First JPEG Virus Identified
McAfee studies lab virus that could change the way digital infections spread--and are contained.
Sam Costello, IDG News Service
Thursday, June 13, 2002
A new virus can--for the first time--infect image files, says an antivirus vendor. This means the virus could spread through Web site graphics and force antivirus companies to re-engineer their products, McAfee officials say.
The virus is not yet in the wild, meaning it is not spreading on the Internet; it was sent by its author to antivirus vendor McAfee Security, a division of Network Associates. McAfee calls the virus W32/Perrun, says Vincent Gullotto, senior director for the McAfee Anti-Virus Emergency Response Team, which received the virus Thursday morning.
The virus is built to spread first as an executable, or .exe, file and then in JPEG image files, Gullotto says. Were it to spread in the wild, W32/Perrun would appear as an executable that would infect JPEGs when it was run, he says. The executable can be transmitted in standard ways, such as by download and via e-mail. The first JPEG viewed after the executable is run will have the virus code appended to it, Gullotto says. The virus will then seek out other JPEG files in the same directory and try to infect them, he says.
W32/Perrun is the first virus to infect JPEGs, according to McAfee.
Only machines that already have the executable file on them could be infected, because of the way the virus is written, Gullotto says. It's possible, though, that future derivatives of this virus could do away with the executable as a prerequisite for infection, he adds.
Because JPEGs are a common image format on the Web, the virus poses a risk of infecting any user who views an infected file on a Web site, Gullotto says. Users would have to have the executable on their systems to become infected in this way, he notes.
The initial version of W32/Perrun that McAfee has examined does nothing more than try to infect other JPEG files, but future versions could be modified to include all manner of code. Gullotto cites potential infection through Trojan horses and other programs that could leave PCs open to attackers. Future versions of the virus could also be modified to attack other file types, such as text files and MP3s, he says.
"This may begin to change the face of what files virus writers start to pay attention to," Gullotto says. "While these files have been safe, we may see a time in the future when these files are not safe."
Such a circumstance could also force antivirus companies to re-engineer their products, he says. Current antivirus software would experience serious performance degradation if it had to scan image files and others for viruses, he says. If this type of virus attack becomes more prevalent, antivirus software will have to be modified to handle it, he says.