Help me identify the source [of a computer virus, maybe a jpeg]!?

OK, here’s a head-scratcher - I’ll tell you the story first.

An employee at my company took a picture of a piece of equipment with his Galaxy Note smartphone. He sent that picture via text message to my boss’s phone, a Blackberry Bold (the newest one Verizon offers).

My boss saved that picture to his phone, and then sent it to his own email address, so he could view it on his computer and zoom in on the part of the equipment that needed repairs. He opened the email by simply double clicking the attachment in Microsoft Outlook - so “Windows Picture Viewer”, being the default program, opened up the .jpeg file. He closed the image. Around this time, my boss said he started getting random advertisements pertaining to a variety of products, and every time he opened Internet Explorer he got a “Script Error” message. He just closed the window with the red X in the corner, and gave up browsing the internet after a few tries. No further issues. He didn’t notice anything out of the ordinary with that…and proceeded as though all was right with the world. (Clearly it was not.)

He forwarded that picture via email to me. I didn’t open the picture. I “previewed” it in Outlook, and then forwarded it on to my secretary to print out and attach to our job file. No ill effects for me.

My boss asks me to come take a look at his computer, and try to figure out what’s wrong with his browser…before you know it, we’ve got dozens of open Internet Explorer instances all with the same “Script Error” message.

My secretary opened the .jpeg the same way, double clicking the attachment and windows picture viewer opened it. She immediately got hundreds of Internet Explorer windows opening up, with a “Script Error” message each time. She unplugged the computer. Upon re-boot, she deleted the email, and didn’t have any other problems.

Our “computer guy” - he’s actually an industrial PLC programmer, but knows his way around operating systems - spent the better part of the day trying to restore normal operation to my boss’s PC. He ended up having to boot to a flash drive containing a Linux-based “Comodo” something or other, and eventually used Norton Power Eraser to remove the virus. It was “Win32/Qakbot”.

He scanned my secretary’s computer also, but found no traces of anything malicious.

Where did this virus come from? Everybody wants to blame the original employee who took the picture - since opening the picture (on two different PCs) initiated the virus attack. But that picture passed through my boss’s phone also - and his email box is the most cluttered mess I’ve ever seen. Spam a-plenty. Any ideas on whose phone or PC to throw into a fire?

Also, I’ve done a lot of reading on viruses being contained within a .jpeg. The consensus is that the .jpeg itself can’t be a virus, as it’s not a .exe; however, a virus can somehow mask itself to appear as a legitimate .jpeg and even contain the information to allow you to view a .jpeg, which makes it impossible to detect without looking at a non-truncated file name (Outlook truncates them all the time). So I’m not saying the picture was a virus, but it certainly provided the vehicle for the virus to ride along on.

So, anyone have any ideas?

I don’t need help removing it - I just wanted to know if it was possible to isolate the source by following the progression of events.

Thanks in advance for any replies.

Do you have a gmail account?

Forward the picture (from the phone) in one email.
Forward the email you forwarded to the secretary in another email.

See if gmail flags it. Try and look at the raw code in gmail (something like view source) to see what the attachments really are.

Don’t click (obviously) on either.

If it was an .exe masquerading as a .jpg, I’m pretty sure Outlook wouldn’t have been able to preview the image.
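The suggestion above to look at the raw message and see what the attachments really are can be done offline. The script below is an added example for this thread, not code from any poster: it parses a constructed sample .eml (both attachments and their contents are made up here), lists every attachment’s full extension chain regardless of how a mail client truncates the name, and sniffs the leading bytes of the payload, so a file that is really a PE executable (starts with `MZ`) is reported even when it is named and declared as `image/jpeg`.

```python
"""Audit e-mail attachments by content, not by displayed file name.

Added example for this thread, not any poster's code. The .eml built in
build_sample_eml() is constructed sample input: a genuine (minimal) JPEG
and a PE executable whose name pads the '.exe' out of a truncated column.
"""
import base64
import email
import os

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG Start-Of-Image marker
PE_MAGIC = b"MZ"               # DOS/PE executable header

# Extensions Windows executes on double-click (subset, for illustration).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def sniff(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name entirely."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    return "unknown"


def extension_chain(filename: str) -> list:
    """Every extension in the name, e.g. 'a.jpg   .exe' -> ['.jpg', '.exe']."""
    exts = []
    base = filename.strip()
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            break
        exts.append(ext.strip().lower())   # strip() removes padding spaces
    return list(reversed(exts))


def audit_attachments(raw_eml: bytes) -> list:
    """Return one finding per attachment: declared type, sniffed type, reasons."""
    msg = email.message_from_bytes(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "(no name)"
        payload = part.get_payload(decode=True) or b""
        exts = extension_chain(name)
        last_ext = exts[-1] if exts else ""
        kind = sniff(payload)
        reasons = []
        if last_ext in EXECUTABLE_EXTS:
            reasons.append("final extension is executable: " + last_ext)
        if len(exts) > 1:
            reasons.append("double extension: " + "".join(exts))
        if last_ext in (".jpg", ".jpeg") and kind != "jpeg":
            reasons.append("named as JPEG but content is " + kind)
        if kind == "pe-executable":
            reasons.append("content starts with PE header 'MZ'")
        findings.append({
            "name": name,
            "declared_type": part.get_content_type(),
            "sniffed": kind,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


def build_sample_eml() -> bytes:
    """Constructed message: one real JPEG header, one PE stub named like a JPEG."""
    jpeg_bytes = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # minimal JPEG/JFIF header
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 60            # DOS header stub only
    disguised = ("equipment.jpg" + " " * 12 + ".exe").encode()
    lines = [
        b"From: boss@example.invalid",
        b"To: me@example.invalid",
        b"Subject: FW: equipment photo",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: text/plain",
        b"",
        b"Picture attached.",
        b"--b1",
        b'Content-Type: image/jpeg; name="equipment.jpg"',
        b'Content-Disposition: attachment; filename="equipment.jpg"',
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(jpeg_bytes),
        b"--b1",
        b'Content-Type: image/jpeg; name="' + disguised + b'"',
        b'Content-Disposition: attachment; filename="' + disguised + b'"',
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(pe_bytes),
        b"--b1--",
        b"",
    ]
    return b"\r\n".join(lines)


if __name__ == "__main__":
    for finding in audit_attachments(build_sample_eml()):
        print(finding)
```

Run it against a saved .eml instead of the constructed one by reading the file in binary mode and passing the bytes to `audit_attachments`. The declared `Content-Type` is attacker-controlled and is only reported for comparison; the verdict rests on the magic bytes and the full extension chain.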

Guy that sent the original pic isn’t having problems. Boss is. That decides it for me.

Yeah - I’m not quite getting how the original guy is getting blamed for this :)

Perhaps it has something to do with other guy being the boss…

Why do you think there is anything more at work here than coincidence? “Around the time” your boss viewed an image, he got a virus. That’s all we know.

I’m not even sure the script error you saw was related to the virus… that could easily happen if the boss and secretary both had the same web application open, and that web application screwed up.

EDIT: To answer your question, “where did the virus come from?” I’d say your boss is either running outdated software that has security holes, like an old version of Java or Flash, and was exploited. Or he goes to seedy sites after hours and caught it there. Obviously don’t propose the second one in front of him. ;)

Speaking as a cell phone designer, I have a hard time imagining any mechanism that allows a phone to take a picture, send it via text (really MMS), or attach it to an e-mail, resulting in a virus. Unless one of the phones has a virus. And I’m not aware of any real viruses in the cell phone world.

I agree that coincidental timing is the most likely answer.

Well the reason that particular email was focused in on - is because when it was forwarded to me, and then on to my secretary, she opened the attachment and got the virus. She killed the power to the computer before it took hold though.

I agree it’s likely that the boss’s computer may have been the source, but the fact that it didn’t “activate” until he opened that particular email, and viewed that particular image is what makes me think it’s got something to do with the porn-ridden smart phone that the original employee used to take the picture.

W32/Perrun-A is one possibility:

This virus, which likely has since had many new names and signatures over the years, is spread by normal jpg files. But to work it requires the user to have an already infected system. The infection changes the registry keys to associate jpg files with a hidden executable that the user somehow already wound up with on their system. Once infected, each time that user double-clicks a jpg file, the ‘virus.exe’ is launched and does its work in the background while it launches the photo viewer to display the image to the user.

It may be possible they had this virus and also had “Win32/Qakbot” at the same time by coincidence, or maybe there is some hybrid variant of the two.

“Win32/Qakbot” is itself a pretty serious trojan horse that would have been detected by any decent antivirus software written in the past 10 years. It sounds like the system was completely unprotected and any number of other things could have been infecting it at the same time.
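The file-association hijack described in the post above can be checked from an exported copy of the registry without touching the suspect machine. The script below is an added example for this thread, not any poster’s code. It parses `.reg`-syntax text, follows `.jpg` to its ProgID and then to `shell\open\command`, and flags a handler that lives in a user-writable directory or borrows a system binary’s name from outside System32. Both exports are constructed here and simplified to plain strings (on a real Windows 7 box the Photo Viewer command is stored as REG_EXPAND_SZ); the `svchost.exe` path in the “infected” sample is made up.

```python
"""Offline audit of the Windows .jpg handler chain from a .reg export.

Added example for this thread, not any poster's code. SAMPLE_REG_EXPORT and
CLEAN_REG_EXPORT are constructed; the temp-directory svchost.exe is invented
to illustrate a hijacked handler, the second is the Windows 7 Photo Viewer.
"""
import ntpath
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile]
@="JPEG Image"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="\"C:\\Users\\boss\\AppData\\Local\\Temp\\svchost.exe\" \"%1\""
'''

CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.jpg]
@="jpegfile"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"
'''

# Path fragments a normal user can write to; a handler here is a red flag.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Names malware likes to borrow; legitimate copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path_lower: {value_name: value}}; '@' is the default."""
    keys, current = {}, None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = _unescape(raw[1:-1])
            else:
                keys[current][name] = raw     # dword:/hex: values kept verbatim
    return keys


def executable_from_command(command: str) -> str:
    """Pull the program path out of a shell\\open\\command value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_jpg_handler(reg_text: str, ext: str = ".jpg") -> dict:
    """Follow ext -> ProgID -> shell\\open\\command and judge the handler."""
    keys = parse_reg_export(reg_text)
    root = "hkey_classes_root\\"
    progid = keys.get(root + ext.lower(), {}).get("@")
    if not progid:
        return {"handler": None, "suspicious": True, "reasons": ["no ProgID for " + ext]}
    command = keys.get(root + progid.lower() + "\\shell\\open\\command", {}).get("@")
    if not command:
        return {"progid": progid, "handler": None, "suspicious": True,
                "reasons": ["no open command for " + progid]}
    exe = executable_from_command(command)
    exe_l = exe.lower()
    reasons = []
    if any(marker in exe_l for marker in USER_WRITABLE):
        reasons.append("handler lives in a user-writable directory")
    if ntpath.basename(exe_l) in SYSTEM_NAMES and "\\system32\\" not in exe_l:
        reasons.append("system binary name outside System32: " + ntpath.basename(exe))
    return {"progid": progid, "command": command, "handler": exe,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, export in (("infected", SAMPLE_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, audit_jpg_handler(export))
```

On a live system the export would come from `reg export HKCR\.jpg` and `reg export HKCR\jpegfile`; per-user overrides under `HKCU\Software\Classes` take precedence over HKCR and should be exported and checked the same way, since a malicious association planted there would not show in the HKCR export alone.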

It’s theoretically possible that the phone has a virus. It would have to somehow hook into the MMS stack or the file system to modify the picture. I’m not an Android internals guy, so I’m not sure how likely that is. I can tell you that in roughly 10 years of design work in smart phones, I don’t remember ever encountering a real virus for phones. Just rumors and anti-virus apps. But it is possible.
Um… do you have any spare computers lying around? You could do some experiments and try to figure it out.
ETA: I like Crazyhorse’s thoughts there. It makes sense of all the details we have.

Title edited to indicate subject.

Colibri
General Questions Moderator