
W32/Perrun

Type: Virus
SubType: Win32
Discovery Date: 06/13/2002
Length: 11,780 bytes (UPXed); 5,636 bytes (extractor)
Minimum DAT: 4208 (06/19/2002)
Updated DAT: 4208 (06/19/2002)
Minimum Engine: 5.1.00
Description Added: 06/13/2002
Description Modified: 06/19/2002 12:41 PM (PT)
Risk Assessment: Corporate User: Low-Profiled; Home User: Low-Profiled


Characteristics

This appending virus is the first reported JPEG infector. It is multi-component in nature, requiring an extractor file to extract (and execute) the virus body from infected JPEG files.

Infected JPEGs are unable to replicate on non-infected machines, i.e. machines without the extractor component installed (hooked in the Registry).

McAfee products running the 4185 DATs (or greater) with program heuristics enabled detect both the virus body (11,780-byte PE) and its extractor component as virus or variant W32/Alcop@MM.

This virus is a proof of concept and it has not been seen in the wild.

The author of this virus has released a second variant that targets text files with the filename extension .TXT.

The method of operation of this second .b variant is almost identical to the original W32/Perrun virus, with only minor differences in the filenames used.

Again, this second variant is detected by McAfee products running the 4185 DATs (or greater) with program heuristics enabled as virus or variant W32/Alcop@MM.

Symptoms

  • Modification of a system Registry key as described below
  • Increase in the size of JPEG files (+11,780 bytes)
  • Increase in the size of .TXT files (+11,780 bytes)

Method of Infection

The virus arrives in the form of an 11,780-byte PE file. When run on the victim machine, the 5,636-byte extractor component (EXTRK.EXE) is dropped (to the current directory). Both files are written in Visual Basic 6 and packed with UPX. The following Registry key is modified so that opening a JPEG file is hooked:

HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1

Subsequently, when JPEG files are opened, the extractor component checks whether the file is infected. If so, the virus body is extracted and executed. Only JPEGs in the current directory are infected, and only one file is infected per cycle. The extractor then attempts to display the JPEG using a system DLL.

The .b variant uses the filename TEXTRK.EXE for the extractor component and the registry key modified is:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = (current directory)\EXTRK.EXE %1
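As an added example (not McAfee's detection logic and not code from this page), the following Python checks for the two artifacts the description names: an overlay appended after a JPEG's end-of-image marker, and a jpegfile/txtfile shell\open\command value that launches EXTRK.EXE or TEXTRK.EXE. The registry check is a pure function on the command string so it runs offline; the JPEG samples are constructed and are not real Perrun output.

```python
import struct

# Values quoted on the page for W32/Perrun (.a) and the .b variant.
PERRUN_BODY_LEN = 11780                        # appended virus body, bytes
EXTRACTOR_NAMES = ("extrk.exe", "textrk.exe")  # dropped extractor filenames

def jpeg_image_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9), or -1 if not a JPEG.

    Segments are walked by declared length rather than searched for FF D9,
    so an embedded EXIF thumbnail (which has its own EOI) is skipped whole.
    """
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker, pos = data[pos + 1], pos + 2
        if marker == 0xD9:                         # EOI: image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            continue                               # standalone, no length
        if pos + 2 > len(data):
            break
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:                         # SOS: skip scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1

def scan_jpeg(data: bytes) -> dict:
    """Report bytes past EOI and whether they look like Perrun's appended body."""
    end = jpeg_image_end(data)
    overlay = data[end:] if end >= 0 else b""
    # A PE image (MZ header) glued onto a picture is never legitimate.
    suspicious = overlay.startswith(b"MZ") or len(overlay) == PERRUN_BODY_LEN
    return {"valid_jpeg": end >= 0, "overlay_len": len(overlay), "suspicious": suspicious}

def hooked_by_extractor(command_value: str) -> bool:
    """True if a shell\\open\\command default value launches the extractor."""
    return any(name in command_value.lower() for name in EXTRACTOR_NAMES)

# Constructed samples: a minimal JPEG skeleton, and the same with a fake
# MZ-headed overlay of Perrun's stated length appended after EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\x12\x34\xff\xd9"
INFECTED_JPEG = CLEAN_JPEG + b"MZ" + b"\x00" * (PERRUN_BODY_LEN - 2)
```

An image with a trailing overlay is worth a look even when the size is not exactly 11,780 bytes; the length match only narrows the result to this family.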

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
