Security researchers are seeing the first signs of a large-scale
virus attack taking advantage of a known flaw in the way JPEG images are
processed in Microsoft Windows products.
Just days after warning
that proof-of-concept exploits were circulating, the SANS Internet Storm
Center (ISC) said it had received reports that a “GDIplus.dll” exploit
embedded on porn images was making the rounds on adult newsgroups.
Microsoft has already released a patch to fix the way GDI libraries
handle JPEG processing, and it released a scanning tool
to help detect the presence of products that
contain the GDI+ component and determine whether a security fix should
In addition to adult images on Usenet, the ISC said it was
investigating reports that the profile feature in America Online’s AIM
instant messaging product was being used to entice users to view
malicious JPEG files.
The basic method is to attach GDI exploits to profiles on AIM. The
attacker then sends messages to get the user to go look at the user
profile that has a .JPEG with the GDIplus.dll exploit in it,” the Center
said in an advisory.
The exploit only uses the AIM user profile feature to propagate
itself and does not target any vulnerabilities in the AIM software.
Anti-virus firm Symantec
has released advisories
for two Trojan Horse programs exploiting the GDI+ library flaw described
in Microsoft’s MS04-028
Symantec has updated its virus definitions to protect from
which has been programmed to download an .EXE file from a Web
site. Symantec rates the Trojan Moo threat as “low.”
The company also warned that a backdoor Trojan exploiting the same
flaw was making the rounds. Symantec said the Trojan is capable of
connecting to a predefined IP address to start a command shell on an
infected system. A command shell allows an attacker to download and
execute harmful code from a predefined domain.
Removal instructions for the backdoor can be found