Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

March 27th, 2014

Pretty women. Which one will infect you?


Malware which opens pictures of attractive women to entice its victims has been around for some time. Last month there were more than usual, so I decided to research malware that pretends to be a regular picture, and the results are pretty interesting.

We looked for executable samples with two distinct characteristics: 1. .jpg in their name, and 2. no older than the last three months. About 6,000 unique files which matched this criteria were found. From these samples, we noticed that pretending to be an image is not a family specific criteria but we identified that Win32:Zbot is represented more than other malware e.g. MSIL:Bladabindi-EV, Win32:Banker-JXB,BV:Bicololo-CY, etc.

The important message is that most of these samples are distributed by scams which are sent by email or posted on social media sites. An example of an email scam is pictures below. If you are interested in what the social media scam looks like and how to protect yourself, you should read one of our previous blog posts.


Picture openers

As I wrote in the introduction, the main motivation is malware that actually opens a picture. This is a smaller group -  about 10% of the whole search. In the sample group, we discovered that the malware  doesn’t open only pictures of women – surprisingly, pictures of men were used too, but images of women are leading over men at a ratio of 14:3. We spotted non-sexual images, but they are not very common.

The interesting thing is the source of image. Using an appropriate search engine, we were able to identify some of them. Their origin were social media profiles (Facebook, Instagram) and personal blogs. That actually confirms that publicly accessible images can be very easily abused.

Technical details

Most of the samples are obfuscated MSILs with file size between 200-1024kB. When the user executes that file, a picture is shown in their default picture viewer and malware is dropped and executed in the background. One interesting example works in teh following way:

It unpacks a downloader from the resource image using XOR with a hardcoded 11byte key and then executes the unpacked MSIL assembly.

From bitmap to executable

Read more about malware dropped from a bitmap picture here.

The configuration static fields found in the unpacked assembly suggest usage of a generic dropper. We discovered that it is a part of  KazyCrypter. This one is all in one dropper and downloaded. At first, data are unpacked from gzip resource, which in this case is an image of a woman that is dropped and ‘executed’ which leads in opening the default picture viewer. Then the payload(s) is downloaded and executed from link(s) specified in DownLocations array and saved to location(s) in DownNames array.

dropper config

Some SHA256



Malware distribution through scams is fairly common. Don’t be fooled, use your brain! Protect your privacy and don’t publish your pictures unless you really have a good reason to. Who knows if your images or those of your family members will be abused in malware which can infect you and others.


The author would like to thank to Peter Kalnai and Jaromir Horejsi for their help and consultations related to the topic.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.