That's getting scary!

[Und3ertak3r]

W32.Perrun is a virus that infects JPEG files. The malicious content of files that it infects will not spread to other computers. Indications of infection are that .jpg files will have increased in size by approximately 11KB, and the presence of the file Extrk.exe.


Variants: W32.Perrun.dr
Type: Virus
Infection Length: 11,780 bytes
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

and

If a .jpg file that has been infected by W32.Perrun is opened on another, uninfected computer, it will not execute malicious actions on that computer because the virus requires the presence of the Extrk.exe file for it to execute and infect other files.

Upon execution of the viral executable, detected as W32.Perrun.dr, the virus does the following:

It drops the files:

Reg.mp3. This is a registry file that the virus uses to modify the registry.
Extrk.exe. This is the executable that will be configured in the registry to open all JPEG files.

Extrk.exe is then configured to open all JPEG files by changing the (Default) value of the registry key

HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command

to

extrk.exe %1

Check it here http://securityresponse.symantec.com...32.perrun.html

proof of concept?... yes.. jpg infection.. f*** no, you still need to extract the info from the JPG, so there for it is a two part virus. the extractor is the first part and the code in the jpg is the second.. the "infected" JPG on its own is useless.
So could the extractor be considered a bomb?

Cheers

[DeadCr0w]

proof of concept?... yes.. jpg infection.. f*** no, you still need to extract the info from the JPG, so there for it is a two part virus. the extractor is the first part and the code in the jpg is the second.. the "infected" JPG on its own is useless.

I got that ! that's not my point!



This is the scary part (from the article) :

In its current form, an infected JPG file sent to a friend or placed on a Web site isn't dangerous without the extractor file. But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

Now what if the journalist didn't quote Gullotto wrong (head of the research departement at McAfee fot those who didn't see it)?

I find that hard to beleive too but what if

[Noia]

It uses camuflage technologie, in other word's....the .JPG is not dangerous, unless you have already been infected, which make's it useless.
My theorie:
The virus Set's a pipeline on the command line's, when a JPG if open's, It encode's the virii into it, using Camuflage Technologie....without this pipeline, and the Modulator, the virus is a good as dead.......and if Windows don't go doing something stupid like making a file exstention where script's can be imprinted upon, then we'r safe..... :P
------------------
That's my 2 cents
- Noio

[souleman]

Bleah, over 10 minutes formulating a reply and my connection crashes when I hit submit thread and loose everything. Anyway, this isn't nearly as nice as the last one, but I will try...

IE can run scripts, but to get the jpeg to do anything, there would have to be a script (activeX, javascript, VBscript, etc) to acually do anything to the file. Unless of course MS tries to patch something in IE, and causes the problem themself (which could happen).

Its a lot like the PDF virus a couple years back.. http://news.com.com/2100-1001-271267.html?legacy=cnet You had to have Acrobat (not Acrobat reader) to get infected. It exploited a "feature" in acrobat. There were rumors of this becomming wide spread, but never did.

Also, look at Vincent Gullotto. They don't want a virus tech as the VP/Director/Head/whatever of the AniVirus Emergency Responce Team. They want someone who knows how to manage people with Project Management skills. I would bet that most of his information is fed to him, and he really doesn't know much about what he is talking about. Nothing more then a PR guy. To prove my point.. http://www.osopinion.com/perl/story/14733.html

"Worms are designed to be out there as long as they can be,"
Network Associates' McAfee AVERT senior director
Vincent Gullotto told NewsFactor Network. "These [Magistr and Sircam] just kind of
move like worms are supposed to move -- a little bit here, a little bit there. The
ultimate success is how long they can stay out there."

What the hell is move like worms are supposed to move???? Sounds like a marketing ploy to me... and "a little bit here, a little bit there"???? Neither one of those two worms moved a little bit. They both took over as much as they could as fast as they could. That is why they became very high profile. They cause a lot of infections quickly.

Like I said, this reply isn't nearly as good as the one I wrote before. I hope the power company stops messing with my ISP....

[thesecretfire]

New features in windows 2003 (to be released december 2005):
With new and exciting accessibility features, every file will have the ability to execute code for extra rich content for the end user. Naturally, this code will have full permission to edit files so as to give the user the easiest and most enjoyable computing experience.

You laugh now, but...

[Terr]

Noia: Erm... what are you trying to say?

Deadcrow: If the McAffee guy WASN'T misquoted, then I'd say he is lying. Not an intentional lie, however, but a misunderstanding or a lie of someone else's.

[Simon Templer]

Wow, it's been a while since I've posted (months!!!)

Hello Everyone,

I noticed this thread, and I thought that maybe I could help by offering a programming perspective:

When I first read the Security Focus article on the virus, I was real curious and so I created my own JPEG Infector. I wrote a paper on the concept of JPEG infecting.

http://www.geocities.com/pharmicomlabs/jpg/

The paper has a sample program and source code for embedding messages and files into images without distorting them. (The process is really easy!!)

I'm sure you'll find it interesting! But to sum up a few things, and put a few minds at rest, here is what I concluded:

1. As someone has already mentioned, (As of right now) JPEG's CAN NOT act as executable files.

2. As someone else has already mentioned... This "new" form of file infection is just Steganography (An old technology)

3. The JPEG infector requires an extractor to run embedded code/files

I noticed there was a big dispute on this issue... the way it works is very simple:

An extractor program is installed/downloaded/whatever and registers itself as the default handler for images. (This is similiar to going to Folder Options > File Type in explorer.)

When an image is "opened" the extractor extracts the file/code, executes the file/code and then starts the real image program (paint, IE, photoshop, etc)

See how simple that works

In conclusion:

As someone was so gracious to mention... without the Extractor, the "infected" JPG is just an image with "junk" data added at the end.

Hope this helps put some minds at ease:

Simon Templer

[Terr]

Yes, LTNS! ("Wibbles.")

[Union Elite]

yeah..that's really scary...infact the internet is a scary place to be without knowledge of security and computers...i am going to set m e-mail to not accept images