I know of several people, for example, that have been infected by a trojan in JPG files.
JPG's themselves are exploitable. But as far as I know there has never been any record of a virus 'in the wild' which can do this. Currently the only known virus with that capability is Perrun, which was created by AV developers as a 'proof of concept'. More likely the people you're referring to were infected elsewhere and the virus laid dormant for some time.
