Exploit in jpg file. Possible?

[boromyr 0]

Hi, I get this warning in which Nod32 finds an Exploit in the image files that are downloaded from the "Dynamic Theme" app, downloaded from the Microsoft Store. This app downloads daily Bing images and sets them as your desktop wallpaper, it does nothing else. Is this a false positive or should I worry?

 

[Marcos 5,074]

It's possible that image files contain an exploit. This particular detection is from 2013 so the file should be analyzed in order to tell if it's clean or not.

Please email the jpg file in an archive protected with the password "infected" to samples[at]eset.com.

[boromyr 0]

OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com right?

[Marcos 5,074]

2 minutes ago, boromyr said:

OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com right?

Correct. It can be also rar if not zip.

[boromyr 0]

Done, I also inserted the xml file of the exported survey. The strange thing is that on virustotal or with the normal scan I don't get any detection, but only when wsearch accesses the file to index it. https://www.virustotal.com/gui/file-analysis/MjY5NWUxZjk1MDFkY2M0ODk5ZGY1MDg2YzZiZmYzMjA6MTY1MTgzOTE2MQ==

[Marcos 5,074]

The file is detected neither by ESET nor by other AVs. Please provide ELC logs to compare hashes.

[boromyr 0]

I am creating the log file with ESET Log Collector with the profile "Threat detection, do I always have to email it to the previous address?

[Marcos 5,074]

You can upload the logs here. Attachments are accessible only by the ESET staff and are deleted after some time. In this case we don't need the registry dump do standard logs with all quarantined will suffice.

[boromyr 0]

Can anyone else see or download them? I would prefer to send them to you by private message or by email.

[Marcos 5,074]

I've installed Dynamic theme from MS store without anything being detected.

[boromyr 0]

You should have Windows indexing enabled and select the AppData \ Local folder among the paths to be indexed. Detection occurs when Windows search tries to access it. You should also have the wallpaper set for WinSpotlight and update.

[itman 1,659]

As far as MS04-028, it's an "ancient" exploit only affecting Win XP and 2003 and like "ancient" software associated with those OSes: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-028?redirectedfrom=MSDN .

Assuming your not running Win XP, I am really questioning Eset's detection here.

[boromyr 0]

Okay, I'm using Windows 11, so I could add it to the ignore list with confidence?

[Marcos 5,074]

I'd suggest you choose to clean the detected file, then collect logs with ESET Log Collector and "Threat detection" template selected in the ELC menu and provide me with the generated file. After we've analyzed the file you could restore the file from quarantine if it turns out to be FP.

[boromyr 0]

Ok thanks, then I'll wait for the problem to recur, and create the log file immediately after the event.