The Perrun virus gained attention last week for its ability to infect JPEG files, but antivirus experts hoping to clear up initial confusion said the virus is proof-of-concept code and is not carried by JPEGs.
Perrun drops an extractor program (extrk.exe) on a Windows computer it infects that executes malicious code tucked on the end of a JPEG downloaded from an unrelated source. Viral code from infected JPEG files won't run on systems if Perrun is not installed.
Perrun makes system registry changes so that all JPEG graphic files are examined by the extractor before being viewed. If malicious code is tucked in a JPEG file, then the extractor executes it.
Perrun was distributed to antivirus companies as a "proof of concept." In other words, it is not in the wild but the creator wanted to let the world know what it could do.
"Some submit proof-of-concept viruses as a heads-up to let us know that a hole exists in a situation," said Chris Wraight, technology consultant at Sophos. "Others do it to thumb their noses at us."
The public shouldn't be too concerned about the implications of the virus, Wraight said. Embedding a virus in a JPEG would render the picture unviewable.
The real Achilles' heel of the virus is the need for a separate extractor program to run the viral code from JPEGs, said Roger Thompson, technical director of malicious code research at TruSecure Corp. In other words, one would need to be hit twice (by the extractor virus and an infected JPEG).
The key to understanding Perrun is the difference between executable files and data files. JPEGs are data files and as such can't include code that executes itself like a program. Some "1s or 0s" can be added to the end of the file that Perrun can extract and execute, Thompson said. But the code can't execute on a system without the Perrun virus.
There are times when the line between data and executable files are blurred such as Word documents, Thompson said. In order to accommodate graphics and spreadsheets, the documents in essence can contain a bunch of little applications. So while a Word document appears to be a single file, it is in fact a complex web of files and applications, Thompson said.
A JPEG is by contrast has a simpler file structure. At this time, an executable program can't be embedded in it, Thompson said.
While Perrun is not in the wild, users shouldn't be too worried about protecting against it. They don't need to worry about scanning JPEGs for viruses, but should concentrate on protecting against executables. "Keep your antivirus up-to-date. In other words, they don't have to do anything different," Thompson said.