6/13/2002
Virus Notice: Network Associates' AVERT Discovers First Virus That Can Infect JPEG Files, Assigns Low-Profiled Risk
W32/Perrun - Proof of Concept Virus That Infects and Replicates in .JPG Files
SANTA CLARA, Calif., June 13 /PRNewswire-FirstCall/ --
Network Associates, Inc. (NYSE: NET) AVERT (Anti-Virus
Emergency Response Team) today announced the discovery of
W32/Perrun, the world's first virus to infect files with
the extension .JPG. AVERT has assigned a LOW-PROFILED risk
assessment to W32/Perrun, which presents a limited threat
to consumers and corporations.
Symptoms
W32/Perrun, also known as Perrun, is the first reported
JPEG infector. It is an appending virus that requires an
extractor file to extract and execute the virus code from
infected JPEG files or files with a .JPG file extension.
The virus arrives in the form of an 11,780 byte PE
(portable executable) file, or .EXE. When Perrun is
executed, the 5,636 byte extractor component (EXTRK.EXE)
is dropped to the current directory and the following
system Registry key is modified:
HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
Infected JPEG files are unable to replicate on machines
without the extractor component installed in the system
registry. Both files are written in Visual Basic 6, and
are packed with UPX.
Cure
Immediate information on this virus can be found online at
the McAfee AVERT site at http://vil.nai.com/vil/content/v_99522.htm.
Users of McAfee Security products should update their
systems from that page and use the 4.0.70 or later
scanning engine to stop potential spreading of the virus.
McAfee Security customers running the 4185 DATs or greater
with program heuristics enabled detect both the virus and
its extractor component as the virus or variant
W32/Alcop@MM.
AVERT Labs (http://www.avertlabs.com)
is one of the top-ranked anti-virus research organizations
in the world, employing more than 90 researchers in
offices on five continents. AVERT protects customers by
providing cures that are developed through the combined
efforts of AVERT researchers and AVERT AutoImmune
technology, which applies advanced heuristics, generic
detection, and active DAT technology to generate cures for
previously undiscovered viruses. AVERT's virus risk
assessment program was the first early warning system
created by virus research experts, and was designed to
help network administrators assess the risk associated
with newly discovered virus outbreaks.
With headquarters in Santa Clara, Calif., Network
Associates, Inc. is a leading supplier of network security
and availability solutions. Network Associates is
comprised of three product groups: McAfee Security,
delivering world-class anti-virus and security products;
Sniffer Technologies, a leader in network availability and
system security; and Magic Solutions, a leader in
innovative service management solutions. For more
information, Network Associates can be reached at
972-308-9960 or on the Internet at http://www.networkassociates.com/.
NOTE: Network Associates, McAfee, Sniffer and Magic
Solutions are registered trademarks of Network Associates,
Inc. and/or its affiliates in the United States and/or
other countries. All other registered and unregistered
trademarks in this document are the sole property of their
respective owners.
Virus Name: W32/Perrun
Risk Assessment: Low-Profiled

Virus Characteristics:
This appending virus is the first reported JPEG infector. It is multi-component in nature, requiring an extractor file to extract (and execute) the virus body from infected JPEG files.

Infected JPEGs are unable to replicate on non-infected machines, i.e. machines without the extractor component installed (hooked in the Registry).

McAfee products running the 4185 DATs (or greater) with program heuristics enabled detect both the virus body (11,780 byte PE) and its extractor component as virus or variant W32/Alcop@MM.

This virus is a proof of concept and it has not been seen in the wild.

The author of this virus has released a second variant that targets text files with the filename extension .TXT. The method of operation of this second .b variant is almost identical to the original W32/Perrun virus, with only minor differences in the filenames used.

Again, this second variant is detected by McAfee products running the 4185 DATs (or greater) with program heuristics enabled, as virus or variant W32/Alcop@MM.
Symptoms
- Modification of a system Registry key as described below
- Increase in the size of JPEG files (+11,780 bytes)
- Increase in the size of .TXT files (+11,780 bytes)
Method Of Infection
The virus arrives in the form of an 11,780 byte PE file. When run on the victim machine, the 5,636 byte extractor component (EXTRK.EXE) is dropped (to the current directory). Both files are written in Visual Basic 6, and packed with UPX. The following Registry key is modified in order that JPEG file execution is hooked:

HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1

Subsequently, when JPEG files are executed, the extractor component checks if the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.

The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
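As an added illustration of the two indicators described above (example code, not from the press release or from AVERT): a JPEG parser that walks the segment structure and reports any bytes appended after the End-Of-Image marker, plus a helper that pulls the handler program out of a shell\open\command value so it can be compared against the extractor names EXTRK.EXE / TEXTRK.EXE. The sample image and command strings are constructed inline; reading the live Registry key requires Windows and is left out.

```python
EOI, SOS = 0xD9, 0xDA
PERRUN_BODY_SIZE = 11780                       # PE body size the advisory reports as appended
EXTRACTOR_NAMES = {"extrk.exe", "textrk.exe"}  # .a / .b variant extractor filenames

def jpeg_trailing_data(data: bytes):
    """Bytes after the End-Of-Image marker (FF D9); None if not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, in_scan, n = 2, False, len(data)
    while pos + 1 < n:
        # In entropy-coded data FF 00 is a stuffed byte and FF D0..D7 a restart marker; any other FF xx is a real marker.
        if in_scan and data[pos] != 0xFF:
            pos += 1
            continue
        if in_scan and (data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7):
            pos += 2
            continue
        in_scan = False
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
        elif marker == EOI:
            return data[pos + 2:]
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
        elif pos + 4 <= n:                              # length-prefixed segment
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            in_scan = marker == SOS
        else:
            return None
    return None                                         # truncated: EOI never reached

def check_jpeg(data: bytes) -> dict:
    trailer = jpeg_trailing_data(data)
    return {"parseable": trailer is not None,
            "trailing_bytes": len(trailer or b""),
            "perrun_sized": trailer is not None and len(trailer) == PERRUN_BODY_SIZE}

def open_command_handler(command: str) -> str:
    # Lowercase basename of the program named in a shell\open\command value
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split(None, 1) or [""])[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Constructed sample, not a real image: SOI, APP0, a tiny scan with a stuffed FF 00 and a restart marker, then EOI.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x03\x01"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
INFECTED_JPEG = CLEAN_JPEG + b"MZ" + b"\x00" * (PERRUN_BODY_SIZE - 2)  # fake PE appended after EOI
```

A real file-system sweep would apply check_jpeg to every .JPG in the hooked directory and compare the extracted handler name with the expected viewer, not just with the two known extractor names.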