[Ham-Computers] Comment: Possible Virus and file extensions...
Hsu, Aaron
[email protected]
Mon, 8 Dec 2003 16:26:59 -0800
I'm a little late jumping into this thread, but I do have a couple of
comments about file extensions/associations.

What's the purpose of file associations? It allows one to open a
document/file in Windows by just double-clicking it. For example, if you
double-click on a .TXT file, Windows will use the program "associated" (aka
"registered") with .TXT files to open the file - in this case, the default
app is Notepad. If you have Microsoft Excel installed, then the .XLS
extension is associated with Excel and if you double-click on an .XLS file,
it will open in Excel. Associations also allow default actions and custom
icons. Extensions are registered either by default when Windows is first
installed or are registered when applications are installed. Once
registered, the extension(s) are "associated" with that application.
Examples of Windows "default" associations are .TXT, .WRI, .COM, .EXE, .BAT,
.WAV, etc.

By default, all versions of MS Windows since Win95 *hide* the 3 (or 4)
character extension if the extension is registered with Windows. For
example, the file "FILE1.TXT" will just show up as "FILE1" without the
extension ".TXT". "COMMAND.COM" just shows up as "COMMAND". There's a
problem with this that many virii take advantage of - if the filename has
multiple dots/periods ("."), then only the characters after the last
dot/period in the filename are considered the extension. This can get
confusing if the last characters are "associated" extensions. For example,
if I save a file as "My baseball.bat", then the file will just display as
"My baseball", since the ".bat" extension is registered and associated as a
DOS batch file. If I try to open it by double-clicking, it won't open as I
expect it to.

To work around this, most programs will automatically append its registered
extension to your file when saved. For example, if I save a document in MS
Word with the name "My baseball.bat", Word will automatically add the ".doc"
extension; therefore, the full filename is actually "My baseball.bat.doc".
And, since the .doc extension is registered, the file will show up as "My
baseball.bat" (without the hidden .doc extension), will have the proper
icon, and will open in MS Word if I double-click it.

Here's where the virii problem comes in. Since the chars after the last
dot/period are hidden (if registered), then what if I intentionally add the
wrong extension to a file? Let's use "My picture.jpg.exe" as an example.
Since .EXE is associated as a Windows executable program, the .EXE is hidden
and the file displays as just "My picture.jpg". The filename looks
harmless, right? That's where the exploit takes place. You double-click on
it thinking it's a .JPG picture. In reality, since it's a .EXE, Windows
launches it as a program. But, nothing happened - nothing opened (maybe an
error occurred) and I was returned to the Desktop. Where's the harm in this?
What if this .EXE is a virus, or a worm, or spyware? Ahhhh, that's how
these things propagate! People unknowingly double-click these files
thinking they're something else (like a picture). Instead, they're
launching a program masquerading as a harmless file. Sneaky, eh? In some
cases, they even show a picture just to make you think it really was a .jpg
file!

Worse, many Microsoft programs (all "Office" apps including Outlook) support
scripting (either Visual Basic, Word or Excel macros, etc). All you have to
do is open a file or e-mail with an autorun script and your system can be
compromised. That .JPG of Anna Kour... you were trying to open? Well, it
was actually a .VBS or .WSC script file (or even a .EXE) that just infected
your system with a virus and you didn't even know it. Even HTML on Windows
systems is dangerous with all the security holes Windows has.

What to do...the best way to prevent these hidden extensions is to set
Windows to show all extensions. In Win9x, open My Computer --> View -->
Folder Options --> View tab and *uncheck* the "hide file extensions for
known file types" checkbox. Then click OK. In Win2K/XP, the folder options
will be under "Tools" --> Folder options.

Also, virii writers have found a way to embed virii into .jpg pictures. I'm
not too familiar with this process (yet); the .jpg does display a
picture, but I believe if you rename it to a .COM/.EXE/.VBS (whatever), it
will execute the hidden code. These rely on a second "master" program to
scan for and rename and trigger the .jpg. Scary, huh?

So, Paul, it's possible that you had one of these latter type virii, esp
since most AV programs don't scan .JPG files. Or, like others mentioned, it
may have been just a quirk in your system. Another thing to look for is the
hidden extensions. Luckily, it sounds like it was just a quirk (from a
Microsoft OS? Say it ain't so!) =)

73,
- Aaron Hsu, NN6O
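The display rule Aaron describes (only the text after the last dot is the extension, and a registered extension is hidden from the name you see) can be modelled in a few lines, which makes it easy to check a folder listing or an attachment list for names whose displayed form misleads the user. The following Python is an added example written for this archive page; it is not code from the original post. The set of "known" extensions is a constructed approximation of what Explorer hides by default (the real list comes from the registry and varies per machine), and the set of "launches as code" extensions is limited to the types the post itself names.

```python
"""Model Windows Explorer's "hide extensions for known file types" rule and
flag filenames whose displayed name hides an executable extension.

Constructed example; the extension sets below approximate a default
Windows install and are not read from any real registry."""

# Constructed approximation of extensions Explorer treats as "known" and hides.
KNOWN_EXTENSIONS = {
    ".txt", ".wri", ".doc", ".xls", ".jpg", ".wav",
    ".exe", ".com", ".bat", ".vbs", ".wsc",
}

# Types that Windows launches as code on double-click (the ones the post names).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".vbs", ".wsc"}


def split_extension(filename):
    """Windows rule: only the characters after the LAST dot are the extension.

    Returns (stem, ext) with ext lower-cased, or (filename, "") when there
    is no dot (or only a leading dot, which Windows does not treat as an
    extension separator)."""
    idx = filename.rfind(".")
    if idx <= 0:
        return filename, ""
    return filename[:idx], filename[idx:].lower()


def displayed_name(filename, hide_known=True):
    """Name as Explorer shows it: the extension is dropped if it is 'known'
    and the hide setting (the default) is on."""
    stem, ext = split_extension(filename)
    if hide_known and ext in KNOWN_EXTENSIONS:
        return stem
    return filename


def assess(filename, hide_known=True):
    """Describe what the user sees versus what a double-click does.

    'deceptive' is True when the real extension launches code while the
    displayed name ends in a known, non-executable extension such as .jpg,
    i.e. the "My picture.jpg.exe" case."""
    shown = displayed_name(filename, hide_known)
    _, real_ext = split_extension(filename)
    _, apparent_ext = split_extension(shown)
    launches_code = real_ext in EXECUTABLE_EXTENSIONS
    deceptive = (
        launches_code
        and apparent_ext in KNOWN_EXTENSIONS
        and apparent_ext not in EXECUTABLE_EXTENSIONS
    )
    return {
        "filename": filename,
        "displayed": shown,
        "real_ext": real_ext,
        "launches_code": launches_code,
        "deceptive": deceptive,
    }


def find_deceptive(filenames, hide_known=True):
    """Return the subset of names whose displayed form hides an executable
    behind a harmless-looking extension."""
    return [f for f in filenames if assess(f, hide_known)["deceptive"]]


# Constructed sample listing, mirroring the names used in the post.
SAMPLE_LISTING = [
    "FILE1.TXT",
    "COMMAND.COM",
    "My baseball.bat",
    "My baseball.bat.doc",
    "My picture.jpg.exe",
    "anna.jpg.vbs",
    "notes.txt.wsc",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        info = assess(name)
        flag = "  <-- executable hidden behind a document extension" if info["deceptive"] else ""
        print(f"{name:24} shown as {info['displayed']:20} real ext {info['real_ext'] or '(none)':6}{flag}")
    print("with extensions visible:", displayed_name("My picture.jpg.exe", hide_known=False))
```

With the hide setting on, "My picture.jpg.exe" is shown as "My picture.jpg" and is flagged; "My baseball.bat.doc" is shown as "My baseball.bat" but is not flagged, because the real extension (.doc) opens in Word rather than running as a program. Passing `hide_known=False` reproduces the effect of unchecking the Folder Options box: the full name is displayed and the check no longer finds anything to flag.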