[ QUOTE ]
JanCPF said:
Empath,
Are you sure about that? Where did you read that?
[/ QUOTE ]
Symantec's page tells about it.
[ QUOTE ]
from Symantec
Technical Details
If a .jpg or .txt file that has been altered by W32.Perrun is opened on another, uninfected computer, it will not execute malicious actions on that computer because the virus requires the presence of the Extrk.exe or Textrk.exe file for it to execute and append its malicious content to other files.
Upon execution of the viral executable which is detected as W32.Perrun.dr, the virus does the following:
It drops the files:
* Reg.mp3. This is a registry file that the virus uses to modify the registry.
* Extrk.exe or Textrk.exe. This is the executable that will be configured in the registry to open all JPEG or TXT files.
[/ QUOTE ]
The situation with a jpeg is that a jpeg doesn't execute. It's only loaded into a buffer area and then interpreted by the GDI or some graphics rendering application. If you can force the process into an error situation, then recovery by your system will do what it's suppose to do. By loading a virus executable sytem beforehand, you can alter how the system recovers, and instead of doing what it would ordinarily do, it runs the virus file.
Actually, even with the Microsoft patch to insure checking the buffer for an overflow, you're not assurred of anything. As long as an error can be introduced, and a system has a preloaded virus executable, then it can do anything the writer designed it to do. The buffer overflow works out so well for virus writers because the instruction routine can be written into it.
