Virus from camera?

Guest

Can you get a virus from importing photos from a digital camera?
We had a Trojan pop up the other day when we imported some photos from a
Concord digital camera.
Every time we opened the Windows Photo Gallery from that certain user, the
Trojan would come up and McAfee could not quarantine it. I think I deleted
it when I deleted the picture files? I have run 2 scans since and it has not
shown up.
 
Tom

It could be a false positive. I bought and downloaded a program on the
internet and it stated that I might get a warning of a trojan and to ignore
it. It was a known problem.
 
Guest

That very well could be. I tried to find the file that it gave as the
infested file and I could not locate it. I even ran three different
anti-virus programs and they did not locate it?..... Thanks for the
post......It could very well be that!
 
Guest

Was the trojan bloodhound.exploit.13? I think that's a false positive from
Symantec Anti Virus. Others have reported the same thing.
 
Guest

> It could be a false positive. I bought and downloaded a program on the
> internet and it stated that I might get a warning of a trojan and to ignore
> it. It was a known problem.

An awful lot of trojans tell you in the readme that you may get a security
warning that you are about to install a trojan and that you should ignore
such a warning. Are you sure you didn't just pay for a trojan?
 
Guest

I have a digital camera and all I did was import some pictures I had taken.
When my daughter opened her Windows Photo Gallery, the Trojan warning from
McAfee popped up! It said it could not quarantine it, would I like to remove
it. I deleted the photos from her gallery and now I can't find any kind of
Trojan warning or I could not find the file path the warning gave......Which
was "ExploitMS04-028"....Or something of that sort!
 
Guest

> I have a digital camera and all I did was import some pictures I had taken.
> When my daughter opened her Windows Photo Gallery, the Trojan warning from
> McAfee popped up! It said it could not quarantine it, would I like to remove
> it. I deleted the photos from her gallery and now I can't find any kind of
> Trojan warning or I could not find the file path the warning gave......Which
> was "ExploitMS04-028"....Or something of that sort!

Did it say "ExploitMS04-028"? That's the same thing as the
bloodhound.exploit.13. It's a really old vuln.

I'm getting worried here though. Either both Symantec and McAfee use the same
detection logic and find the same false positive, or there really is a
problem. I have a hard time believing that though. That issue was hardly
exploited in the first place.

What kind of camera is it? I think you should place a support call to the AV
vendor and ask them.
 
Guest

The camera is a Concord Q, 3042F.
I ran the AVG AV, I also ran McAfee AV, and I downloaded the McAfee
Stinger, and ran it, and now the Trojan can't be found!.....It was the
MS04-028, it said it was from 2004??? I can't find it anywhere now?
 
Guest

> The camera is a Concord Q, 3042F.
> I ran the AVG AV, I also ran McAfee AV, and I downloaded the McAfee
> Stinger, and ran it, and now the Trojan can't be found!.....It was the
> MS04-028, it said it was from 2004??? I can't find it anywhere now?

Well, that's good. I suppose it could happen that the camera software itself
has malware, but I hold that for reasonably unlikely. It has happened in the
past though. Apple once spread a virus by including it with the iPod.

What bothers me about this is that two different AV manufacturers suddenly
start detecting the same, three year old, low-risk threat. This can't be
coincidence. Their detection mechanisms must use some property of the jpg
file that is being set by certain new cameras.
 
Guest

I may need to clarify a little! McAfee was the first and only one to detect
the trojan. Since I deleted the folder and have been running all the scans,
it has yet to rear its ugly head. I hope it's gone!
Thank you for continued correspondence, it's nice to have someone interested
in helping.
 
Guest

> I may need to clarify a little! McAfee was the first and only one to detect
> the trojan. Since I deleted the folder and have been running all the scans,
> it has yet to rear its ugly head. I hope it's gone!
> Thank you for continued correspondence, it's nice to have someone interested
> in helping.

No, I got that. It's just that someone else, on a different thread last
week, had the same exact experience using Symantec. That's what bothers me.

Let me know if it recurs. I'm really interested.
 
vanilla

Back in December, while I was still running XP Pro, a friend asked me to
help with getting her pictures from a Secure Digital card onto a CD. So, I
brought her SD card home, put it in the reader, and began the transfer.
While the thumbnails were drawing, I noticed that two of the files had
heavily pixelated thumbs ... there was sudden network activity ... then
those two files disappeared.

I thought about this for a long time. Steganographic phoning home to camera
manufacturer? Is that even possible? I won't mention the other really
paranoid thoughts ... anyway, you guys are not alone with weird photo
uploads.

.... vanilla ...
 
Guest

> Well, the problem happened again today! I started to import some more
> pictures to my computer, and as soon as I began to import the warning popped
> up again........."MS04-028." So I immediately stopped the import and deleted
> what had been downloaded, and ran the scans......"NO Viruses Found" SO.....
> The Trojan is in the camera I suppose?

No. Judging from the other thread the Windows Photo Gallery does something
to the pictures when it downloads them which causes the AV programs to flag
them. I do not believe there is a trojan on your camera. I believe that the
AV programs are flagging false positives based on the fact that their
detection mechanism finds whatever Windows Photo Gallery is doing suspicious.

I am going to raise this to Microsoft and see if they can contact the AV
vendors. In the meantime, I encourage you to do the same.
 
Guest

Well, the problem happened again today! I started to import some more
pictures to my computer, and as soon as I began to import the warning popped
up again........."MS04-028." So I immediately stopped the import and deleted
what had been downloaded, and ran the scans......"NO Viruses Found" SO.....

The Trojan is in the camera I suppose?
Is there a way to scan the camera or remove the Trojan from the camera?
Again...the camera is a "Concord Q eye 3042AF".

Any help or suggestions will be appreciated.
 
cquirke (MVP Windows shell/user)

On Tue, 27 Mar 2007 17:59:24 -0700, Jesper

Google( MS04-028 )

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Google( MS04-028 Camera Vista ) ...nothing immediately useful...

Several malware do infect removable storage devices, much as DOS-era
viruses infected diskettes (TMTC,TMTSTS). Cameras may be seen and
infected as such. Then when Windows "autoplays" the device, wham!

> No. Judging from the other thread the Windows Photo Gallery does something
> to the pictures when it downloads them which causes the AV programs to flag
> them. I do not believe there is a trojan on your camera. I believe that the
> AV programs are flagging false positives based on the fact that their
> detection mechanism finds whatever Windows Photo Gallery is doing suspicious.

My guess; adding an ADS to the files as they are saved to the HD's
NTFS? If something pops up wanting to "tag" such files, then see
whether mileage varies if you say no or yes.

> I am going to raise this to Microsoft and see if they can contact the AV
> vendors. In the meantime, I encourage you to do the same.

I'd like to see what they say...


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
 
Guest

> My guess; adding an ADS to the files as they are saved to the HD's
> NTFS? If something pops up wanting to "tag" such files, then see
> whether mileage varies if you say no or yes.

Yep. It wouldn't surprise me at all if the AV programs look for an alternate
data stream, or an alternate data stream named with something specific. I
doubt they have particularly sophisticated detection for that issue. The
malware they are detecting was never widely used in the first place,
decreasing the likelihood that this is a real issue.

> I'd like to see what they say...

So far, nothing. I was hoping they would raise it to their contacts at the
AV vendors, but I am not convinced they will.
 
cquirke (MVP Windows shell/user)

On Wed, 28 Mar 2007 07:04:01 -0700, Jesper

> Yep. It wouldn't surprise me at all if the AV programs look for an alternate
> data stream, or an alternate data stream named with something specific. I
> doubt they have particularly sophisticated detection for that issue. The
> malware they are detecting was never widely used in the first place,
> decreasing the likelihood that this is a real issue.

I've seen a fair bit of ADS malware, and quite aggressive usage too
(e.g. ADS added to key files like System.ini), even though only a
minority of systems I deal with use NTFS at all.

The most severe case had about three different malware, with several
variations of each, banging away at hundreds of files via ADS attached
to them. AntiVir 6 coped best with these.

Add to that the COMPLETE absence of UI to manage ADS, and it is a very
significant malware risk. Also, as the ADS of a file is generally
seen as the same as the host file when viewed as a process (e.g.
Ctl+Alt+Del Task List), ADS may be relevant in traversing firewalls
that monitor outgoing traffic on a per-application basis.

Avoiding ADS is a good reason to avoid NTFS :)



-------------------- ----- ---- --- -- - - - -
Hmmm... what was the *other* idea?
 
vanilla

Sorry it happened again, BalRocket ... this might not be a virus ... maybe
it has something to do with EXIF info, or new kinds of metadata that is not
yet recognized as such by the AV vendors ... until we all find out what is
going on, I think you have the right idea about scanning the files before
importing. This will be fairly easy to do with memory cards but not sure how
to stop, scan and then restart with USB or firewire imports. As far as
scanning the camera itself, I have no idea how that might be done ... would
be surprised to find out it was possible.

vanilla
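
As an added illustration of the "scan the files before importing" idea above (not code from any poster in this thread or from an AV vendor): MS04-028 is a flaw in how GDI+ parses JPEG files, so one thing that can be checked on a file copied from a memory card, without opening it in a viewer, is whether its segment headers are well formed. The byte strings are constructed samples and the function name is hypothetical. Nothing here reproduces how McAfee or Symantec actually detect the issue.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def check_jpeg_segments(data: bytes) -> list[str]:
    """Walk the marker segments of a JPEG header and report structural faults."""
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    findings, pos = [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected a marker, found 0x{data[pos]:02X}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            break
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:  # EOI: end of image
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"offset {pos}: file ends before the length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:  # the length field counts its own two bytes
            findings.append(f"offset {pos}: marker 0xFF{marker:02X} declares length {length}")
            break
        if pos + length > len(data):
            findings.append(f"offset {pos}: marker 0xFF{marker:02X} runs past end of file")
            break
        if marker == 0xDA:  # SOS: compressed image data follows, stop here
            break
        pos += length
    return findings

# Constructed sample inputs (not taken from any real camera or detection).
GOOD = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
        + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9")
BAD_LENGTH = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"
TRUNCATED = b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", 500) + b"Exif\x00\x00"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad length", BAD_LENGTH), ("truncated", TRUNCATED)]:
        print(name, check_jpeg_segments(blob) or "ok")
```

An empty result only means the header segments are structurally consistent; it says nothing about alternate data streams or other metadata added after the copy.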
 
