no, it's not in the graphics themselves, it's in the way they are linked to... people were typing in code that the ubb didn't recognize as code in the image tags and in their signatures. Stuff like using # 0153 (no spaces) to make the ubb think it's innocent text, but the browser interprets it as ™ . You can see something similar when you have a link that uses & amp; (no spaces) for the ampersand, which the browser interprets as &
Anyways, they used other code to hide their javascript/whatever to grab cookies with passwords/etc.