I keep hearing about IMG_0311205dtrap.rcs.png. Is this a valid concern for SL members?

[Meadow Copperfield]

I checked google as well, and found nothing, but the warning going around begins:  If ANYONE sends you an item called IMG_0311204drcs.png via skype or any other form of IM program deny it immediately. It's a worm that is designed to steal your SL information when you open the file.   Often times the 'warnings' turn out to be the actual spam/griefing, just sent to cause drama.  It supposedly infects your skype to propagate by sending itself to everyone on your contact list as "IMG_0311205dtrap.rcs.png".

[Madelaine McMasters]

Hi Meadow,

You may keep hearing about it, but Google has never heard of it, nor of even parts of that filename. That's a .PNG file, which is a data file. If you attempted to open it, your computer would treat it as an image and display it. If the file was not actually a PNG file, you'd probably get an error message.

The only way such a file could cause harm is if it was actually an executable file and you renamed it with a .exe extension and then launched it. But that's the sort of willfully self destructive behavior I would not expect from someone expressing concern.

I am curious about who's been saying this is a concern. If you wish, come back and edit your question (via "Options" over on the right) and tell us more.

 

[KarenMichelle Lane]

The message seems to be another uninformed social "Your World Will End" message being passed about SL in NC form. No need to worry. In reality. .png files are not executable even if an executable file's .exe extension  is renamed to .png to fool ya. Windows will not execute the file but will attempt to open it with the Viewer assigned to present .png images. That viewer will hate the file and send you a standard corrupted image file error message.

[Thomas Shikami]

That a file like that ending in rcs.png is a real concern. I received a file like that myself on skype earlier today. It looks like this in skype. It actually shows like it has a .png ending, but windows treats it as a screensaver.

The crux is, you will most probably receive that file from a well known friend.

http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/

[Lindal Kidd]

Unlike Madelaine or KarenMichelle, I would advise some caution.  Image files CAN contain a virus or malware payload, and can execute that file if you open them to view them.  This is one reason why your email client won't download and display pictures in an email, until you tell it that it is OK to do so.

That's not to say that THIS image file contains a virus...I don't know anything about that.

EDITED TO ADD:  I heard from another user in world who got this file via Skype.  He tells me that it is actually a screensaver in disguise, and that it does contain some sort of malware payload.

[Talia Malaspina]

If the file actually has the extension .png, no, Windows will not treat it as a screen saver.

 

It looks like the two things you need to do is make sure your Windows is NOT set so that it hides file extensions, and don't use Skype for file transfers, since it is apparently set to do the same.

 

 

[Korwyn Obscure]

Correct comments: this is a .png file, thus windows will try to open it in the default image viewer. It is true that some image files can contain a payload... .png don't have much room for a payload in the compression. 

 

incorrect: image payloads are not the reason why many email programs don't automatically load them. the issue there is images in emails in html mode can be loaded from the web, thus alerting the sender of the email that someone viewed their email, cause the image was downloaded. Thus they then would know your ip address. 

the message going around says that Avast detects it... Avast has NOTHING on their website about it.

 

But, basic internet security here.

Don't open attachments from anyone in skype unless they're sending you a file you're expecting, and you scan it before opening it.

 

 

 

 

 

[Madelaine McMasters]

Here's an update that explains how this exploit can actually do damage...

http://community.secondlife.com/t5/General-Discussion-Forum/Skype-and-Secondlife-related-virus/m-p/2278085#M134462

[LepreKhaun]

This is actually a Unicode exploit in that a non-printing character (specifically U+202E, the "RIGHT-TO-LEFT OVERRIDE", see http://www.fileformat.info/info/unicode/char/202E/index.htm) is making one think they are clicking "rcs.png" (which would be an image and cannot have a virus transmitted within it) but they are actually clicking "gnp.scr" (which is an executable screensaver). See http://www.pediy.com/kssd/pediy11/123162.html for how this exploit is used to deliver malicious payloads to the unwary.

 

Bottom line, be careful what one clicks on, even if you feel the source is trustworthy. Kind of like sex, one never knows who might be infected, eh.

[Zarphy Astro]

these people are wrong. it only contains the ILLUSION of being a png file. it is NOT a png, it IS an executable, it IS a virus, it WILL infect you, it WILL steal your SL account lindens, and payment information. i am a computer technician who specializes in repair and anti-malware. filename extension spoofing is not difficult. i have seen the file, as a friend who was infected by this brand new virus, attempted to send it to me. it is a faked png, with an executable icon.

 

i repeat. anyone who has 'checked out the file' and thinks its clean, that is because they only used an antivirus that has not picked up this newly-written virus. do not accept it, download it, run it, or underestimate it.

 

and the reason google doesnt pick it up is because every time the virus deploys its payload, it randomly generates a new filename: the alghorythm is: Snapshot(orIMG)_######CCCCC.png(.hidden exe) thats 6 randomly generated numbers, 4 or 5 letters, followed by .png, followed by its hidden executable extension.

[Tomos Halsey]

Ok let me straighten this out...YES it's a png image and YES it's an executable. They have embeded the exe inside the png just like those age old jpg exe embedding. What you do is stick the hex representation of the program in the png's header so when they open the file it executes the program to infect the machine. This is quite an old way of infecting people but this is a way that members of 4chan like to pass executables across the image board. 
http://www.cyberengineeringservices.com/malware-obfuscated-within-png-files-sample-2-2/