Win32.Perrun
Description Win32.Perrun
Perrun is a non-dangerous non-memory resident parasitic Win32 virus. It is a Windows PE EXE file about 12KB in length (when compressed by UPX, the decompressed size is about 18KB), and written in Visual Basic.

The main virus feature is its ability to affect JPEG image files (compressed graphic images) and spread via affected JPEG files. When the virus runs it searches for all *.JPG files in the current directory and appends its code to the end of the files (resulting in EXE virus code at the end of affected JPEG files). The affected files receive the string "alco" at the file end. By checking for this string the virus avoids affecting the same file twice.

Perrun extracts from itself another EXE file: a virus component 5.6KB in length, also written in Visual Basic and compressed by UPX. This component is saved to the "extrk.exe" file in the same directory from which the infected file is run. It is registered in the system registry in the "jpegfile" key:

  HKCR\jpegfile\shell\open\command
    default = %CurrentDir%\extrk.exe %1

As a result the virus associates its component with JPEG files, and when any JPEG file is opened the virus component is run. The component reads the JPEG file body, looks for the EXE virus code at the end of the JPEG file, saves this main code to the X.EXE file in the same directory and executes it. Thus the main virus code is run, and an infected system's JPEG files are then able to spread the virus code.

  ------------
  |JPEG file |  EXE component (EXTRK.EXE)
  |----------|  reads and executes        ---------------     Looks for
  |with virus| ---------------------> |X.EXE - virus| --> other *.JPG files
  | main code| ---------------------> |  main code  | --> and affects them
  ------------                         ---------------

Then the virus tries to show JPEG images in the standard Windows way and opens them with the C:\WINDOWS\SYSTEM\SHIMGVW.DLL file (the "Shell Image View Control" library). If Windows is installed in another directory or that file does not exist, the virus fails to display the affected JPEG image (and Windows displays a standard error message).

Note: the virus does not "infect" JPEG image files, but "affects" them. The virus code present at the end of affected files is not activated on clean systems. The JPEG image files "affected" by the virus can be opened and viewed on clean machines without any risk. The only way to run the virus code from affected JPEG images is when the system is already infected (the EXTRK.EXE file is installed in the system). Thus the virus affects, modifies, or alters JPG files but does not "infect" them. If such a file is opened as a text file or in hexadecimal format, virus code and text are visible, but this does not mean the file is "infected" (if the word "virus" is written on a wall, this does not mean the wall is infected).
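A defender-side check for the file layout described above, as an added example that is not part of the original description: it walks the JPEG segments to the end-of-image marker and reports appended data, an embedded PE header and the "alco" end-of-file string. The function names, the PE-header test and the sample bytes are assumptions constructed for illustration; data after the image end can also come from benign tools, so the three fields are meant to be read together.

```python
MARKER = b"alco"  # string the description says is left at the end of affected files

def jpeg_end(data):
    """Offset just past the EOI marker, or None if the JPEG structure is broken."""
    if data[:2] != b"\xff\xd8":                        # SOI must open the file
        return None
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return None
        m = data[i + 1]
        if m == 0xD9:                                  # EOI: the image ends here
            return i + 2
        if m in (0x01, 0xFF) or 0xD0 <= m <= 0xD7:     # fill byte or length-less marker
            i += 1 if m == 0xFF else 2
            continue
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        if seglen < 2:
            return None
        i += 2 + seglen                                # skip segment, embedded thumbnails too
        if m == 0xDA:                                  # SOS: skip entropy-coded scan data
            while i + 1 < len(data):
                n = data[i + 1]
                if data[i] == 0xFF and n not in (0x00, 0xFF) and not 0xD0 <= n <= 0xD7:
                    break                              # next real marker reached
                i += 1
    return None

def has_pe(blob):
    # True if blob holds an MZ header whose e_lfanew field points at a PE signature
    pos = blob.find(b"MZ")
    while pos != -1:
        lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
        if blob[pos + lfanew:pos + lfanew + 4] == b"PE\x00\x00":
            return True
        pos = blob.find(b"MZ", pos + 1)
    return False

def inspect(data):
    end = jpeg_end(data)
    if end is None:
        return {"jpeg": False}
    tail = data[end:]                                  # everything after the image itself
    return {"jpeg": True, "trailing_bytes": len(tail),
            "embedded_pe": has_pe(tail), "perrun_marker": data.endswith(MARKER)}

# Constructed sample: JPEG skeleton (APP0 payload holds a decoy FF D9) and a fake PE stub.
CLEAN = bytes.fromhex("ffd8 ffe00006ffd94142 ffda000300 12ff0034ffd056 ffd9")
STUB = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
AFFECTED = CLEAN + STUB + MARKER
```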
Backdoor.Subseven
Description Backdoor.Subseven
This is a remote administration utility used to control infected machines. It functions in a similar way to the Backdoor.BO (a.k.a. Back Orifice) Trojan.
Backdoor.TheThing
Description Backdoor.TheThing
This text was written by Peter Szor, Data Fellows Ltd

This backdoor copies itself with the EXPIORE.EXE name to the Windows directory and with the name of RUNDLI.EXE to the Windows\system directory. It then modifies the SYSTEM.INI "shell" section, or the registry run field, to execute the program each time Windows starts up.

When executed, it tries to connect to wnp.icq.com with a user id of 111138. This id is owned by a hacker now calling himself "Of Hacker Anarchy Warrior". TheThing sends a message to him, and in this way the hacker can see that the program is in use on that machine. The local program then starts to listen, so the hacker can start to communicate with and get information from that particular machine.

To remove it, delete this file and RUNDLI.EXE from the system directory, and fix the SYSTEM.INI shell section to remove the executed EXPIORE.EXE from there, or from the RUN field of the registry.