message
news:eUfoGJrgHHA.3960@TK2MSFTNGP02.phx.gbl...
>A recent VirusScan log showed that VirusScan found a JPG file on my web
>site infected with Exploit-ANIfile.c (Trojan). I read the Microsoft
>security bulletin, the info on the McAfee site, and searched the net -
>I can find no mention of this virus infecting JPG files. Can anybody
>point me to documentation that mentions this virus infecting JPG files?
>Thanks for your assistance.


"This is a very serious vulnerability that is almost certain to be
exploited on a wide-scale basis," ZERT member Randy Abrams said in an
emailed statement. "If the vulnerability were limited to animated
cursors alone it would not be as serious, but there are reports of .jpg
files, which are very commonly used in Web pages, being exploited as
well.":
http://searchsecurity.techtarget.com...249803,00.html

HTH,
-jen


  #3  
Old 20-04-2007
David H. Lipman
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

From: "Russell L. Smith" <r dot l dot smith at caci dot com>

| A recent VirusScan log showed that VirusScan found a JPG file on my web site
| infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
| bulletin, the info on the McAfee site, and searched the net - I can find no
| mention of this virus infecting JPG files. Can anybody point me to
| documentation that mentions this virus infecting JPG files? Thanks for your
| assistance.


It isn't a JPG file. Exploits don't "infect". I don't need to point you to ANY
documentation. I have seen many web sites already using files named *.JPG that are
ANI-Exploit files. I bet the JPG file is less than 2KB and most likely between .5KB and
1KB in size.

If a JPG was found on YOUR web site that had the "Exploit-ANIfile.c" then most likely
your web site has been hacked, the JPG was placed there and there is an HTML file with a
JavaScript or some other script being used to infect computers that access your web site.

Your web server needs to be removed from the internet, the system thoroughly scanned and
all vulnerabilities that led to the system being hacked mitigated ASAP!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #4  
Old 20-04-2007
Russell L. Smith
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23jrgcytgHHA.4140@TK2MSFTNGP05.phx.gbl...
> From: "Russell L. Smith" <r dot l dot smith at caci dot com>
>
> | A recent VirusScan log showed that VirusScan found a JPG file on my web site
> | infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
> | bulletin, the info on the McAfee site, and searched the net - I can find no
> | mention of this virus infecting JPG files. Can anybody point me to
> | documentation that mentions this virus infecting JPG files? Thanks for your
> | assistance.
>
>
> It isn't a JPG file. Exploits don't "infect". I don't need to point you to ANY
> documentation. I have seen many web sites already using files named *.JPG that are
> ANI-Exploit files. I bet the JPG file is less than 2KB and most likely between .5KB and
> 1KB in size.
>
> If a JPG was found on YOUR web site that had the "Exploit-ANIfile.c" then most likely
> your web site has been hacked, the JPG was placed there and there is an HTML file with a
> JavaScript or some other script being used to infect computers that access your web site.
>
> Your web server needs to be removed from the internet, the system thoroughly scanned and
> all vulnerabilities that led to the system being hacked mitigated ASAP!


Thanks for the response. I think you are saying some vulnerability with the
server allowed the JPG to be replaced with a malicious ANI masquerading as a
JPG. I am trying to figure out the sequence of events. The server was
started after a scheduled building power outage. A developer coincidentally
noticed less than 24 hours later that the VirusScan on-access scanner was
disabled. I have noticed this very occasionally happens on restart with
some of my internal development servers. The server was immediately pulled
off line and fully scanned (VirusScan plus tools used by our security group to
check ports, vulnerabilities, patches, etc.). That was when VirusScan
reported this JPG with Exploit-ANIfile.c. The log states the file was
deleted so I don't know if we still have it in quarantine. I am scheduled
to meet with the developer when he returns from a trip to get more details.
At this point I have no idea how the "fake" JPG got there, and that is
obviously important.


  #5  
Old 21-04-2007
David H. Lipman
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

From: "Russell L. Smith" <r dot l dot smith at caci dot com>


|
| Thanks for the response. I think you are saying some vulnerability with the
| server allowed the JPG to be replaced with a malicious ANI masquerading as a
| JPG. I am trying to figure out the sequence of events. The server was
| started after a scheduled building power outage. A developer coincidentally
| noticed less than 24 hours later that the VirusScan on-access scanner was
| disabled. I have noticed this very occasionally happens on restart with
| some of my internal development servers. The server was immediately pulled
| off line and fully scanned (VirusScan plus tools used by our security group to
| check ports, vulnerabilities, patches, etc.). That was when VirusScan
| reported this JPG with Exploit-ANIfile.c. The log states the file was
| deleted so I don't know if we still have it in quarantine. I am scheduled
| to meet with the developer when he returns from a trip to get more details.
| At this point I have no idea how the "fake" JPG got there, and that is
| obviously important.
|

I am NO Computer Forensics expert.
However, you do need to check all logs. Also, look for HTML or other ASCII script files on
the server that may have pointed to the JPG file. There must be downloadable code used in
conjunction with the ANI-Exploit to infect unsuspecting computers.

Please do make sure that ALL software on the server is patched and is Up-To-Date to mitigate
any exploitable vulnerabilities that may have led to the hacking of the server. Also check
all accounts and security measures to make sure all passwords are STRONG and the site is
secured.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
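
Added example (not from any poster in this thread): the two checks suggested in the replies above, run over a web root in Python. It flags `.jpg` files whose leading bytes are not JPEG, recognising ANI by its RIFF header with form type `ACON`, and then lists the pages or scripts that mention a flagged file name. The function names, the extension lists and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg"}          # what the extension claims
PAGE_EXTS = {".htm", ".html", ".js", ".asp", ".php"}  # assumed page/script types

def sniff(head):
    """Classify content by its leading bytes, ignoring the file name."""
    if head[:3] == b"\xff\xd8\xff":                     # JPEG start-of-image marker
        return "jpeg"
    if head[:4] == b"RIFF" and head[8:12] == b"ACON":   # ANI: RIFF, form type ACON
        return "ani"
    return "unknown"

def files(root, exts):
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts)

def find_mismatches(root):
    """Return (relative path, claimed, actual, size) where bytes contradict the extension."""
    hits = []
    for p in files(root, EXPECTED):
        with p.open("rb") as fh:
            actual = sniff(fh.read(12))
        claimed = EXPECTED[p.suffix.lower()]
        if actual != claimed:
            hits.append((p.relative_to(root).as_posix(), claimed, actual, p.stat().st_size))
    return hits

def find_referrers(root, flagged):
    """Return (page, name) for each page or script that mentions a flagged file name."""
    wanted = sorted({Path(f).name.lower() for f in flagged})
    refs = []
    for page in files(root, PAGE_EXTS):
        text = page.read_text(errors="replace").lower()
        refs += [(page.relative_to(root).as_posix(), n) for n in wanted if n in text]
    return refs

def demo():
    root = Path(tempfile.mkdtemp())  # constructed sample web root, header bytes only
    samples = {"logo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
               "banner.jpg": b"RIFF" + (4).to_bytes(4, "little") + b"ACON",
               "index.html": b'<img src="logo.jpg">',
               "news.html": b'<img src="Banner.JPG">'}
    for name, data in samples.items():
        (root / name).write_bytes(data)
    hits = find_mismatches(root)
    return hits, find_referrers(root, [h[0] for h in hits])

if __name__ == "__main__":
    print(demo())
```

The size column is reported because the reply above expects these files to be well under 2KB; run the scan against an offline copy of the web root so the evidence is not altered.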


  #6  
Old 25-04-2007
cquirke (MVP Windows shell/user)
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

On Thu, 19 Apr 2007 14:40:53 -0400, "Russell L. Smith" <r dot l dot

>A recent VirusScan log showed that VirusScan found a JPG file on my web site
>infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
>bulletin, the info on the McAfee site, and searched the net - I can find no
>mention of this virus infecting JPG files. Can anybody point me to
>documentation that mentions this virus infecting JPG files? Thanks for your
>assistance.


You can put an exploit into any type of file.

Whether it will "get traction" depends on whether the OS is smart
enough to refuse to pass it to the exploitable surface.

For example, a smart OS will say "hey, this file is named as if it
were a .JPG file, yet this content is ANI" and then, being aware of
this, it will say "I'm NOT passing this content to the ANI
interpreter, I'm stopping right here with an alert".

A really stupidly-designed OS will say "oh look, here's some ANI
content that's been named as a .JPG; I guess this is just an honest
mistake, I'll pass it to the ANI handler".

Guess which behavior is likely with Windows?

I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
about .JPG; I know that a previous WMF exploit did indeed spread to
.JPG, as a classic example of absent type discipline that greatly
enlarges the risk when some file format is found to be exploitable.


You may be able to knock some sense into Windows. Look in the details
of IE's security settings, for "open based on content, not extension".
Yep, that is set to ENABLED by duuuuuhfault for the Internet Zone and
presumably Trusted, Intranet and "My Computer", too. It is set to
Disabled for Restricted Zone, so there's at least some clue that this
is risky behavior... but hey, we can trust the Internet, right?


>-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -

  #7  
Old 25-04-2007
David H. Lipman
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

From: "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>


|
| You can put an exploit into any type of file.
|
| Whether it will "get traction" depends on whether the OS is smart
| enough to refuse to pass it to the exploitable surface.
|
| For example, a smart OS will say "hey, this file is named as if it
| were a .JPG file, yet this content is ANI" and then, being aware of
| this, it will say "I'm NOT passing this content to the ANI
| interpreter, I'm stopping right here with an alert".
|
| A really stupidly-designed OS will say "oh look, here's some ANI
| content that's been named as a .JPG; I guess this is just an honest
| mistake, I'll pass it to the ANI handler".
|
| Guess which behavior is likely with Windows?
|
| I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
| about .JPG; I know that a previous WMF exploit did indeed spread to
| .JPG, as a classic example of absent type discipline that greatly
| enlarges the risk when some file format is found to be exploitable.
|
| You may be able to knock some sense into Windows. Look in the details
| of IE's security settings, for "open based on content, not extension".
| Yep, that is set to ENABLED by duuuuuhfault for the Internet Zone and
| presumably Trusted, Intranet and "My Computer", too. It is set to
| Disabled for Restricted Zone, so there's at least some clue that this
| is risky behavior... but hey, we can trust the Internet, right?
|

Attached is a perfect example.

It is a screen capture of an Avira submission report based upon files I submitted yesterday.

Note the file "0day.jpg", an 802 byte file, was reported as...
"The file '0day.jpg' has been determined to be 'MALWARE'. Our analysts named the threat
EXP/Ani.Gen"

As I said early on in this thread...
"I bet the JPG file is less than 2KB and most likely between .5KB and 1KB in size."

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




  #8  
Old 26-04-2007
cquirke (MVP Windows shell/user)
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

On Tue, 24 Apr 2007 18:47:26 -0400, "David H. Lipman"
>From: "cquirke (MVP Windows shell/user)"


>| You can put an exploit into any type of file.
>| Whether it will "get traction" depends on whether the OS is smart
>| enough to refuse to pass it to the exploitable surface.


>| I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
>| about .JPG; I know that a previous WMF exploit did spread to .JPG


>Attached is a perfect example.


>It is a screen capture of an Avira submission report based upon files I submitted Yesterday.


>"The file '0day.jpg' has been determined to be 'MALWARE'. Our analysts named the threat
>EXP/Ani.Gen"


Hmm... in this XP SP2 PC, I tried renaming an .ANI as .JPG, and it
"opened" in the MS viewer that usually shows .JPG, which stated the
file wasn't displayable. I then tried the same in IView, which said
"this is an .ANI named as a .JPG; rename?"

The trouble with this sort of testing is that this PC has no default
action for .ANI files, so I can't tell whether the content within the
renamed .JPG was ever being handled as .ANI



>-------------------- ----- ---- --- -- - - - -

Tip Of The Day:
To disable the 'Tip of the Day' feature...
>-------------------- ----- ---- --- -- - - - -

  #9  
Old 26-04-2007
David H. Lipman
 
Posts: n/a
Re: Can Exploit-ANIfile.c infect JPG files?

From: "cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org>


|
| Hmm... in this XP SP2 PC, I tried renaming an .ANI as .JPG, and it
| "opened" in the MS viewer that usually shows .JPG, which stated the
| file wasn't displayable. I then tried the same in IView, which said
| "this is an .ANI named as a .JPG; rename?"
|
| The trouble with this sort of testing is that this PC has no default
| action for .ANI files, so I can't tell whether the content within the
| renamed .JPG was ever being handled as .ANI
|

I think it is how the web page loads the JPG (ANI Exploit) as content on a miscreant web
site.

I have seen ANI Exploits in: HTML, JS and JPG files.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

