SecurityFocus 2002-06-14
Virus writer's paper suggests Perrun might not make history after all.
The
On Thursday Network Associates issued a press release
NAI and other virus researchers have not disclosed the name of the author of Perrun, which they classified as low-risk and not currently spreading in the wild.
According to Alcopaul's tutorial, "This routine will make all file types vulnerable to virus attack... the makings of a universal virus."
While Perrun is designed to insert code into JPEG files, the affected image files are not capable of replicating the virus. Instead, the virus requires an executable file, Extrk.exe, to append its malicious content to other files, according to a
According to Alcopaul's tutorial, "When Virus runs, it will search for another picture file, prepends itself if not infected, extracts Picture file and shows the image ... lame."
Most virus researchers agreed with Alcopaul's assessment of the infection technique, and said some early reports overstated the importance of Perrun.
"I think it's all pretty lame. It can't execute without the helper app," said Roger Thompson, malicious code analyst for ICSA Labs. The virus's primary payload consists of a change to the infected system's registry such that Extrk.exe is configured to open all JPEG files by default, he said.
According to Thompson, virus researchers named the code Perrun because it is designed to "infect" another JPEG file once per run.
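The article describes content being prepended or appended to JPEG files. As an added example (not code from the article, from NAI, or from the tutorial it quotes), the Python sketch below walks a file's JPEG marker chain and reports bytes that sit in front of the image or after its end-of-image marker. The function names and the sample bytes are constructed for illustration; the article gives no file layout for Perrun, so this is a generic structural check rather than a signature for it.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

def jpeg_end(data: bytes):
    """Offset just past the EOI marker, or None if the marker chain is broken."""
    if data[:2] != b"\xff\xd8":     # every JPEG starts with the SOI marker
        return None
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:          # fill byte before a marker
            i += 1
        elif marker == EOI:
            return i + 2
        elif marker in NO_LENGTH:
            i += 2
        else:
            if i + 4 > len(data):
                return None
            (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
            if seg_len < 2:
                return None
            i += 2 + seg_len        # skip the segment, including any embedded thumbnail
            if marker == SOS:       # entropy-coded scan: run to the next real marker
                while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] != 0x00
                    and not 0xD0 <= data[i + 1] <= 0xD7
                ):
                    i += 1
    return None

def classify(data: bytes) -> str:
    """Triage a file that carries a .jpg/.jpeg name."""
    if data[:2] == b"MZ":
        return "executable-header"  # DOS/PE program sitting in front of the image
    end = jpeg_end(data)
    if end is None:
        return "malformed"
    return "trailing-data" if end < len(data) else "clean"

# Constructed sample: SOI, an APP0 segment whose payload happens to contain FF D9,
# a scan header, four bytes of scan data with a stuffed FF 00, then EOI.
SAMPLE = (b"\xff\xd8" b"\xff\xe0\x00\x04\xff\xd9"
          b"\xff\xda\x00\x02" b"\x12\xff\x00\x34" b"\xff\xd9")
```

Bytes after the end-of-image marker are a triage signal rather than proof of tampering, since some legitimate tools also write data there.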
Like Onel de Guzman, the creator of the Love Letter VBS worm, which infected millions of computers in May 2000, the author of the white paper appears to be a resident of the Philippines.
According to his ICQ
Alcopaul is listed as a member of
