Memory modification not detected?

When I run this spoofed jpg image, it starts a hidden window of Internet Explorer. It seems that the spoofed jpg then modifies the memory of Internet Explorer (IE) and IE in turn creates more copies of malicious executables.

CFP D+ does not give any warning about memory modification. Is something missing?
Any explanation from the developers will be appreciated. I can send the file if asked.

Thanks

[attachment deleted by admin]

Bump!

Anyone please?

Ok send it.
I'm not a programmer nor a specialist, but I can try it out.
Is it malicious or just a POC?

No, it's real malware. So are you willing to try it?

Thanks

Just curiosity... Does that ".jpg" pull the same trigger as in EQSecure (mem. access/mod.) in CFP if you put *.jpg in the executables group in "My Protected Files"?

I don't expect so, but I did not try. I will try it later.

Another one. This is with virus W32/Jefoo.A.

In fact it seems that Defense+ is missing too many memory modifications. I don't know what the issue is.

[attachment deleted by admin]

Hmmm, I don't see anything unsafe in the third picture. If you want to see a prompt between two safe apps, you should run CFP in Paranoid Mode...

aigle,

As for the third alert, set D+ to Paranoid Mode (like Salmonela suggested) and make sure iexplore.exe is not already allowed to access explorer.exe in memory and is not allowed to execute explorer.exe.

The popup from Defense+ asking if malware.exe can access iexplorer.exe in memory: was it allowed or blocked?
If you allowed it, then it is normal behavior that you didn't receive an alert for the further actions of iexplorer.exe. This is because iexplorer.exe is considered safe. Try deleting the rules for iexplorer.exe, set Defense+ to Paranoid Mode and disable "Automatically learn applications signed by Comodo". In this case you should receive the second alert too...

Oh, and the sample... if it's malware, I can't test it right now. I'm using my VM to test firewalls for testmypcsecurity.com and I haven't got CFP installed at the moment... Maybe later, but thanks.

Hi Salmonela, goodbrazer and Blas.

Thanks for the reply.

About third alert you are right. I missed that point.

My first post is still a question. Here Defense+ is not giving an alert.

@Blis

Sending you the file link via PM.

Thanks

Please aigle, could you PM me the fake jpg (malware) link also?
I would like to test it.
TIA

Out of curiousity, how do you run a JPG?

It’s not an executable extension and would merely call whatever app is registered to handle them.

Or do you mean that it is an EXE with a double extension of “.jpg.exe”?

Ewen :slight_smile:

I think you need an unpatched vulnerability or outdated software to run it in Internet Explorer.

Of course, you can always run a renamed executable in the command no matter the extension.

Q.E.D.

You’re not running the JPG, per se, you’re loading it into another application that may or may not have vulnerabilities. The flaw lies in the application, not the data file.

Ewen :slight_smile:

Huh, yes, sorry for the stupidity (:SHY)
I guess then there is nothing to test.
aigle, please tell me what is in that picture (jpg), maybe guys from EQSecure while clicking on useless prompts...

I should have added that a maliciously corrupted data file can act as a trigger to a vulnerability in an application and is therefore part of the overall problem, but it is still not the root cause of the problem. The vulnerability of the application attempting to read the data file is the core of the problem.

Ewen :slight_smile:

I run it via cmd.exe.

[attachment deleted by admin]

which passes the file extension to Windows, which looks up the associated executable, which is then called and loads the jpg you have "run" from the command line.
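Ewen's point above is that the extension only selects a handler; what the bytes actually are is a separate question, and that is the question a checker should ask. The following is an added example, not code from this thread or from Comodo, that classifies a file by its leading bytes (the JPEG SOI marker, or an MZ header whose e_lfanew points at a "PE\0\0" signature) and flags a file that carries an image extension but executable content. The function names are my own and the sample byte strings are constructed inline; they are not the file discussed in the thread.

```python
import struct

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever name it carries.

    Returns "jpeg" for a JPEG SOI marker, "pe" for a DOS header whose
    e_lfanew points at a "PE\\0\\0" signature, "mz-dos" for an MZ header
    with no PE signature, and "unknown" otherwise.
    """
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew: offset of the PE signature, stored at 0x3C in IMAGE_DOS_HEADER
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims an image but the content is an executable header."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in IMAGE_EXTENSIONS and sniff_type(data) in ("pe", "mz-dos")


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ stub followed by a PE signature.

    This is not a runnable binary, only enough header for the check above.
    """
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    return bytes(dos_header) + b"PE\0\0" + b"\x00" * 20


# Constructed samples, not files from the thread.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_PE_SAMPLE = build_fake_pe()


def check_file(path: str) -> dict:
    """Read the first 4 KiB of a file on disk and report its real type and any mismatch."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return {"path": path, "type": sniff_type(head), "mismatch": extension_mismatch(path, head)}


if __name__ == "__main__":
    samples = (
        ("photo.jpg", JPEG_SAMPLE),
        ("photo.jpg", FAKE_PE_SAMPLE),
        ("photo.jpg.exe", FAKE_PE_SAMPLE),
    )
    for name, blob in samples:
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: {sniff_type(blob)} ({verdict})")
```

Note that a double extension such as "photo.jpg.exe" is classified by its last extension, so `extension_mismatch` does not flag it; only a name that ends in an image extension but carries an MZ/PE header is reported. Run `check_file` over a directory of downloads to find files whose content does not match their name.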

Hi, I am a total novice, but I believe running a spoofed jpg from the command line does not open it in my default image viewer; it instead runs the executable that is spoofed as a jpg.

Am I right?