Virus Profile: Exploit-MS04-028

Threat Search
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/14/2004
Date Added: 9/16/2004
Origin: Unknown
Length: varies
Type: Trojan
Subtype: Exploit
DAT Required: 4392
Removal Instructions


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Variable. This detection is for JPEG files intended to exploit a vulnerability. The symptoms of the buffer overflow will vary depending upon the remote code executed.

Methods of Infection

The vulnerability exists in many applications and operating systems where JPEG files are processed. A maliciously crafted JPEG could arrive at the system via several vectors (web, email etc).


Bloodhound.Exploit.13 (Symantec), Exploit-MS04-028.demo

Virus Characteristics

-- Update September 28, 2004 --
The 4395 DAT files no longer require that McAfee anti-virus products are configured to scan with program heuristics enabled to detect this threat.

-- Update September 22, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:,10801,96088,00.html

-- Update September 18, 2004 --
AVERT has received numerous JPEG files that are detected as Exploit-MS04-028.  These JPEG files do not appear to have been designed to be malicious, but instead coincidentally contain code similar to proof of exploit code circulating and do result in applications crashing in a similar fashion to those JPEGs built to demonstrate exploitation of the vulnerability.  The JPEG files in question are malformed, but do not contain any payload (code execution resulting from buffer overflow occurring).

-- Update September 17, 2004 --
The 4393 DATs were released due to high customer demand to provide a broader solution to cover this threat. The gateway/mail server dependency has been removed and all scanners that use the 4393 DAT files can enable detection.  The 4393 DAT files require that McAfee anti-virus products are configured to scan with program heuristics enabled and that all files are scanned (an alternative to scanning all files is to add .JP? to the extension list). However, AVERT strongly recommends that users scan all files rather than use the default extension list as this exploit is not restricted to files that use .JPG or .JPEG file extensions.

-- Update September 16, 2004 --
Due to the serious nature of the vulnerability targeted by this exploit, and the release of demo exploit code, the 4392 DAT file were released early to allow for detection of this threat when using McAfee gateway and/or email scanning products while scanning all files with program heuristics enabled.

This detection is for JPEG files intended to exploit the recently announced vulnerability described in Microsoft Security Bulletin MS04-028 .

For further details about the vulnerability, and links to the Microsoft patches, click on the following link:

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!