6/13/2002

Virus Notice: Network Associates' AVERT Discovers First Virus That Can Infect JPEG Files, Assigns Low-Profiled Risk

W32/Perrun - Proof of Concept Virus That Infects and Replicates in .JPG Files

SANTA CLARA, Calif., June 13 /PRNewswire-FirstCall/ -- Network Associates, Inc. (NYSE: NET) AVERT (Anti-Virus Emergency Response Team) today announced the discovery of W32/Perrun, the world's first virus to infect files with the extension .JPG. AVERT has assigned a LOW-PROFILED risk assessment to W32/Perrun, which presents a limited threat to consumers and corporations.

Symptoms
W32/Perrun, also known as Perrun, is the first reported JPEG infector. It is an appending virus that requires an extractor file to extract and execute the virus code from infected JPEG files or files with a .JPG file extension. The virus arrives in the form of an 11,780 byte PE (portable executable) file, or .EXE. When Perrun is executed, the 5,636 byte extractor component (EXTRK.EXE) is dropped to the current directory and the following system Registry key is modified:

HKEY_CLASSES_ROOT\jpegfile\shell\open\command "(Default)" = (current directory)\EXTRK.EXE %1

Infected JPEG files are unable to replicate on machines without the extractor component installed in the system registry. Both files are written in Visual Basic 6, and are packed with UPX.

Cure
Immediate information on this virus can be found online at the McAfee AVERT site at http://vil.nai.com/vil/content/v_99522.htm. Users of McAfee Security products should update their systems from that page and use the 4.0.70 or later scanning engine to stop potential spreading of the virus. McAfee Security customers running the 4185 DATs or greater with program heuristics enabled detect both the virus and its extractor component as the virus or variant W32/Alcop@MM.

AVERT Labs (http://www.avertlabs.com) is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and active DAT technology to generate cures for previously undiscovered viruses. AVERT's virus risk assessment program was the first early warning system created by virus research experts, and was designed to help network administrators assess the risk associated with newly discovered virus outbreaks.

With headquarters in Santa Clara, Calif., Network Associates, Inc. is a leading supplier of network security and availability solutions. Network Associates is comprised of three product groups: McAfee Security, delivering world-class anti-virus and security products; Sniffer Technologies, a leader in network availability and system security; and Magic Solutions, a leader in innovative service management solutions. For more information, Network Associates can be reached at 972-308-9960 or on the Internet at http://www.networkassociates.com/.

NOTE: Network Associates, McAfee, Sniffer and Magic Solutions are registered trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.



Virus Name: W32/Perrun
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Virus Information
Discovery Date: 06/13/2002
Origin: Unknown
Length: 11,780 bytes (UPXed); 5,636 bytes (extractor)
Type: Virus
SubType: Win32
Minimum DAT: 4208
Release Date: 06/19/2002
Minimum Engine: 4.1.50
Description Added: 06/13/2002
Description Modified: 06/19/2002 12:41 PM (PT)

Virus Characteristics:

This appending virus is the first reported JPEG infector. It is multi-component in nature, requiring an extractor file to extract (and execute) the virus body from infected JPEG files.

Infected JPEGs are unable to replicate on non-infected machines, i.e. machines without the extractor component installed (hooked in the Registry).

McAfee products running the 4185 DATs (or greater) with program heuristics enabled, detect both the virus body (11,780 byte PE) and its extractor component as virus or variant W32/Alcop@MM.

This virus is a proof of concept and it has not been seen in the wild.

The author of this virus has released a second variant that targets text files with the filename extension .TXT.

The method of operation of this second .b variant is almost identical to the original W32/Perrun virus, with only minor differences in the filenames used.


Again, this second variant is detected by McAfee products running the 4185 DATs (or greater) with program heuristics enabled, as virus or variant W32/Alcop@MM.


Symptoms
  • Modification of a system Registry key as described below
  • Increase in the size of JPEG files (+11,780 bytes)
  • Increase in the size of .TXT files (+11,780 bytes)

Method Of Infection

The virus arrives in the form of an 11,780-byte PE file. When run on the victim machine, the 5,636-byte extractor component (EXTRK.EXE) is dropped to the current directory. Both files are written in Visual Basic 6 and packed with UPX. The following Registry key is modified so that opening a JPEG file is hooked:

HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1

Subsequently, when JPEG files are executed, the extractor component checks if the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.
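Because the virus appends itself after the image data, an infected JPEG still renders normally; a scanner therefore has to walk the JPEG marker structure to the real End-Of-Image marker and inspect what follows. The following detection example is added here and is not McAfee's or the page's own code; the sample image bytes and the "MZ" payload stub are constructed, and the 11,780-byte size is taken from the description above.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
PERRUN_APPEND_LEN = 11780  # virus body size stated in the advisory

def jpeg_image_end(data: bytes) -> int:
    """Offset just past the real EOI, found by walking marker segments so an
    FF D9 inside appended data is not mistaken for the end of the image."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                      # EOI with no scan data
            return pos + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen                       # skip this segment
        if marker == 0xDA:                      # SOS: scan data follows; a
            while pos + 1 < len(data):          # data FF is stuffed as FF 00
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            raise ValueError("truncated scan data")
    raise ValueError("truncated JPEG")

def appended_payload(data: bytes) -> bytes:
    """Bytes following the image; empty for a clean file."""
    return data[jpeg_image_end(data):]

def looks_like_perrun(data: bytes) -> bool:
    """Trailer of the advisory's size that begins with a PE/DOS 'MZ' stub."""
    tail = appended_payload(data)
    return len(tail) == PERRUN_APPEND_LEN and tail.startswith(b"MZ")

# Constructed sample: SOI, an APP0 (JFIF) segment, an SOS segment with a
# few bytes of scan data including a stuffed FF 00, then EOI.
CLEAN_JPEG = (SOI
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56" + EOI)
# Constructed stand-in for an appended body: an 'MZ' stub padded to the
# stated size, with an FF D9 inside it to show the parser is not fooled.
INFECTED_JPEG = CLEAN_JPEG + b"MZ\xff\xd9".ljust(PERRUN_APPEND_LEN, b"\x90")
```

Any non-empty trailer is worth a closer look; the exact-size match is only the signature for this particular sample.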

The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1


Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

