Aliases: W32/Perrun-A, PE_PERRUN.A, Win32.Perrun, W32/Perrun, Perrun, W32/Perrun.A
Variants: W32/Perrun.gen

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 13 Jun 2002
Damage: Low

Characteristics: On June 13, 2002, a virus that appends itself to .jpeg or .txt files was discovered. The virus is called W32.Perrun. It is also known as W32/Perrun-A, PE_PERRUN.A, Win32.Perrun, W32/Perrun, Perrun and W32/Perrun.A. The operating systems that can be affected by this virus are Windows 2000, 3.x, 95, 98, Me, NT and XP.

More details about W32.Perrun

This virus adds itself to all .jpeg and .txt files. Although it will not spread to other computers, the virus causes the size of infected .jpeg and .txt files to increase by about 11KB. The appearance of Extrk.exe or Textrk.exe is another indication that the virus has been installed on the computer system. If the file Shimgvw.dll does not exist on drive C, the original data will not be extracted from .jpeg files. Likewise, if Notepad.exe does not exist, the original data will not be extracted from .txt files.

Furthermore, other computers will not be infected by this virus if the Extrk.exe or Textrk.exe files are not present on them. This means that a computer will only be infected once Extrk.exe or Textrk.exe is present. These files are responsible for executing the malicious content and appending it to .jpeg and .txt files.

When W32.Perrun.dr, the viral executable, is executed, it drops Reg.mp3 and Extrk.exe or Textrk.exe. Reg.mp3 is a registry file used by the virus to modify the system registry, while Extrk.exe or Textrk.exe is the executable file that is configured in the system registry to open all JPEG or TXT files. Extrk.exe is configured to open all JPEG files by modifying the value of the system registry key to extrk.exe %1. For TXT files, Textrk.exe is configured to open all TXT files by changing the default value of the system registry key to textrk.exe %1.
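A defender can check for the file-association change described above by searching a registry export for open commands that run Extrk.exe or Textrk.exe. The following is an added example, not part of the original write-up; the key names and paths in the sample export are constructed, because the page does not name the registry key the virus edits, so the check covers every shell\open\command key instead.

```python
import re

# Handler file names taken from the description above.
HANDLER = re.compile(r'(?:^|[\\/"\s])((?:extrk|textrk)\.exe)(?=$|["\s])', re.I)

# Constructed sample in the text format of a registry export (.reg). The key
# names and paths are made up; the page does not name the key the virus edits.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Example.Image\shell\open\command]
@="C:\\extrk.exe %1"

[HKEY_CLASSES_ROOT\Example.Text\shell\open\command]
@="C:\\WINDOWS\\notepad.exe %1"

[HKEY_CLASSES_ROOT\Example.Doc\shell\open\command]
@="\"C:\\Tools\\Textrk.exe\" %1"
'''


def default_values(export_text):
    """Yield (key, default value) pairs from decoded .reg export text."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg string values escape backslash and double quote with a backslash.
            yield key, re.sub(r"\\(.)", r"\1", line[3:-1])


def hijacked_open_commands(export_text):
    """Return (key, command) for open commands that run Extrk.exe or Textrk.exe."""
    hits = []
    for key, command in default_values(export_text):
        if key.lower().endswith(r"\shell\open\command") and HANDLER.search(command):
            hits.append((key, command))
    return hits


if __name__ == "__main__":
    for key, command in hijacked_open_commands(SAMPLE_EXPORT):
        print(f"suspicious handler: {key} -> {command}")
```

The functions expect already-decoded text, so a UTF-16 export file has to be read with the matching encoding before it is passed in.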

The W32.Perrun program is installed on a user's computer stealthily. It may enter a computer through program errors and system vulnerabilities. The program creates some registry entries to ensure its start-up. Start-up occurs each time the system is started or when the user chooses to reboot the computer. The processes related to this Trojan program may be hidden on the computer, because it has rootkit functions that are capable of hiding them. The W32.Perrun application connects to remote servers to download illicit files and programs onto the computer. These files may include adware and spyware programs, BHOs (Browser Helper Objects), worm programs, and other viruses. They are installed stealthily on the user's machine.