New ICQ Worm, Win32\Stration

It comes as a URL from infected users and leads to a JPG file which, unless protected, runs something somehow and blows everything up.

I didn’t get infected, I never do, so I was hoping anybody here was infected and figured a way to clean your system.

Asking for my friends, btw.

The JPG file format allows for a hidden data stream. They call data held in these hidden streams metadata. It’s meant to be used by authors for their stuff & for cameras to store any picture data. Anyway, long story short… worms have been found in JPG hidden data streams. I’m not 100% sure how they are executed… But, I suspect it will be some sort of buffer overflow attempt on the client reading the JPG file (and the metadata) & a subsequent code-injection… if it succeeds.

The following URL is for a tool called JPEGScan & it scans for these hidden data streams.

If WinXP/2000 is up-to-date this problem has been patched i think.

cheers, rotty

MS patch for this was issued in December 2004. If your friends have been stung, it’s because they aren’t patched.

Ewen :slight_smile: