Find Virus in an Image File

Based on the description at Virustotal you've linked to this is in reality not an image, but a real PE32 executable (normal windows executable). So only the file name extension was changed to hide the real purpose of the file.

PE32 files will not be automatically executed when they have the .jpg extension like in this case. Also the image viewer which will be invoked with the file by default will not execute the code but instead exit or complain that this is not a valid image.

Thus this file would not work alone. But such files are typically used together with another file which will rename it to name.exe and execute it. This can be done by some batch file, with the help of the Windows Scripting Host ActiveX inside a website or mail or similar. This strategy is used to bypass antivirus and firewalls which might skip analyzing the "jpg" file because of the extension and will not find anything suspicious in the accompanying script (which only renames the file and executes it).

...if there is any way to decode/decompile the image data

Again, this is not an image but an executable so the tool of choice could be some disassembler, debugger, sandboxed execution etc. See also the analysis from Virustotal.


Re. question 1:

This does not look like a JPG at all. It has the magic "MZ" characters at the beginning of the file that signifies "Windows Portable Executable File". Also your VirusTotal report points in that direction: simply an EXE file that does not actually have ".EXE" as the file name suffix.

In contrast a JPG file should have the following four non-ASCII-printable bytes at the very beginning of the file: ff d8 ff e0

So any image viewer that does even the most basic checking of its input file should detect this straight away and not even try to process any further. Therefore I don't think it's likely that you infected your computer by trying to open that file with an image viewer.

Re. Question 2:

See above. It's not an image file at all. And there is no simple instruction for executable reverse engineering. It's complicated stuff.

I suggest you just upload it to all the online antivirus scanners that you can find. Some of them run sandbox environments and will give a report on what the process tried to change. (You may have to rename the file to have the ".EXE" suffix before you do that. So be careful. Or better yet: rename and submit it from a Linux or Mac machine that can't even execute Windows EXEs by accident.)

Update 2016-11-21: Some scan results

  • VirusTotal result
  • MalWr result
  • Mastiff result
  • Hybrid-Analysis result
  • MetaDefender

"So I want to know whether or not it's possible a virus contained inside the image could still have been executed if the software did not 'fully' open the image?"

Given the other answers say that it is a PE executable, it's very unlikely that you've done anything harmful by opening it in an image editor/viewer. Image viewers generally look at the first few bytes of a file to determine its file type and then bail with an error if it doesn't match known signatures. The introduction of most file formats is what is known as a "magic number" - almost every file format has one. Magic numbers allow readers to perform a sanity check on the file data before attempting to process garbage.

If it were a legitimate image file, it is important to note that there have been buffer overflows over the years that exploited the way certain image parsers worked in various software libraries. A few exploits were discovered a few years ago for crafting a special image to exploit various library weaknesses in some of the most popular libraries out there that image editing and viewing software uses. Obviously, as holes are discovered, they are patched but it is up to each software vendor using the library to update their software and then every user of that software has to update the software. That process can take significant time to complete.

But in your case, no, it's probably just a badly named EXE and your machine is probably just fine. Which also likely means that everyone they spammed with that message received an equally malformed filename and the recipients also can't open it. Malware delivery fail. Score one for stupid.

My second question is if there is any way to decode/decompile the image data in order to better view its contents?

There are tools to dissect PE files (high level section breakdown). Looks like .NET might be involved in this case. I've not had to do any disassembling in a while. There are both free and commercial reverse-engineering tools out there for .NET binaries. Obviously, if you pay money for a tool like that, it will generally be significantly better than the free tools.

That all said, if you think your machine has been compromised, disconnect it from all networks and probably turn it off until you can reinstall the OS. The last thing you want/need is Cryptowall and a bonus rootkit to get installed. Reinstalling an OS is the only option these days for a malware infestation. Most of the malware deployed via e-mail today are just small downloaders for going and getting more malware from the Internet. Once there is a small foothold, it is game over for the OS.

Finally, don't open strange attachments from weird people.
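Added example, not code from any of the answers above: a small Python check that does what the second and third answers describe, classifying a file by its leading bytes instead of its name and flagging a ".jpg" whose content actually starts with the "MZ" DOS header and "PE\0\0" signature. The constructed sample header and the helper names (sniff_type, extension_mismatch, fake_pe) are assumptions of this example.

```python
import struct

# Magic numbers checked at offset 0. PE is handled separately because the
# real check also looks for the "PE\0\0" signature at the offset stored at 0x3c.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Which sniffed types each extension is allowed to carry.
EXT_OK = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".exe": {"pe"}, ".dll": {"pe"},
}

def sniff_type(data: bytes) -> str:
    """Return a type label derived from the file's leading bytes, not its name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # DOS header field e_lfanew (offset of the PE header) lives at 0x3c.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"  # MZ stub but no PE header: old DOS binary or truncated
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type and the content is another."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    allowed = EXT_OK.get(ext)
    if allowed is None:
        return False  # extension not in the table: nothing to compare against
    return sniff_type(data) not in allowed

def fake_pe() -> bytes:
    """Constructed sample: a 0x40-byte DOS header pointing at a 'PE\\0\\0' stub."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew = 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20
```

Running extension_mismatch("photo.jpg", fake_pe()) returns True, which is exactly the situation the question describes; a real JPEG header under the same name returns False.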

Tags: Image, Virus