Dubbed the first "JPEG infector" by security company Network Associates, the W32/Perrun virus has two parts: infected JPEG images that contain the virus's payload and a viral program that extracts the code from the images and infects other JPEGs on the system as they are opened.
Allan Bell, senior marketing manager for Asia Pacific at Network Associates, confirmed that this particular virus posed very little actual threat, because it had been submitted to the vendor by the virus writer, rather than being released into the wild.
However, Bell warned that W32/Perrun presented a potential threat because of the possibility that other virus writers may copy the concept and then release it.
"The key thing to take away from this particular virus is that files previously felt to be safe now may potentially carry viruses," Bell said.
Bell said that W32/Perrun demonstrated a new way viruses could be distributed. "There's no reason why it needs to be limited to JPEGs--the technique could just as easily be used with movies or any other data files," he said. "It means from a security viewpoint people will need to scan attachments that they in the past may not have scanned."
Because PCs have to be infected by the extractor virus before any code hidden in image files can affect them, the program is more a computer-science curiosity than a threat, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
"We are not saying that this is a problem," Gullotto said. "We gave it a low risk, but we haven't seen anything like this before." A digital image carrying code for W32/Perrun is easy to spot, he said, because the image is corrupted by the new code.
PC users should note that they can't be infected by opening a JPEG image. Rather, a virus on an infected computer copies code into a digital image and waits for the JPEG to get passed along to other infected systems. The virus on those systems will read the code fragment in the JPEG image and follow the instructions. Users who haven't been infected by the extractor virus can open an infected digital image and nothing will happen.
The extractor file only infects computers running Microsoft Windows and doesn't include a mass-mailing component. And, in fact, the virus has not been released on the Internet, but has been sent only to major antivirus companies by the creator of the code.
However, the code has opened up a debate among antivirus researchers as to whether viruses with multiple parts could represent a new threat to PC users.
With some rather simple improvements, the virus could pose a threat, Gullotto said.
One obvious modification, which has already been discussed among the virus community, is using steganography--a technique to hide data in pictures--to allow such programs to embed code in images without corrupting the picture.
An upgradable virus is not a new event in the virus world. Hybris, a worm that slowly infected a large number of computers on the Internet last year, could be upgraded with encrypted plug-ins that were posted to Usenet, security experts have said.
Researchers have long worried about the evolving technology in viruses, and the latest critter to climb out of the Internet shows that the arms race with virus writers hasn't slowed.
But for Gullotto, the real lesson is one of foresight.
"People should start becoming more leery of JPEG files," he said. "If there is a chance that we can get ahead of the virus curve in educating the users, we should."











