More JPEG GDI+ Exploits

As could probably be expected, intruders have begun using AOL Instant Messenger (AIM) to exploit unsuspecting users with the JPEG GDI+ vulnerability.

As previously reported (see JPEG GDI+ Trojan Unleashed), intruders have unleashed a JPEG image file that systematically installs a Trojan on an affected user's computer. The image file was initially posted to several Usenet newsgroups.

In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads the viewing user's computer is then infected.

Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe” are spreading although neither appears to have spread to more than 50 computers at the time of this writing.

Since JPEG images are widely used and the nature of JPEG GDI+ vulnerability allows intruders to craft complex exploits other Trojans, worms, and viruses are sure to begin propagating sooner rather than later.

To guard against infected Administrators should ensure that systems are patched against the problems described in Microsoft bulletin MS04-028, and also be aware that older systems (which might not be indicated in Microsoft's bulletin) could be affected the problems. Tools are available to discover vulnerable DLLs and those DLLs should be replaced with updated versions.