da_cash
CODE
JPEGScan
A Free Detection & Repair Scanner for
Exploit.MS04-028 (GDIPlus JPEG Vulnerability)

What is the MS04-028 JPEG exploit?
On September 14 2004, Nick DeBaggis discovered a buffer overrun vulnerability in gdiplus.dll - a library used by many common applications (including most Microsoft applications) for viewing JPEG images. Subsequent analysis by the eEye team confirmed that the vulnerability could be exploited to execute arbitrary code, allowing an attacker to gain control of a remote system simply by enticing the victim to look at a specially-crafted JPEG image. MS04-028 is the tracking code assigned by Microsoft to this specific vulnerability.

So infection can occur simply by looking at a JPEG?
If the program used to view the JPEG file uses a vulnerable version of gdiplus.dll then yes, and unfortunately a lot of software is affected. To scan for vulnerable versions of gdiplus.dll on your system please see these resources: Microsoft  SANS

What is JPEGScan?
DiamondCS JPEGScan is a free, small, fast and easy-to-use scanner that has detection and repair capabilities for JPEG files infected with the MS04-028 exploit. It can detect all known variants of the exploit, and accomplishes this not by string searching or anti-viral signature scanning but rather by properly walking through all blocks in the JPEG searching for the undersized boundaries in comment sections that indicate the presence of MS04-028 infection. Repairing renders the file harmless by readjusting undersized boundaries to their proper size, and if the file was based on a real JPEG then it should also become viewable. If you simply want infected files deleted rather than repaired, JPEGScan can handle that also. JPEGScan also allows for one-click integration into Explorer's context menu, allowing you to easily right-click on any file, directory or drive and start scanning immediately for infected JPEG images. Although all users will find this tool useful, network administrators in particular will enjoy being able to sweep entire networks for infected images. For reasons of speed, optimization and accuracy, the main scan routines were written in assembly language, making JPEGScan basically as fast as it possibly can be.


http://www.diamondcs.com.au/jpegscan/


and the links

GUI

http://www.diamondcs.com.au/jpegscan/jpegscan-gui.zip

CONSOLE
http://www.diamondcs.com.au/jpegscan/jpegscan-cui.zip
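
The block-walking check described in the post above, as an added Python example (not JPEGScan's own code, which the description says is written in assembly). It assumes the MS04-028 condition is a comment (FF FE) segment whose 2-byte length field is 0 or 1; the field counts its own two bytes, so a valid value is never below 2. Function names and sample bytes are constructed, and rewriting the length to 2 is an assumed reading of "proper size".

```python
import struct

COM, EOI = 0xFE, 0xD9
# Marker codes with no length field: stuffed byte (FF00), TEM, RST0-RST7, SOI, EOI.
NO_LENGTH = {0x00, 0x01, 0xD8, EOI} | set(range(0xD0, 0xD8))

def find_undersized_comments(data: bytes) -> list:
    """Offsets of the length field of every COM segment declaring a length < 2."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    hits, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF or data[pos + 1] == 0xFF:
            pos += 1                      # entropy data, junk or fill byte: resync
            continue
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            break                         # truncated segment header
        (length,) = struct.unpack_from(">H", data, pos)
        if marker == COM and length < 2:
            hits.append(pos)
        pos += max(length, 2)             # never step back over the length field
    return hits

def repair(data: bytes) -> bytes:
    """Rewrite each undersized COM length to 2, i.e. an empty comment (assumption)."""
    fixed = bytearray(data)
    for off in find_undersized_comments(data):
        fixed[off:off + 2] = b"\x00\x02"
    return bytes(fixed)

# Constructed sample files: minimal segment sequences, not decodable images.
def _seg(marker, payload=b"", length=None):
    n = len(payload) + 2 if length is None else length
    return bytes([0xFF, marker]) + struct.pack(">H", n) + payload

APP0 = _seg(0xE0, b"JFIF\x00" + bytes(9))
CLEAN = b"\xff\xd8" + APP0 + _seg(COM, b"hello") + b"\xff\xd9"
SUSPECT = (b"\xff\xd8" + APP0 + _seg(COM, b"AAAA", length=0)
           + _seg(COM, length=1) + b"\xff\xd9")
```
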
[N0N4M3]
It's a real good tool.
Thank you very much