Perrun is a proof-of-concept virus that appends itself to JPEG files.
To run the viral part, it changes the JPEG handler program
in the registry and drops a special extractor onto the system that
extracts and runs the malicious code. In practice this means that the
malicious part of a JPEG file will run only if the system is already
infected with the virus. A clean system cannot get infected from
an "infected" JPEG file, since that would require the virus to be active
on the system already.
Please note that Perrun cannot be activated from infected JPEG
files on a clean system.
The virus modifies local files only. It has no ability to send itself
by e-mail or over the local network. It has not been reported in the wild
yet.
Technical Details
Perrun was written in Visual Basic and it is compressed with
the UPX EXE compressor.
When the virus is started in its EXE form it drops two files:
'extrk.exe' - the program that extracts the virus code from the
JPEG files
'reg.mp3' - registry file that adds the extractor program as
the handler for opening JPEG files
After this it looks for '*.jpg' files in the current directory
and appends itself to them. It does not touch a file that
has 'alco' as its last four bytes. This way it does not append
itself to a file twice.
From this point on JPEG files are opened with the special
extractor, so the viral code can be started from the JPEG files.
The extractor extracts the virus code to 'x.exe' in the
current directory and runs it. After that the JPEG file itself
is opened with the original handler.
[Analysis: Gergely Erdelyi; F-Secure Corp.; June 14th, 2002]
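
A detection check built on the two file properties described above: data appended to the JPEG and 'alco' as the last four bytes. This is an added example, not code from the original analysis; the function names are hypothetical, it assumes the appended data sits after the JPEG end-of-image (EOI) marker, and the sample bytes are constructed.

```python
from pathlib import Path

MARKER = b"alco"  # infection marker named in the description above

def jpeg_end(data):
    """Offset just past the JPEG EOI marker, or None if the marker walk fails."""
    if data[:2] != b"\xff\xd8":                      # must start with SOI
        return None
    i, in_scan = 2, False
    while i + 1 < len(data):
        b, m = data[i], data[i + 1]
        if in_scan and (b != 0xFF or m == 0x00 or 0xD0 <= m <= 0xD7):
            i += 1                                   # scan data, stuffed FF00, RSTn
            continue
        if b != 0xFF:
            return None                              # lost sync between segments
        if m == 0xFF:                                # fill byte before a marker
            i += 1
            continue
        in_scan = False
        if m == 0xD9:                                # EOI: the image ends here
            return i + 2
        if m == 0x01 or 0xD0 <= m <= 0xD7:           # markers without a length
            i += 2
            continue
        if i + 4 > len(data):
            return None                              # truncated segment header
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        in_scan = (m == 0xDA)                        # SOS: entropy-coded data follows
    return None

def inspect(data):
    """Return (ends_with_marker, bytes_after_eoi); the count is None if unparseable."""
    end = jpeg_end(data)
    return data.endswith(MARKER), (None if end is None else len(data) - end)

def is_suspect(data):
    marked, trailing = inspect(data)
    return marked and bool(trailing)                 # both properties must hold

def scan_dir(path="."):
    """Names of *.jpg files in `path` with data after EOI that ends in the marker."""
    return [p.name for p in sorted(Path(path).glob("*.jpg")) if is_suspect(p.read_bytes())]

# Constructed sample: a structurally valid JPEG marker stream, not a real picture.
CLEAN = (b"\xff\xd8" b"\xff\xe0\x00\x04JF" b"\xff\xda\x00\x02"
         b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9")
APPENDED = CLEAN + b"PLACEHOLDER-APPENDED-DATA" + MARKER
```

Trailing bytes alone are not flagged, since some tools legitimately write data after EOI; the check requires the 'alco' ending as well.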