This hack tool creates a JPEG file (detected as EXPL_JPGDOWN.A), which exploits a vulnerability in Windows XP.
For more information about the said vulnerability, visit the following Microsoft Web page:
A complete description and cleaning instructions for the Trojan (the JPEG file) can be found on the following Web site:
Upon execution, this hack tool displays the following dialogue box:
The Trojan dropped by this hack tool attempts to download and execute files from a URL that the malicious user enters in the dialogue box.
The default URL in the dialogue box is http://www.y<BLOCKED>rsi.com/sr.exe.
This hack tool also drops the file MYPICTURE.JPG in the current folder.
After execution of this hack tool, the following message is displayed:
"The Jpeg Server, has been created with your settings in the current directory."
The following strings can be found in the malware body:
JPEG Downloader V1.0
With this downloader you can create downloader server with *.jpg
Based on Buffer Overrun in JPEG Processing (GDI+) Could Allow
Code Execution (833987)
Using Generic win32 http download shellcode
Bug analized by eEye Digital Security (http://www.eeye.com)
2004 ProGroup Software, Inc.
Coded By ATmaCA
It runs on Windows 95, 98, ME, NT, 2000, and XP.
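The strings above tie this tool to the GDI+ JPEG buffer overrun (KB 833987 / MS04-028). The added example below is not part of this description and is not the tool's code: it is a small defender-side JPEG header scanner that walks the marker segments of a file and flags any length-carrying segment whose declared length is below the 2-byte minimum, the malformed shape the public eEye/Microsoft analysis of that bug describes (that detail is taken from those public advisories, not from this page). The two byte strings it checks are constructed here for the example.

```python
import struct

# JPEG marker bytes (the byte following 0xFF).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI, RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def iter_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each header segment.

    declared_length is None for standalone markers. Iteration stops at SOS
    (entropy-coded data follows), at EOI, or at the first segment whose
    length field is below 2, since no further parsing is meaningful there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, marker, None
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        # Length is big-endian and includes its own two bytes, so >= 2 is required.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield pos, marker, length
        if marker == SOS or length < 2:
            return
        pos += 2 + length


def find_suspicious_segments(data: bytes):
    """Return [(offset, marker, length)] for segments with an undersized length field."""
    return [(off, m, ln) for off, m, ln in iter_segments(data)
            if ln is not None and ln < 2]


# Constructed sample 1: a well-formed header (APP0/JFIF, a COM segment, EOI).
BENIGN_JPEG = (
    b"\xff\xd8"                                   # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, len 16
    b"\xff\xfe\x00\x05abc"                        # COM, len 5 (2 + 3 bytes "abc")
    b"\xff\xd9"                                   # EOI
)

# Constructed sample 2: a COM segment declaring a length of 1 (below the minimum).
MALFORMED_JPEG = (
    b"\xff\xd8"            # SOI
    b"\xff\xfe\x00\x01"    # COM with length field 1
    b"\xff\xd9"            # EOI
)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        hits = find_suspicious_segments(blob)
        verdict = "flag" if hits else "ok"
        print(f"{name}: {verdict} {hits}")
```

Running the block prints `benign: ok []` and `malformed: flag [(2, 254, 1)]`. In a mail gateway or file-upload filter this check would sit next to a full decoder in a sandboxed process; rejecting any segment with a length field under 2 costs nothing for valid images, because the JPEG format never produces one.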