Thursday, April 8, 2010

Picture: Not Worth 1,000 Words

Well, it's not actually a picture but an obfuscated malicious VB script.

That’s the story with W32/VBSAuto-F — yet another autorun worm that sets a number of self-starting registry entries, spreads via USB drives, and downloads further malware. The worm embeds code in a JPEG comment field of an ambiguously named file “image.jpg” or “imwin.jpg”.

Previewing such files as images remains innocuous, as picture viewers tend not to execute metadata by default. This is unfortunately not the case when the file is run through the VB script engine, which is happy to interpret the same JPEG comment 0xFFFE header bytes as a byte-order mark indicating little-endian UTF-16 encoded text, and to execute the remaining portion of the file as code.
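The dual interpretation described above (JPEG COM marker on one side, UTF-16 LE byte-order mark on the other) is something a defender can check for directly. The following scanner is an added example, not code from the Sophos article or this post: it walks a file's JPEG marker segments, pulls out every comment (0xFFFE) segment, views the payload both as raw bytes and as UTF-16 LE text, and flags payloads containing identifiers typical of Windows Script Host code. It also accepts a file that opens with FF FE instead of the usual FF D8 start-of-image marker, since that is exactly the layout the script engine would run. The keyword list, the helper names and the sample bytes are all constructed here for illustration.

```python
"""Heuristic scan of JPEG comment (COM) segments for embedded script text.

Added example for the post above, not part of the original article.  The
keyword list and the sample file built by build_sample() are constructed.
"""
import struct

SOI = b"\xff\xd8"   # start of image
COM = 0xFE          # comment segment marker (FF FE), also a UTF-16 LE BOM
SOS = 0xDA          # start of scan: entropy-coded data follows, no more headers
EOI = 0xD9          # end of image

# Constructed list of identifiers common in WSH/VBScript; tune for your environment.
SCRIPT_KEYWORDS = ("createobject", "wscript", "execute(", "shell.application", "regwrite")


def iter_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    pos = 0
    # A file may begin with FF FE (COM marker / UTF-16 LE BOM) rather than FF D8;
    # accept both so the dual-interpretation case is still walked.
    if data[:2] == SOI:
        pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return  # lost marker sync; stop rather than guess
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        if marker == 0xFF:
            pos += 1  # fill byte before a marker
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2  # standalone RSTn / TEM markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def decode_candidates(payload: bytes):
    """Return the payload viewed as Latin-1 and as UTF-16 LE text."""
    return [payload.decode("latin-1"), payload.decode("utf-16-le", errors="ignore")]


def scan_jpeg(data: bytes):
    """Return (segment_index, keyword) findings for COM segments that look like script."""
    findings = []
    for index, (marker, payload) in enumerate(iter_segments(data)):
        if marker != COM:
            continue
        for text in decode_candidates(payload):
            lowered = text.lower()
            for kw in SCRIPT_KEYWORDS:
                if kw in lowered and (index, kw) not in findings:
                    findings.append((index, kw))
    return findings


def build_sample():
    """Constructed sample: minimal JPEG header whose COM segment holds UTF-16 LE script text."""
    script = 'Set o = CreateObject("WScript.Shell")'.encode("utf-16-le")
    com = b"\xff\xfe" + struct.pack(">H", len(script) + 2) + script
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return SOI + app0 + com + b"\xff\xda" + b"\x00\x00"


if __name__ == "__main__":
    for seg, kw in scan_jpeg(build_sample()):
        print(f"COM segment {seg}: contains '{kw}'")
```

Run against a directory of images, a non-empty result list is a strong hint that a file is meant to be executed rather than viewed; the UTF-16 LE decode is what turns the innocent-looking `C\x00r\x00e\x00...` byte pattern into a matchable keyword.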

This malware is certainly not worth 1000 words, as even the deobfuscated malicious script itself weighs in at a mere 391 words total.

This post is excerpted from the Sophos article, When is a picture not worth 1000 words, by Mike Wood, March 31st, 2010.

For more information on embedded maliciousness, visit SophosLabs.
