
Exploit in jpg file. Possible?



Hi, I get this warning in which Nod32 finds an Exploit in the image files that are downloaded from the "Dynamic Theme" app, downloaded from the Microsoft Store. This app downloads daily Bing images and sets them as your desktop wallpaper, it does nothing else. Is this a false positive or should I worry?



  • Administrators

It's possible that image files contain an exploit. This particular detection is from 2013 so the file should be analyzed in order to tell if it's clean or not.

Please email the jpg file in an archive protected with the password "infected" to samples[at]eset.com.


OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com right?


  • Administrators
2 minutes ago, boromyr said:

OK thanks. Does the archive have to be in .zip format? The email would be samples[at]eset.com right?

Correct. It can also be rar if not zip.


Done, I also inserted the xml file of the exported survey. The strange thing is that on virustotal or with the normal scan I don't get any detection, but only when wsearch accesses the file to index it. https://www.virustotal.com/gui/file-analysis/MjY5NWUxZjk1MDFkY2M0ODk5ZGY1MDg2YzZiZmYzMjA6MTY1MTgzOTE2MQ==


  • Administrators

The file is detected neither by ESET nor by other AVs. Please provide ELC logs to compare hashes.


  • Administrators

You can upload the logs here. Attachments are accessible only by the ESET staff and are deleted after some time. In this case we don't need the registry dump, so standard logs with all quarantined files will suffice.


Can anyone else see or download them? I would prefer to send them to you by private message or by email.


  • Administrators

I've installed Dynamic theme from MS store without anything being detected.


You should have Windows indexing enabled and select the AppData\Local folder among the paths to be indexed. Detection occurs when Windows Search tries to access it. You should also have the wallpaper set for Windows Spotlight and update.


As far as MS04-028 goes, it's an "ancient" exploit only affecting Win XP and 2003 and likewise "ancient" software associated with those OSes: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-028?redirectedfrom=MSDN

Assuming you're not running Win XP, I am really questioning Eset's detection here.

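The MS04-028 signature mentioned above is tied to the structure of the JPEG itself (the vulnerable GDI+ code underflowed on a marker segment whose length field was below the spec minimum of 2), so a defender can check a flagged file's segment table directly instead of guessing whether the hit is a false positive. The walker below is an added example for this thread, not ESET's detection logic; the two sample images it checks are constructed inline.

```python
"""Walk the marker segments of a JPEG and report structural anomalies:
a segment length below 2 (the malformation behind MS04-028, and invalid
per the JPEG spec regardless) or a segment that runs past end of file.
Added example; not ESET's detection logic."""
import struct

EOI, SOS, TEM = 0xD9, 0xDA, 0x01


def scan_jpeg(data: bytes) -> list:
    """Return a list of finding strings; an empty list means no anomaly."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"marker expected at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in (EOI, SOS):    # EOI ends the file; SOS starts scan data
            break
        if marker == TEM or 0xD0 <= marker <= 0xD7:   # stand-alone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated segment header at offset {pos}")
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            findings.append(f"segment 0x{marker:02X} at offset {pos} declares "
                            f"length {seg_len} (<2): MS04-028 underflow pattern")
            break
        if pos + 2 + seg_len > len(data):
            findings.append(f"segment 0x{marker:02X} at offset {pos} "
                            "runs past end of file")
            break
        pos += 2 + seg_len
    return findings


def _jpeg(*segments: bytes) -> bytes:
    """Wrap segments between SOI and EOI (constructed test data only)."""
    return b"\xff\xd8" + b"".join(segments) + b"\xff\xd9"


# Constructed samples: a well-formed COM segment, and one declaring length 0.
GOOD = _jpeg(b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello")
BAD = _jpeg(b"\xff\xfe" + struct.pack(">H", 0) + b"hello")
```

Run `scan_jpeg(open(path, "rb").read())` on the quarantined file; an empty list means the segment table is well-formed and the detection is worth questioning, as the post above does.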

Okay, I'm using Windows 11, so I could add it to the ignore list with confidence?


  • Administrators

I'd suggest you choose to clean the detected file, then collect logs with ESET Log Collector and "Threat detection" template selected in the ELC menu and provide me with the generated file. After we've analyzed the file you could restore the file from quarantine if it turns out to be FP.


Ok thanks, then I'll wait for the problem to recur, and create the log file immediately after the event.
