Can a .GIF contain a virus?

T

tjwatkins

Can a .GIF contain a virus?

I was sent an email from someone I do not know. There was no text in
it, just two .GIF files. The message ID number (using arin.net) was
invalid. My email software does not view anything except plain text.
HTML is viewed as text too. I have to manually open attachments too.
Because of this, I was never exposed to any viruses or spyware.
I deleted the message and the gifs, so it's gone.

I used to feel safe opening pictures, but heard that some can now
contain a virus. Can a .GIF contain one?

Thanks

TJ
 
B

Beauregard T. Shagnasty

Can a .GIF contain a virus?
Maybe.

I was sent an email from someone I do not know. There was no text in
it, just two .GIF files.

Chances are it was one of those stock scams where the entire spam
message is in the image file, a picture of text. They do it to get
around text filters.
The message ID number (using arin.net) was invalid. My email software
does not view anything except plain text. HTML is viewed as text too.
I have to manually open attachments too. Because of this, I was
never exposed to any viruses or spyware. I deleted the message and
the gifs, so it's gone.

At least you are practicing Safe Hex, and are in good shape.
I used to feel safe opening pictures, but heard that some can now
contain a virus. Can a .GIF contain one?

I'll let someone else answer that.
 
A

Art

Can a .GIF contain a virus?

I was sent an email from someone I do not know. There was no text in
it, just two .GIF files. The message ID number (using arin.net) was
invalid. My email software does not view anything except plain text.
HTML is viewed as text too. I have to manually open attachments too.
Because of this, I was never exposed to any viruses or spyware.
I deleted the message and the gifs, so it's gone.

I used to feel safe opening pictures, but heard that some can now
contain a virus. Can a .GIF contain one?

Too bad you got rid of them. I would have liked to check them out.
See my web site for JPG-SCAN. This scanner detects one particular
series of JPG files containing embedded malicious code. The files
themselves are harmless enough and they can be viewed in a
image viewer. They cannot be Run since they aren't executeable, as
such. It requires companion malware to extract, decrypt and Run
the embedded malicious code.

To answer your question, yes, malicious code can be embedded
in or appended to any file. There's nothing new about that. Some
methods are far more sophisticated than others. In some cases,
the malicious code is "mixed in with" the image portion of the file
in a way that's not too noticeable to the human eye when the
image is viewed. Look up the word "steganography" if you're
interested in reading up on it.

Art
http://home.epix.net/~artnpeg
 
B

Bill ©

The files
themselves are harmless enough and they can be viewed in a
image viewer. They cannot be Run since they aren't executeable, as
such. It requires companion malware to extract, decrypt and Run
the embedded malicious code.


That makes sense. Thanks Art.
 
A

Art

Can a .GIF contain a virus?

I was sent an email from someone I do not know. There was no text in
it, just two .GIF files. The message ID number (using arin.net) was
invalid. My email software does not view anything except plain text.
HTML is viewed as text too. I have to manually open attachments too.
Because of this, I was never exposed to any viruses or spyware.
I deleted the message and the gifs, so it's gone.

I used to feel safe opening pictures, but heard that some can now
contain a virus. Can a .GIF contain one?

BTW, I failed to mention the usual newbie warning concerning so-called
hidden file extension tricks that are often used. One trick is to pad
the file name with spaces as:

sexypic.gif .exe

where the actual .exe file extension might well be missed in casual
observation. In such cases, the file isn't a image file at all, but
a executeable file.

Another trick is:

sexypic.gif.shs

where Windows hides the .shs (executeble scrap file) extension
and it looks like:

sexypic.gif

Anyway, it looks to me like you have some knowledge of "safe
hex" and you did precisely the right thing by deleting the
unsolicited email attackments :)

Art
http://home.epix.net/~artnpeg
 
D

Drax

BTW, I failed to mention the usual newbie warning concerning so-called
hidden file extension tricks that are often used. One trick is to pad
the file name with spaces as:

sexypic.gif .exe

where the actual .exe file extension might well be missed in casual
observation. In such cases, the file isn't a image file at all, but
a executeable file.

Another trick is:

sexypic.gif.shs

where Windows hides the .shs (executeble scrap file) extension
and it looks like:

sexypic.gif

Anyway, it looks to me like you have some knowledge of "safe
hex" and you did precisely the right thing by deleting the
unsolicited email attackments :)

Art
http://home.epix.net/~artnpeg

You don't need to put spaces then exe just change the extension from
exe to jpg. If someone Double Clicks on a file even a file with the
wrong extension it will still launch the program.

Never Double Click on anything you get in e-mail even if its not an
exe file it could still be a virus or a worm.
 
A

Art

You don't need to put spaces then exe just change the extension from
exe to jpg. If someone Double Clicks on a file even a file with the
wrong extension it will still launch the program.

In what operating system and under what conditions? Seems to me
I've heard of Win XP pulling strange stunts like that where it
examines the file type and will actually execute a file with, say,
a .jpg file extension that's actually a EXE or other executeable
file. But on other (saner) versions of Windows, it goes by file
extension and not file type.

Art
http://home.epix.net/~artnpeg
 
J

James Egan

You don't need to put spaces then exe just change the extension from
exe to jpg. If someone Double Clicks on a file even a file with the
wrong extension it will still launch the program.

It will only do that if the "wrong" extension isn't associated with
something else. For example, if Irfanview is associated with jpegs, a
word .doc renamed to .jpg will attempt (and fail) to open in Irfanview
whereas renaming it to .h1z will probably open it successfully in ms
word.


Jim.
 
T

tjwatkins

You don't need to put spaces then exe just change the extension from
exe to jpg. If someone Double Clicks on a file even a file with the
wrong extension it will still launch the program.

Never Double Click on anything you get in e-mail even if its not an
exe file it could still be a virus or a worm.

I dont understand this. If I open a file with .JPG extension, my
picture viewer software tries to open it, and gives me an error
message. I just tried it, using a safe .EXE file (notepad.exe).
I backed up notepad.exe, then renamed the backup file to notepad.jpg.
My photo viewer tried to open it, gave me a blank screen and an error
message that said "Invalid Format".

By the way, I am running Win98SE.

And, yes, I have received several files named something like
something.jpg .exe
I watch for that, and they immediately go to the trash.

TJ
 
T

tjwatkins

Too bad you got rid of them. I would have liked to check them out.
See my web site for JPG-SCAN. This scanner detects one particular
series of JPG files containing embedded malicious code. The files
themselves are harmless enough and they can be viewed in a
image viewer. They cannot be Run since they aren't executeable, as
such. It requires companion malware to extract, decrypt and Run
the embedded malicious code.

To answer your question, yes, malicious code can be embedded
in or appended to any file. There's nothing new about that. Some
methods are far more sophisticated than others. In some cases,
the malicious code is "mixed in with" the image portion of the file
in a way that's not too noticeable to the human eye when the
image is viewed. Look up the word "steganography" if you're
interested in reading up on it.

Art
http://home.epix.net/~artnpeg

Next time I'll save a file like that and send it to you.

I am looking at your web page and just downloaded the file.

I got a question. I thought about this right off the bat.
If I get a .JPG or .GIF that does contain malware, and edit it with a
graphic editor (I normally use an older version of Paint Shop Pro),
will the malware still exist in the file after I edit it? For
example, lets say I get a pic of a dog, and it has "red eye". So I
open the file with PSP, and darken the red in the eye, and save the
repaired picture. After I save it, will the malware remain, or did my
editing destroy it? To fix the red eye, I probably changed 10 pixels
at most. But what else did I change? Did I destroy the malware
(assuming it had some).

I'm asking, because if I get a suspicious picture, it's easy enough to
open it in my photo editor, and simply change one pixel along the
border, or in a cloud, or any inconspicuous place, and save the photo.
If the editing destroys any malware, that would be an easy way to
solve the problem. (if it works that way). I have played with enough
graphics that I know how to change any picture and no one will notice.

TJ
 
D

Drax

I dont understand this. If I open a file with .JPG extension, my
picture viewer software tries to open it, and gives me an error
message. I just tried it, using a safe .EXE file (notepad.exe).
I backed up notepad.exe, then renamed the backup file to notepad.jpg.
My photo viewer tried to open it, gave me a blank screen and an error
message that said "Invalid Format".

By the way, I am running Win98SE.

In Win 2000 and everything after that Windows using it own software to
run programs unless you change Windows setting.
 
A

Art

Next time I'll save a file like that and send it to you.

Thanks. My email addy is the README.TXT included in JPG-SCAN.ZIP.
I am looking at your web page and just downloaded the file.

I got a question. I thought about this right off the bat.
If I get a .JPG or .GIF that does contain malware, and edit it with a
graphic editor (I normally use an older version of Paint Shop Pro),
will the malware still exist in the file after I edit it? For
example, lets say I get a pic of a dog, and it has "red eye". So I
open the file with PSP, and darken the red in the eye, and save the
repaired picture. After I save it, will the malware remain, or did my
editing destroy it? To fix the red eye, I probably changed 10 pixels
at most. But what else did I change? Did I destroy the malware
(assuming it had some).

Clearly, you have in mind one of the more sophisticated steganographic
methods where the code is "mixed in with" the image. Altering the
brightness slightly has been suggested as a possible method of
neutering the malware in that case. But where are you going with
this? Toward a _practical_ and sure-fire method of batch processing
all image files to clean them? Lotsa luck proving it out for all
possible steganographic methods :)
I'm asking, because if I get a suspicious picture, it's easy enough to
open it in my photo editor, and simply change one pixel along the
border, or in a cloud, or any inconspicuous place, and save the photo.
If the editing destroys any malware, that would be an easy way to
solve the problem. (if it works that way). I have played with enough
graphics that I know how to change any picture and no one will notice.

As I implied, I'm not aware of any general sure-fire methods along
those lines that can be proven to work in all possible cases.

In the case of the type of image files JPG-SCAN is designed to detect,
the image itself is not "infested". The malicious code is simply
appended to the end of the file. Now, it so happens that if Irfanview
(a freeware image viewer) is used to simply Save the file, it strips
off the appendage, thus neutering the file. But from a practical
POV, it's far better to use my JPG-SCAN program instead of batch
processing all your image files through Irfanview. For one thing,
my scanner doesn't alter your legit JPG files in any way. Irfanview
does. If you choose 100% quality, the file sizes increase by a
large factor without increasing image quality.

So, the idea of using a converter (it's called) is one that's not
easy to follow up on in a practical or simple way. Much work
and theoretical proofs would have to be done. It would be a
enormous task.

Art
http://home.epix.net/~artnpeg
 
V

Virus Guy

The message ID number (using arin.net) was invalid.

Huh?

arin.net will tell you where a given IP address is located
(geographically). It has nothing to do with message ID numbers in
e-mail.
I deleted the message and the gifs, so it's gone.

For the past month or two, many stock P&D spam is being sent as a
single attached image file - no text at all in the message body.
Total message size ranges from 25k to 50k. That's what you probably
got.

They are sent as .GIF attachments (as opposed to JPG) because text is
better rendered as an image if it's converted to GIF format. Also
results in a smaller file size.
 
T

tjwatkins

In Win 2000 and everything after that Windows using it own software to
run programs unless you change Windows setting.

That is one of many reasons I do not care to upgrade. Win98 works
just fine for my needs, since I dont play games or need lots of power.
I like the idea that "I" am still in control of my computer. I have a
friend that uses XP and is always telling me that her computer does
things she did not authorize, then asks me if I can fix it. My answer
is NO. I wont even touch XP. If it was Win95, 98, or ME, not a
problem....
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top