return To index

Why Did I Write Perrun.NET?
---------------------------
alcopaul/brigada ocho
june 02, 2011


It has been almost 9 years since the media picked up on the virus that I wrote in Visual Basic 6.0. It was supposed to be
a joke virus. At first I wondered why McAfee decided to make a press release, stating that it was the first "JPEG virus", a proof
of concept. Of course, there were skeptics, saying that it was lame. But nevertheless, the mark has been made. The attention 
got into me and little by little I realized why it was a big thing. No one had the guts to go crazy and write a virus that 
tries to infect a picture file. Only I had the guts. It was like shooting darts in the sky, that time I happened to hit a 
flying bird.

Perrun was very simple. It was a combination of 2 executables - the virus and the extractor. The virus took care of file
search and jpeg infection. The file search was not that ominous. It only searched files in its current directory and appended
itself to a jpeg file that's not yet infected. The infection was not that complicated. It just appended itself to target. That's
it. It's basically "copy /b virus.exe+picture.jpg" but done in Visual Basic 6. The extractor facilitated the infection of 
other jpeg files whenever they were viewed. For this to happen, the virus modified the registry key,

HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command

to 

extrk.exe %1

The above means that whenever a user clicks a jpeg file, the extractor gets executed and takes the jpeg file as a parameter. 

The extractor checked if the jpeg file was infected. If infection was found, it "extracted" the virus and executed it, further carrying 
on the infection. After that, it displayed the picture using the appropriate viewer.

While it can spread infection in a system, carrying on the infection from a system to another was impossible by passing infected
pictures. The only way to do this was by executing the executable virus in a system. This was the reason why the skeptics
criticized the virus. And I recognized this as a very big stumbling block for the virus.

The sensation waned and died. But the news articles and forum posts were still there. 

Until almost 9 years later.

Perrun.NET Gets Conceptualized
------------------------------

So on May 27, while I was looking at an unfinished C# source code that appends gzipped version of itself to picture files, 
an idea popped in my mind. Since the source code can lead me to something like Perrun, I asked myself, "why don't I make a modern 
version of Perrun?". In an instant, I decided to do it.

First, I had to address the limitations of original Perrun.

1.) Infecting all jpegs in harddrive (check)
2.) Possibility to be executed by passing jpegs (check)

#1 is easily solved since I've been using in my source code a snippet that scans the whole hard drive for files with a certain
extension type. I just replaced the search string with "*.jpg".

#2 required some little thinking. I had to answer the question, "How can I get the picture to execute the embedded executable
inside it?". Of course there's no way that a picture can execute an executable appended to itself (unless with an aid of extractor
which will defeat the purpose since I was trying to have it executed in while in a jpeg). Then I remembered the old trick of
embedding an archive inside a jpeg file and viewing the contents of the archive using a compression tool. Alas, the light
was seen. Now there's a possibility that the executable be exposed inside a jpeg file. It's one step closer to execution!

But at first I was getting frustrated. My unfinished code involves creating gzip files (System.IO.Compression), which was
not serving me well. I tested appending a gzip file in jpeg files and opening it with winrar but it always give me a bad archive
format exception. Luckily, I learned that I can make a zip file using System.IO.Packaging, an archive which will do the thing.
And my little problem was solved. 

The next question to answer is that "How can a user be lured to viewing the executable file inside the picture file?". Since
this was using the .NET classes, there must be a way of embedding a message to the picture file instructing the user to
open it using a compression tool. I searched the net for it and my search wasn't futile.. (System.Drawing namespace is so cool).

So I made a preliminary virus that

1.) Searches for jpeg files
2.) Examine the jpeg file for infection
3.) Zips itself and appends the zip to the jpeg file
4.) Modifies the picture file to include a message that instructs the user to open the picture file in a compression tool

I tested it and I was satisfied with the results. The message was on the picture and when I open the infected jpeg in winrar,
the executable can be seen, waiting to be clicked..

Environment Problem
-------------------

The original Perrun's environment when I tested it was Windows Millenium so modifying the registry key,

HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command

to 

extrk.exe %1

will pass the jpeg file to extrk.exe as a parameter whenever the jpeg is clicked. In Windows XP SP23 (or maybe in greater version),
this was not the case. So I had a problem of carrying on the infection locally. I had to consult the internet but the internet
didn't help me. So I had to do this by myself.

After regmonning and examining registry changes when I change file associations by right clicking a file, left-clicking "Properties"
and "Opens With - Change", I found the right registry keys to modify.

1.) Set HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg value to "Application", "mspaint.exe" so
jpeg files will be opened by mspaint
2.) Modify HKEY_CLASSES_ROOT\Applications\mspaint.exe\shell\edit\command to "extrk.exe %1" so when mspaint application is called
by registry, it will execute the "extrk.exe" + the parameters instead.

So it's solved. The extractor now can examine a jpeg file and carry on infection whenever a jpeg file is clicked.

Virus done
----------

So after finishing the virus, I sent it to different AV companies for detection and writeups (so far no writeups maybe because
they became lazy through the years.), and uploaded an infected jpeg to a picture site (http://img101.herosh.com/2011/05/28/122924334.jpg). 

(Check Perrun.NET (MSIL.Perrun) in the Sources section)

After doing this, I was so satisfied that I felt like not coding anymore. But there were thoughts meandering. I thought that I 
could make this virus connect to the internet and upload infected jpegs to a few picture sites! Or maybe someone could write this
in a language without much dependencies. But I'm glad that I wrote it in C# since most of the important methods of the virus are made
possible by .NET classes.

The virus was tested in Windows XP SP3 with .NET Framework 4.0. The .NET Framework requirement is only 3.0 (for System.IO.Packaging class).

Conclusion
----------

So why did I write a modern version of Perrun? Just to address some issues and test the waters, hehehhe..