1) Prevent them from being executed by the web server. That's just a question of putting the files in a directory where you didn't allow execution of scripts. Limit the files you accept to those with a file name matching /\.(?:jpe?g|gif|png)$/i. Don't use the name provided by the user when saving the image; use a number or something.

2) Prevent them from being executed by the client. Enforce the extention as mentioned above. Try loading the upload in an image info package. (Perhaps ImageMagick or Image-Info?) If the package doesn't recognize the upload as an image, and if it's not a JPEG, GIF or PNG, reject the upload.

2) Prevent them from being executed by the client. Enforce the extention as mentioned above. Try loading the upload in an image info package. (Perhaps ImageMagick or Image-Info?) If the package doesn't recognize the upload as an image, and if it's not a JPEG, GIF or PNG, reject the upload.

I could be mistaken, but I think the OP's concerned about the JPEG of Death. I don't know enough about the hole to be certain, but I don't think that just checking headers is going to be enough.

--
F o x t r o t U n i f o r m
Found a typo in this node? /msg me
% man 3 strfry

That's a toughie. Convert JPGs to PNGs and back? If the conversion tool doesn't give an error, it will surely corrupt the virus. (Discard the file if the conversion tool gives an error.)

Is that really something that needs to be checked actively? Maybe it's sufficient to keep logs and act on reports reactively. It depends on the case, really.