Virus.Win32.Perrun.a

tag: Executable File and Boot Viruses


Perrun is a non-dangerous, non-memory-resident parasitic Win32 virus. It is a Windows PE EXE file about 12KB in length (when compressed by UPX; the decompressed size is about 18KB) and is written in Visual Basic.

The main virus feature is its ability to affect JPEG image files (compressed graphic images) and spread via affected JPEG files.

When the virus runs it searches for all *.JPG files in the current directory and appends its code to the end of the files (resulting in EXE virus code at the end of affected JPEG files).

The infected files receive a string called "alco" at the file end. By comparing this string the virus avoids creating double infections.

Perrun extracts from itself another EXE file: a virus component 5.6KB in length, also written in Visual Basic and compressed by UPX. This component is saved to the "extrk.exe" file in the same directory from which the infected file is run. It is registered in the system registry in the "jpegfile" key:

HKCR\jpegfile\shell\open\command default = %CurrentDir%\extrk.exe %1

As a result the virus associates its component with JPEG files and when any JPEG file is opened the virus component is run.

The component being run reads the JPEG file body, looks for the EXE virus code at the end of JPEG files, saves this main code to the X.EXE file in the same directory and executes it. Thus the main virus code is run and an infected system's JPEG files are then able to spread the virus code.

 ------------
 |JPEG file |   EXE component (EXTRK.EXE)
 |----------|   reads and executes         ---------------   Looks for
 |with virus|   -------------------        |X.EXE - virus|   other *.JPG files
 | main code|   -------------------        | main code   |   and affects them
 ------------                              ---------------

Then the virus tries to show JPEG images in the standard Windows way and opens them with the C:\WINDOWS\SYSTEM\SHIMGVW.DLL file (the "Shell Image View Control" library). If Windows is installed in another directory or that file does not exist, the virus fails to display the affected JPEG image (and Windows displays a standard error message).

Note: the virus does not "infect" JPEG image files, but "affects" them. The virus code presented at the end of affected files is not activated on clean systems. The JPEG image files "affected" by the virus can be opened and viewed on clean machines without any risk. The only way to run the virus code from affected JPEG images is when the system is already infected (the EXTRK.EXE file is installed in the system).

Thus the virus affects, modifies, or alters JPG files but does not "infect" them. If such a file is opened as a text file or in hexadecimal format, the virus code and text are visible, but this does not mean the file is "infected" (if the word "virus" is written on a wall, this does not mean the wall is infected).
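The two file-level traits described above (EXE code appended to a JPEG, and the "alco" string at the file end) can be checked together to find affected images. The following is an added example, not code from the original entry; it assumes the marker is the four ASCII bytes "alco" as the last bytes of the file and that the appended EXE keeps a standard MZ/PE header, and all function names and sample bytes are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

MARKER = b"alco"  # end-of-file string named on the page; ASCII bytes assumed

def find_embedded_pe(data: bytes, start: int = 2) -> int:
    """Return the offset of the first plausible PE image in data, or -1."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew at DOS-header offset 0x3C points to the PE signature
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            # 0x1000 is an arbitrary sanity bound chosen for this example
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def inspect_jpeg(data: bytes) -> dict:
    """Classify one file: JPEG start marker, embedded PE, trailing marker."""
    is_jpeg = data[:2] == b"\xff\xd8"  # JPEG SOI
    pe_offset = find_embedded_pe(data) if is_jpeg else -1
    marker = data.endswith(MARKER)
    return {"jpeg": is_jpeg, "pe_offset": pe_offset, "marker": marker,
            "affected": is_jpeg and marker and pe_offset != -1}

def scan_dir(root: str) -> list:
    """Return paths of *.jpg files under root that match all three checks."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".jpg":
            if inspect_jpeg(path.read_bytes())["affected"]:
                hits.append(str(path))
    return hits

# Constructed sample data (not taken from a real sample)
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 16
AFFECTED_JPEG = CLEAN_JPEG + PE_STUB + MARKER

if __name__ == "__main__":
    for hit in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("appended PE + 'alco' marker:", hit)
```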

©Virus-Encyclopedia.com All Rights Reserved.