Attachment: ctfmona.jpg (99 KB)


Just something I found at work on Monday. Have fun exploring, but don't be stupid. =)
Feel free to post your findings here.

What exactly is it?

That's fucking aids.. Lol

Now if I tell you, what would be the point of me asking to identify it? Needless to say, I hope you just didn't jump out there and run it on your Windows machine. If so, you should be slapped. =)

Ok, but I'm just sayin', I know it's a trojan of some sort, but why post it? =/

It's not a trojan.

If we wanted to trojan you, we'd make sure you opened it.

Well, I know you wouldn't trojan. Do I get a prize for identifying the file?

Of course you get a prize. But we can't reveal the prize until you reveal what you know about the file.

Is it a trojan?? If so, how is it embedded in a picture?

Just a wild guess.. a VB app that tries fucking with the Win32 kernel?

I just renamed the extension to .JPG so I could upload it here. EXEs are blocked.

Clever thinking. So even with a different extension it still downloads to your system?? Even if it doesn't say it's downloading??

No. You will need to right click and do a save as. Then you can just rename the extension.

<<< still learning

Understood, but please don't just download this file and then execute it... unless you do that on a virtual machine that you can then wipe. Yes, the file is malicious in nature. The file was discovered on our network at work. I decided to put it here and see what people could determine about the file, and so people could learn. Most AVs should detect it now, since I submitted it. When I first submitted it, only 1 AV out of the 35 that it was checked against detected it.
A little disappointed that no one has even messed with it. Bunch o noobs. =P

Edit: and now I see it's an executable... yay
If you renamed it from EMF to JPG, it's a version of the exploit for the Windows GDI API. The site says it uses a malformed EMF file, but the GDI library is pretty large and I don't think the vuln would have to rely on the EMF format alone to be exploited. The report says the error is in "the way that GDI handles integer calculations"; it doesn't say the way it handles EMF integer calculations. GDI does straight rendering of image and text, with no distinction of file formats. GDI is set up so that "Windows-based applications do not access the graphics hardware directly. Instead, GDI interacts with device drivers on behalf of applications." Before it is calculating integers to render at ring 0, the GDI library receives the general info on how to render whatever image the calling application sends, meaning the EMF file type could be completely irrelevant to how GDI calculates its integers, since its only interest is to sync the application with your video driver and then send in the image, and not, that I know of, to actually even bounds check what the image actually is from the time it goes from the application layer to the hardware layer. If I'm wrong I'm gonna hunt ya down s0kket; if not, secfocus needs to take out the EMF part and just say GDI.
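As an added example, not from this thread or from the report it discusses: a defensive walk of an EMF file's record list in Python, applying the length and integer checks a renderer has to make before acting on the file's own size fields. The field offsets follow the documented ENHMETAHEADER layout; the sample files are constructed inline.

```python
import struct

EMF_SIGNATURE = 0x464D4520  # dSignature: the ASCII bytes " EMF" as a little-endian dword
EMR_HEADER, EMR_EOF = 1, 14  # record types that must open and close every EMF file


def parse_emf_records(data: bytes) -> list:
    """Walk the EMF record list, checking every size field before trusting it.

    Returns [(record_type, record_size), ...] or raises ValueError."""
    if len(data) < 88:
        raise ValueError("truncated: the EMR_HEADER record is at least 88 bytes")
    # ENHMETAHEADER: iType@0, nSize@4, rclBounds@8, rclFrame@24, dSignature@40,
    # nVersion@44, nBytes@48, nRecords@52 (all little-endian dwords)
    rtype = struct.unpack_from("<I", data, 0)[0]
    signature, _version, n_bytes, n_records = struct.unpack_from("<IIII", data, 40)
    if rtype != EMR_HEADER or signature != EMF_SIGNATURE:
        raise ValueError("first record is not a valid EMR_HEADER")
    if n_bytes != len(data):
        raise ValueError(f"header claims {n_bytes} bytes, file has {len(data)}")
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 8:
            raise ValueError(f"record at {offset} is shorter than its 8-byte prefix")
        rtype, rsize = struct.unpack_from("<II", data, offset)
        # rsize comes from the file: require the 8-byte minimum, dword alignment,
        # and compare against the bytes remaining instead of computing offset+rsize,
        # which is the sum that wraps in a 32-bit implementation.
        if rsize < 8 or rsize % 4 or rsize > len(data) - offset:
            raise ValueError(f"record type {rtype} at {offset} has bad size {rsize}")
        records.append((rtype, rsize))
        offset += rsize
        if rtype == EMR_EOF:
            break
    if records[-1][0] != EMR_EOF or offset != len(data):
        raise ValueError("record list does not end with EMR_EOF at end of file")
    if len(records) != n_records:
        raise ValueError(f"header claims {n_records} records, found {len(records)}")
    return records


def build_sample(eof_size=20, claimed_bytes=None) -> bytes:
    """Constructed two-record EMF (header + EMR_EOF); the keyword arguments let a
    test plant a bogus nBytes or an oversized EMR_EOF nSize."""
    eof = struct.pack("<IIIII", EMR_EOF, eof_size, 0, 0, eof_size)
    total = 88 + len(eof)
    header = struct.pack("<II", EMR_HEADER, 88) + b"\0" * 32  # iType, nSize, rects
    header += struct.pack("<IIII", EMF_SIGNATURE, 0x00010000,
                          total if claimed_bytes is None else claimed_bytes, 2)
    return header + b"\0" * (88 - len(header)) + eof
```

A well-formed sample parses to two records; a sample whose EMR_EOF claims a size that would wrap a 32-bit offset sum, or whose nBytes disagrees with the real length, is rejected before any record is acted on.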

At a quick glance it doesn't look like it's actually going to do much harm. More annoying than anything else, as it looks like it copies itself to the System32 dir, then adds itself to startup. The program itself appears to just be a lightweight thread known as a fiber, which is just going to pop up a warning message box with the message "Malware Alert!" and the options Yes/No. From here I think it will forward you to purchase some software to apparently remedy the infection.