Author Topic: what is JPG: MS04-028 [EXPL] ?  (Read 5047 times)


Offline babyhotline

  • Newbie
  • *
  • Posts: 4
what is JPG: MS04-028 [EXPL] ?
« on: October 13, 2019, 07:52:21 PM »
(I'm on macOS, Avast security 14.2)

So earlier I did a deep scan and it flagged two files (an .asl log file and a com.avast.chest.tmp file) as JPG: MS04-028 [EXPL].
I'm aware that this board is mainly for PCs but most of the information I could find about the JPG:MS04-028[EXPL] threat are on Windows computers and were also JPEG files.

I sort of drew the conclusion that these could be false positives, but I'm also a bit sus since I don't know what these files exactly are (which I've posted a question about on the Mac Security board). I'd also like an explanation of what JPG:MS04-028[EXPL] is and if it is a JPEG file threat why it's showing up on files that aren't JPEG. If it helps I've sent both files for review.

Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
« Last Edit: October 13, 2019, 08:03:36 PM by Pondus »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #2 on: October 13, 2019, 09:57:33 PM »
Hi Baby,

In short, MS04-028 is an exploit involving JPEG images. Without boring you with technical details, it relates to an incorrectly crafted header, specifically in relation to length.

The PoC (Proof of Concept) I found relates to crashing one's system (DoS Attack - Denial of Service), but with additional shellcode and pointer overwrites, it can be used to execute additional commands (in "shell code"). This exploit is very old, dating from 2004. Because of its nature (specially crafted headers), this exploit was designed for that image. It could be done for others, but you likely got the image from somewhere else.

Please upload that file to Dropbox (ZIP it with the password "infected" and drop a link here).

If you opened that file, please run and attach logs files found here: https://forum.avast.com/index.php?topic=194892.0
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
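The "incorrectly crafted header ... in relation to length" above refers to a JPEG marker segment whose 2-byte length field declares fewer bytes than the field itself occupies. The following is an added example, not code from the thread or from Avast: a small segment walker that flags that condition, and reports a non-JPEG input (such as the .asl log and the quarantine .tmp mentioned here) as not even parseable as a JPEG. Sample inputs are constructed inline; the function name and the verdict strings are this example's own.

```python
# Added example: walk JPEG marker segments and flag a length field below the
# 2-byte minimum (the malformed-length condition associated with MS04-028).
import struct

SOI = b"\xff\xd8"
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def scan_jpeg_segments(data: bytes):
    """Return (verdict, findings).

    verdict:  "not_jpeg" (no SOI header), "clean", or "suspicious".
    findings: list of (offset, marker, declared_length) for bad lengths.
    """
    if not data.startswith(SOI):
        return "not_jpeg", []
    findings = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            break                      # entropy-coded data or truncation
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte between markers
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:         # EOI: end of image
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            break                      # length field cut off
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            # The field counts itself, so a naive "length - 2" copy underflows.
            findings.append((pos, marker, length))
            break                      # cannot advance reliably past a bogus length
        if marker == 0xDA:             # SOS: scan data follows; stop here
            break
        pos += 2 + length
    return ("suspicious" if findings else "clean"), findings

# Constructed samples: a well-formed COM (0xFE) segment, the same segment with a
# declared length of 1, and a text line that is not a JPEG at all.
GOOD = SOI + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
BAD = SOI + b"\xff\xfe" + struct.pack(">H", 1) + b"hello" + b"\xff\xd9"
LOG = b"Oct 13 19:52:21 host kernel[0]: constructed log line\n"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD), ("LOG", LOG)):
        print(name, scan_jpeg_segments(blob))
```

A scanner that matches the byte pattern regardless of file extension can hit on any file containing it, which is why a non-image file can carry this detection name; a structural check like the one above tells you whether the file is even a JPEG.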

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #3 on: October 13, 2019, 10:01:33 PM »
Quote
If you opened that file, please run and attach logs files found here: https://forum.avast.com/index.php?topic=194892.0
No can do @Michael (alan1998) .... he is on a Mac   ;)

and the exploit is for Windows OS



Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #4 on: October 13, 2019, 10:11:03 PM »
I missed that part. While the payload may not work on his system, it still likely exists. Assuming it does exist, Avast's detection is correct, regardless of its functionality in modern-day times and operating systems.

Edit: Jesus, I need to learn to read. Temp (.tmp) and Photoshop (.asl). Threat likely doesn't exist in the temp file, but may in that ASL file.
« Last Edit: October 13, 2019, 10:13:39 PM by Michael (alan1998) »

Offline babyhotline

  • Newbie
  • *
  • Posts: 4
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #5 on: October 13, 2019, 10:29:53 PM »
Quote
I missed that part. While the payload may not work on his system, it still likely exists. Assuming it does exist, Avast's detection is correct, regardless of its functionality in modern-day times and operating systems.

Edit: Jesus, I need to learn to read. Temp (.tmp) and Photoshop (.asl). Threat likely doesn't exist in the temp file, but may in that ASL file.

The .asl file was found in private/var/log and, after doing a bit of research, it was a system log file that can be removed safely without corrupting my laptop or something. I've already gone ahead and removed it after it was placed in my Virus Chest, and my system seems to be doing fine. As for the .tmp, I'm assuming it's a temporary file of Avast's chest? It's called "com.avast.chest.6070214.tmp". Yesterday I recovered the .tmp file and tried uploading it to VirusTotal, but it wouldn't work, so I just put it back into the Virus Chest after that. If its deletion doesn't affect my system I may resort to deleting it.


Also, to clarify, I have not opened any of the files since discovering them.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #6 on: October 13, 2019, 10:34:06 PM »
Leave it in Avast!'s quarantine then.

MS04-028 poses no threat to macOS, and log files shouldn't either.

Offline babyhotline

  • Newbie
  • *
  • Posts: 4
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #7 on: October 13, 2019, 10:44:07 PM »
Quote
Leave it in Avast!'s quarantine then.

MS04-028 poses no threat to macOS, and log files shouldn't either.

Alright, that's a relief. Apologies for not being too educated on the topic haha. Thank you!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: what is JPG: MS04-028 [EXPL] ?
« Reply #8 on: October 14, 2019, 01:12:13 AM »
No worries - We all have our shortcomings in knowledge.

I don't know much about mechanical work - but I try what I can. Exactly what you did: tried to understand it on your own and sought help when you didn't quite understand. No shame in that! It just happens that I know more about computers (and security) than your average Joe. Though admittedly I know more about Linux and Windows than macOS :P.

Stay safe out on the interwebs.

Cheers,
Mike