Perrun virus
Proof of concept for sick images

By Mary Landesman, About.com

September 15, 2004: Microsoft released details and patches for a vulnerability involving JPG image files. The critical flaw impacts nearly everyone using Microsoft software and can be exploited from a malicious website or via email. Full story -> Critical flaw paves way for JPG exploit. The following article regarding the Perrun virus is unrelated to the JPG handling flaw announced in September 2004.

June 13, 2002: A rather bizarre attempt to prove that image files were capable of being infected resulted in a 'proof of concept' virus that infects JPEG files. However, this new virus, dubbed Perrun, can't be spread by simply sharing the infected image files. Instead, a special reader application (or pre-virus) is necessary to extract the viral code from the image. The result? A virus that requires a specific, initial infection to place the necessary viral extractor on the system. In other words, the user must somehow be infected twice - first by the 'reader', then by the infected JPEG file. At best, it can only be considered a very clumsy attempt to try and prove that infection via image files is possible. At worst, if a person were to somehow become infected by both necessary parts to this viral puzzle, the result would be that the 'malicious' code would be appended to other JPEG files residing on the local drive.

Considering that the virus cannot email itself, cannot spread beyond the local drive, and the infected JPEGs themselves are completely harmless without the add-on reader component, even the worst case scenario is rather benign. The question becomes whether the 'proof of concept' virus Perrun proves anything other than the desperate nature of certain virus writers who feel a need to prove something, anything, no matter how nonfunctional/dysfunctional that something really is.

The Perrun virus infection begins with an EXE file that, when opened, extracts two files to the system. The first file, EXTRK.EXE, is the component responsible for extracting the viral code from JPEG files. The second file, REG.MP3, modifies the system registry to add EXTRK.EXE as the handler for JPEG files. Thus, the default value for HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command is changed to 'extrk.exe %1'.

After this handler is in place, if an infected JPEG file is opened it will append the viral code to other JPEG files on the local hard drive. Without this special handler application in place, the infected JPEG files are completely impotent. The infected JPEG files can be shared harmlessly with other users, as only the handler component, EXTRK.EXE, can be used to extract the infection. This begs the question as to whether the virus actually resides in the JPEG, or if the real danger of infection lies with the handler application - which is a ho-hum executable and hardly a novel file type insofar as viruses are concerned.

"Some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves," said Chris Wraight, technology consultant at Sophos Americas. "Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It's like a cold only being capable of making people who already have runny noses feel ill."

Indeed, the most notable aspect of the Perrun virus may be the humorous twist proffered by the antivirus vendors themselves. By dubbing it the Perrun virus, they have aptly given it a moniker closely resembling that of a well-known hoax: Perrin.exe.

©2009 About.com, a part of The New York Times Company.

All rights reserved.