I stumbled across a reference to a trojan jpeg on a website. If I went directly to the url in FF2 and FF3, the image displays correctly in my broswer with no warning (it's a 44kb pic of a stack of folded newspapers. A drop/drag desktop copy won't open in Preview. I use a PPC Mac, so if the "virus" worked correctly it would bounce me off to the site appended to the picture. The address in the jpeg is corrupt, apparently, if I try to go there directly, I get a 404.
The drop/drag saved pic came back "infected malware" from Jotti's online scan. A Google search of the embedded site said the file had somehow become corrupt or the virus writer didn't do it correctly. The drop/drag saved pic will still open in FF.
Why is the display behavior inconsistent? I have a copy of the jpeg with the iframe appended that WILL open in Preview. The copy has correct headers because I used the top menu in FF to "save as" instead of drop/drag. The drop/drag doesn't have the usual jfif or photoshop header. Both files are 44kb and both look the same.
A jpeg with an appended url shouldn't open in Preview or Firefox at all, assuming the repsective program writers did their job. A screen cap of the browser pic it removes the appended url and the size jumps to about double the original.
The appended url is plainly readable in HexEdit and TextEdit.