JPEGScan is a small, fast and easy to handle scanner that has detection and repair capabilities for JPEG files infected with the MS04-028 exploit. Nick Debaggis discovered on September 14 2004 a buffer overrun vulnerability in gdplus.dll, a library used by many common applications for viewing JPEG images. MS04-028 is the tracking code assigned by Microsoft to this specific vulnerability that could be exploited to execute arbitrary code, permitting an attacker to gain control of a remote system simply by inviting the victim to look at a specially-crafted JPEG image. JPEGScan will detect all known variants of the exploit and accomplishes this not by string searching or anti-viral signature scanning but rather by properly walking through all blocks in the JPEG searching for the undersized boundaries in comment sections that indicates the presence of MS04-028 infection. Repairing renders the file harmless by readjusting under sized boundaries to their proper size and if the file was based on a real JPEG then it should become viewable.
JPEGScan permits for one-click integration into Explorer's context menu and you can easily right-click on any file, directory or drive and start scanning immediately for infected JPEG images. Users will find JPEGScan handy and network administrators will enjoy being able to sweep entire networks for infected images. For reasons of speed, optimization and accuracy, the main scan routines were written in assembly language, making the program basically as fast as it possibly can be. If the program used to view the JPEG file uses a vulnerable version of gdiplus.dll then a lot of software is affected. With JPEGScan you can simply delete the infected files rather than repair.
