Tom's Guide | Tom's Hardware | Tom's Games
If a virus like W32.Nimda.enc can infect Thumbs.db files...
And if data can be spliced into JPEG files...
Then isn't it possible that an infected JPEG file could then infect a user's Thumbs.db file, thereby infecting a user with WinXP who relies on Explorer's "Thumbnails View" to preview pics he/she has downloaded off the internet?

Ok, I just read thrasher's post after submitting my own post, and if Danny Larouche is right and viewers/browsers don't know how to deal with steganography, then maybe it isn't possible.

This has been debated for quite some time. As far as I know, at the current time nobody can insert a virus into a true JPEG image, but I have also heard that it can be done, though I don't think anyone has really figured out a true way.
Laters,
KTTD

Just out of interest, see this news.
http://biz.yahoo.com/prnews/020613/sfth046_1.html
It talks about how virus code can be inserted into a graphics file, BUT it can't spread without the use of an "extractor" program.
This is also a proof-of-concept virus. Now, to me this seems a little silly (but if someone can explain differently, I'd appreciate it).
Someone has to download this virus to start with. Then, when you run it, it will place virus code in a JPG file that can't do anything without an extractor. So, in order to spread on someone's machine, they would have to download the extractor!!
So, my question is, why bother to attempt to infect a graphics file, when you still need an EXE to spread. Why not just build the virus code into the EXE and be done with it?
This seems to be overly complex. Or, I'm missing something!

Why bother with code in a graphics file?
To get around virus detection programs.
Hidden inside a graphics file, a virus scan would not be able to detect it, unless of course it was always the same picture. By being able to hide in different pictures, the "virus load" could pass through undetected. There would be no set pattern the scanner could look for. Once in the machine, all it needs is a small extractor.
A small extractor would be a very simple program that has none of the characteristics of a virus and looks just like any normal code to a virus scanner. With such a short program of typical code, it would be difficult to find a section of unique code that would not also be identical to code in several different Windows programs. A virus writer could write his extractor just using common segments of Windows programs. Now it becomes difficult to detect as being a virus.
The only way to detect such an extractor would be for the AV to scan for the whole program, not just a unique sequence within it. This is the concern of the AV people. Now they have a larger object to look for. With just a few hundred such viruses, it would slow existing virus scan technology down to a crawl and everyone would be turning their AV off. Full scans of large systems would take hours.
The only problem now is how to get the small extractor into your machine. Never open an extension or attachment, you say. Sorry. With such a small program it now becomes practical for it to be generated by an HTML/JAVA script file and saved on your system. From there it is not a major technical challenge to get it executed from a script file.
Once the "virus load" is executed.
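
An added example, not from this thread or any of its posters: a defender-side Python check for the "data spliced into a JPEG" idea discussed above. It walks the JPEG marker segments to find where the image really ends and reports bytes appended after the EOI marker (which no decoder reads) and how much APPn/COM metadata the file carries. The sample bytes are a constructed minimal JPEG, and the 64 KiB metadata threshold is an assumed review limit, not a standard value.

```python
import struct

def _skip_scan_data(data: bytes, pos: int) -> int:
    # Skip entropy-coded data; 0xFF00 (stuffing) and 0xFFD0..D7 (RSTn) belong to it.
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return pos
        pos += 1
    return len(data)

def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments: report segments seen, bytes held by APPn/COM
    metadata segments, and bytes after the EOI marker (never decoded)."""
    if data[:2] != b"\xff\xd8": raise ValueError("not a JPEG: missing SOI marker")
    pos, segments, app_bytes = 2, [], 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF: raise ValueError(f"expected 0xFF marker prefix at {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: the image ends here
            return {"segments": segments, "app_bytes": app_bytes,
                    "trailing_bytes": len(data) - (pos + 2)}
        elif 0xD0 <= marker <= 0xD7:            # RSTn carries no length field
            pos += 2
        else:
            if pos + 4 > len(data): break       # no room for a length field
            length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            segments.append((marker, length))
            if 0xE0 <= marker <= 0xEF or marker == 0xFE:   # APP0..15 and COM
                app_bytes += length
            pos += 2 + length
            if marker == 0xDA:                  # SOS: scan data follows
                pos = _skip_scan_data(data, pos)
    raise ValueError("truncated JPEG: no EOI marker found")

def findings(data: bytes, max_app_bytes: int = 64 * 1024) -> list:
    """Checks a reviewer would want before trusting a downloaded image."""
    info, out = inspect_jpeg(data), []
    if info["trailing_bytes"]:
        out.append(f"{info['trailing_bytes']} bytes appended after EOI")
    if info["app_bytes"] > max_app_bytes:
        out.append(f"{info['app_bytes']} bytes of APP/COM metadata")
    return out

# Constructed minimal JPEG: SOI, JFIF APP0, one-component SOS header, a few
# bytes of scan data (with one 0xFF00 stuffing pair), then EOI.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd9")
SPLICED_JPEG = CLEAN_JPEG + b"PK\x03\x04 pretend-archive"   # blob glued on after EOI
```

A clean image yields no findings; the spliced copy reports the appended bytes, and a file padded with oversized COM segments trips the metadata check.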

That sounds pretty bad. Would disabling Java in IE prevent such "programs" being downloaded that could execute the script from within a JPEG? Would disabling Java disrupt browsing the internet in any other way?

Take a look;
http://zdnet.com.com/2100-1105-935766.html
...and Norton has definitions out to handle it, though it won't make it into a live update download until next Wednesday, 19 June. You can, however, use the Intelligent Update method and get that protection today...
http://securityresponse.symantec.com/avcenter/defs.download.html

One other way: many viruses (specifically VBS ones that spread via Outlook Express) use code written directly into the email itself that runs via the Windows Scripting Host. So conceivably someone could embed an extractor program into an email and then extract the attached JPG file, thereby infecting the computer.
The good news is that most antivirus programs like Norton and McAfee block scripts from running automatically by prompting the user for action.
- William

Another news link which covers this topic quite well,
taken off www.neworder.box.sk:
http://www.theregister.co.uk/content/56/25718.html

I suppose my scenario depends on whether Windows extracts only image data into Thumbs.db or whether Windows dumps all the data from the infected image into Thumbs.db.

Actually... the Worm Stator virus spreads through a file called "PHOTO1.JPG". So yes, there are JPG viruses.
