Yes, I doubt that in the early examples, there will be a need to do anything but pump out automatically executing E-mails with bogus JPGs.  Over time infected JPGs might very well become a standard method of infection, along with all of the various forms which may include infected JPGs within encrypted zips.  If I were a virus writer and opportunity was becoming more limited by E-mail virus scanners, I would look to include this method.  I believe it will happen eventually.

BTW, you forgot to mention the possibility of a Code Red-type exploit where a worm crawls from server to server and installs its automatically infecting payload on the sites that it infects.  With most desktop virus scanners not bothering with image files as is, a visit to an infected Web site with an unpatched version could mean rapid infection.  They only need a good method of spreading from server to server, and there's a new XML exploit that might be prime for this, but note that I'm not sure if that can be attacked by way of HTTP connections.

The only caveat here is that it seems that if people have been keeping up to date with patches, it's possible that things like IE and Outlook could have been fixed for this flaw for months.  Microsoft has been sneaking out the fix since at least May so it's had some time to propagate within their products.  I don't expect that apps by other companies will be likely to be host to the infection since they typically don't handle the files directly from the Internet, and most of course aren't using Microsoft's code for this.  I do a lot of graphic design work and haven't found a non-MS app yet that had a vulnerable version of GDI on all of the machines that I own.

Matt



Sanford Whiteman wrote:
It seems fairly certain that this virus will be released within an
encrypted zip

Maybe, maybe not. The easiest way to get a payload delivered via
e-mail right now is certainly to just pop a JPEG directly into an HTML
message and rely on unpatched Outlook to render it; remember,
launching a JPEG from an archive may end up launching a full-fledged
photo editor that may not even be a Microsoft product. Another
e-mail-driven infection vector will be messages from "known senders"
with clickable text that simply generates an image/jpeg response
stream for unpatched IE. EZIPs aren't my worry with this one.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
------------------------------------

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
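Both posts above turn on the same defensive gap: scanners that decide by file extension skip image attachments, and an "image/jpeg response stream" or a JPEG pasted into an HTML message never carries a tell-tale extension at all. The following is an added example (not code from this list, from Declude, or from either poster) of the kind of structural check a mail gateway or proxy can apply to any blob, whatever it is called: identify JPEG by its magic bytes and walk the marker segments, rejecting anything with a segment length a well-formed JPEG can never have. It does not claim to detect a specific exploit; the sample files, names and the `check_jpeg` helper are constructed for this illustration.

```python
import struct

# Markers that carry no length field: TEM (0x01) and RSTn (0xD0-0xD7).
# SOI (0xD8) and EOI (0xD9) are handled explicitly below.
STANDALONE_MARKERS = {0x01} | set(range(0xD0, 0xD8))


def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its SOI magic bytes, ignoring file name/extension."""
    return data[:2] == b"\xff\xd8"


def walk_segments(data: bytes):
    """Yield (marker, offset, length) for each marker segment up to SOS or EOI.

    Raises ValueError on structure a well-formed JPEG never has: a missing
    SOI, a byte where a 0xFF marker prefix must be, a truncated segment, or a
    length field below 2 (the field counts its own two bytes).
    """
    if not is_jpeg(data):
        raise ValueError("not a JPEG: missing SOI magic bytes")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker at end of data")
        marker = data[pos]
        start = pos - 1
        pos += 1
        if marker == 0xD9:  # EOI: end of image
            yield marker, start, 0
            return
        if marker in STANDALONE_MARKERS:
            yield marker, start, 0
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02X}: truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError(
                f"marker 0x{marker:02X} at offset {start}: segment length {length} < 2")
        if pos + length > len(data):
            raise ValueError(
                f"marker 0x{marker:02X} at offset {start}: segment runs past end of data")
        yield marker, start, length
        if marker == 0xDA:  # SOS: entropy-coded scan follows; structural walk ends
            return
        pos += length
    raise ValueError("no EOI/SOS before end of data")


def check_jpeg(data: bytes) -> tuple[bool, str]:
    """Return (accept, reason) for a blob, regardless of its declared name."""
    try:
        segments = list(walk_segments(data))
    except ValueError as err:
        return False, str(err)
    return True, f"{len(segments)} marker segments parsed"


# Constructed samples: a minimal JFIF header + comment + EOI, and the same
# file with the comment segment's length field corrupted to 1.
JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # 14 bytes
GOOD_JPEG = (b"\xff\xd8"
             + b"\xff\xe0" + struct.pack(">H", 2 + len(JFIF_PAYLOAD)) + JFIF_PAYLOAD
             + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"
             + b"\xff\xd9")
BAD_LENGTH_JPEG = GOOD_JPEG.replace(struct.pack(">H", 7) + b"hello",
                                    struct.pack(">H", 1) + b"hello")
NOT_A_JPEG = b"GIF89a" + b"\x00" * 10

if __name__ == "__main__":
    # Names are deliberately misleading to show the check ignores extensions.
    for name, blob in (("photo.gif", GOOD_JPEG),
                       ("image.txt", BAD_LENGTH_JPEG),
                       ("real.gif", NOT_A_JPEG)):
        print(name, check_jpeg(blob))
```

The check deliberately stops at the SOS marker: the entropy-coded scan data has no length field and would need a real decoder, whereas the header segments are where length fields live and can be validated cheaply before any rendering library touches the bytes.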
