Topic: MS04-028 JPEG

dkeat

  • Guest
MS04-028 JPEG
« on: November 11, 2007, 04:26:58 PM »
Greetings

I have a friend who sent me a bunch of pictures in JPEG format. Since then, whenever I open MS Picture Gallery, Avast lets off a barrage of about 6 warnings that the virus in the title above has been detected (Malware). I "instructed" Avast to delete the files, but it apparently cannot do so, as it continues in the same fashion each time I open the gallery. Putting the files in the virus container does not help either. When I open the gallery I get the warnings again. I informed the friend and he assures me that he has scanned his system and there is nothing there.

I am beginning to wonder what is going on here. I am reluctant to delete the pictures completely, yet this situation is making it truly annoying to use MS Picture Gallery.

If anyone could help with this it would be greatly appreciated.

Dave

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: MS04-028 JPEG
« Reply #1 on: November 11, 2007, 05:49:06 PM »
Maybe they're false positives. To know if a file is a false positive, please submit it to VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
Another possibility is Jotti. VirusTotal and Jotti have file size limits of 10 and 15 MB respectively.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...
You can use wildcards like * and ?. But be careful, you should 'exclude' that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file -  there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

Rather than infected, the files could have been detected as an 'exploit'. But I'm not an expert on this.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: MS04-028 JPEG
« Reply #2 on: November 11, 2007, 06:37:12 PM »
First, deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate. As Tech mentions, VirusTotal, etc. I would suggest you pause the Standard Shield and move the suspect files to a temporary folder, c:\suspect will do and exclude that folder c:\suspect\*.jpg as Tech mentions. When you upload them to VT standard shield won't alert.

Second, because you are using MS Picture Gallery that may be the reason the files can't be deleted (not that you should do that) and as such are in use and/or protected by Windows. I don't know how MS Picture Gallery works, but if you can exclude the suspect folder if it would otherwise be included in the gallery.

MS04-028 is the JPEG exploit patch; that is why the malware that tries to exploit .jpgs is named in that way.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: MS04-028 JPEG
« Reply #3 on: November 11, 2007, 08:02:17 PM »
Just as Tech wrote, please submit some of the detected files to virus@avast.com
(if you do, please post a note about it here).
Thanks.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: MS04-028 JPEG
« Reply #4 on: November 11, 2007, 11:40:27 PM »
This could be the reason: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=40248
If you are confident in the source, and it sounds reasonable to be so, try renaming them, if possible. By a (probably) pure coincidence, the jpeg name has the same as the Ms security advisory, and the Win32 malware.
Windows 10,Windows Firewall,Firefox w/Adblock.

dkeat

  • Guest
Re: MS04-028 JPEG
« Reply #5 on: November 12, 2007, 05:37:49 PM »
Greetings!

First of all, thank you very much to all who replied!

After a bit of dicking around I managed to set the SMTP parameters and send the files (I hope) from the container to Alwil.

As an additional bit of data, the malware is never detected when I conduct a normal scan. It is only when I open the Windows Picture Gallery that I set off alarms. And yes, it is the "exploit" that is being detected. Virus or not, it certainly creates a constant pain in the ass.

Dave

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: MS04-028 JPEG
« Reply #6 on: November 12, 2007, 06:16:14 PM »
a constant pain in the a...
Dave, there are children in the forum ;D

Hope the virus analysts could help here soon...

jrodrigosm

  • Guest
Re: MS04-028 JPEG
« Reply #7 on: December 02, 2007, 11:34:55 AM »

Hello!

I am experiencing the exact same problem: I am working (on Vista) on a bunch of photos taken with my own camera. When I use Picasa to make the edits everything goes fine; however when I use Windows Photo Gallery to open and edit the pictures Avast starts to issue constant warnings (the same ones that were mentioned above).

After doing some research on the web, this seems to be a false positive: when Windows Photo Gallery opens the pictures, it does so by creating a new .tmp file that it modifies somehow; Avast heuristics understands this modification to be an exploit, and warns the user about it.

The question is: Is there any way for Avast not to report this as a problem? I don't think excluding the original .jpgs from being scanned is going to work, given that Avast finds the issue not in the original files, but in the .tmp file created by Windows Photo Gallery.

Thanks in advance for your help!

dkeat

  • Guest
Re: MS04-028 JPEG
« Reply #8 on: December 02, 2007, 02:49:34 PM »
Well, I never heard back from the company about the problem and I got tired of it. It does seem to be false positive. I finally (reluctantly) removed the software and installed "Antivir" from "Avira" http://www.avira.com/en/pages/index.php. It is an excellent product. It includes a scheduler, is free for personal use and does not cause this false positive. Life is simpler now.

Good luck.

Dave

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: MS04-028 JPEG
« Reply #9 on: December 02, 2007, 03:01:34 PM »
I've seen the file (at least I think it was that one).
While it might be false positive in the sense that the file is not malicious (but just corrupted), the corruption is exactly the one as in the MS04-028 exploit. Almost everybody on VirusTotal detected it as well... so I think the detection is correct.