On Tuesday, June 11, 2002, Peter Palmreuther wrote...

JA>> Then how would you explain viruses spreading via the .jpg and
JA>> .gif formats?

> Because the widespread usage of Outlook and Outlook
> Express?!?!?!?!!!!!

Indeed

> What happens is: this object is announced as an 'image' by a 'Content-Type:
> image/jpg' or something similar.

Yes... that is true.

> This is no problem, but in fact the extension is e.g. '.pif' or '.bat' or
> '.com'.

Not always the case... I have mine set to not hide any file extensions at all, and have had three .jpg files on my PC that were infected with a virus, and on execution on our test machine (has no network connections, only a floppy drive for testing), attempting to open the files causes the browser (because it is an issue with IE in most cases that causes this) to 'execute' the image, the browser then returns the big red X to show it's not a valid image, but does in fact infect the machine.

> This is no problem too ... except ... except the '<what ever tries
> to handle the object>' does not enforce the object _trying to be
> rendered as an image_ but executes a system call to 'start' the
> object, WHICH FINALLY executes the '.pif' or whatever.

In most recent cases this is true... Klez is just a pif in most cases, hidden as a .scr, .doc, .jpg by the content-type header.

> So the problem ain't there's a '.jpg' _in name_, and the problem ain't
> wrong rendering, but a wrong executed system call on an _executable_ file.

Depends... if it's a double extension file, it always goes for the last extension, which would be a .pif, .com, .exe (etc), in which case, the image program (be it IE, photoshop, paintshop etc) wouldn't even load, and the *correct* program for executing that program will be called... here is an example, copy a standalone program, and rename it to <oldname>.jpg.exe... it still executes as a .exe and doesn't even load IE (in my case).

> Disable the 'Hide file extensions for known file types' in your explorer
> settings (not Internet Explorer!!! Explorer ... the file manager!) and
> you'll see: none of these 'soooo dangerous' image files _is_ an image file.

Not just known file types... just get it to always show the file types ;) That is one good thing about TB!, it warns you about double extensions, even if you don't have them visible. They changed some code in Outlook/Outlook Express recently that won't let you execute .exe files from inside the emails... a semi-good idea I guess.

-- 
Jonathan Angliss ([EMAIL PROTECTED])
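
A receiving-side check for the mismatch discussed in this message, as an added example that is not part of the original post or of The Bat!: it flags attachments whose declared Content-Type or inner extension suggests passive content while the final extension is one Windows executes. The extension sets, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".pif", ".bat", ".com", ".exe", ".scr"}  # run by Windows (assumed set)
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".doc"}              # what the recipient expects (assumed set)

def audit_attachments(raw: bytes) -> dict[str, list[str]]:
    """Map each misleading attachment filename to the reasons it was flagged."""
    findings = {}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        exts = [e.lower() for e in PurePosixPath(name).suffixes]
        if not exts or exts[-1] not in EXECUTABLE_EXTS:
            continue  # only the last extension decides how the file is opened
        reasons = []
        if part.get_content_maintype() != "application":
            reasons.append(f"declared {part.get_content_type()} but ends in {exts[-1]}")
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            reasons.append(f"double extension {exts[-2]}{exts[-1]}")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed test message; attachment bodies are placeholders, not real files."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    msg.add_attachment(b"placeholder", maintype="image", subtype="jpeg",
                       filename="holiday.jpg.pif")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    return bytes(msg)

if __name__ == "__main__":
    for name, reasons in audit_attachments(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

The honestly labelled `setup.exe` is not reported: the check targets a misleading name or type, not executables as such, which a separate attachment policy would handle.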