
email virus exploits hidden file extensions




This is a long one, but worth your time....

- Mark Jurik

======================================================

----------- eMail Virus requires modification to Registry to avoid being a victim --------------


Dow Jones Newswire:  Major Companies Crippled By Computer Virus

(...)
      While users are well-warned about VisualBasic attachments, which
appear as ".vbs" extensions, the so-called "Stages" virus looks like a text
file, complete with ".txt" extension. But the real extension is ".shs,"
which stands for Windows Shell Scrap Object. A Scrap file can contain
anything, including executable and malicious code.

      The ".shs" extension does not appear even if a user sets Windows to
show all file extensions. Microsoft designed this extension to be
invisible, and it cannot be changed without entering the operating system's most
fragile configuration systems.

(...)
      "Stages" uses Microsoft Outlook or Outlook Express mail programs to
spread, but it can also infect through chat rooms or America Online's ICQ
instant messaging software.

      The e-mail message contains "funny," "life stages" or "jokes" in the
subject line. The text of the message reads "the male and female stages of
life," with an attachment, "life-stages.txt" or "life-stages.txt.shs." The
attachment contains a joke about advancing age.

      Anti-virus companies have issued software updates to catch the new
virus and are encouraging businesses to filter incoming mail and delete
attachments with the ".shs" suffix.

      (END) Dow Jones Newswires 06-20-00

==================================================================

LATEST WAVE OF WORMS USING HIDDEN FILE EXTENSIONS
RELEASE DATE: Friday May 26, 2000
SYSTEMS AFFECTED: Windows 95, 98, NT, 2000

DESCRIPTION
Microsoft Windows allows you to hide or show file extensions at will,
allowing the user to see "readme.txt", or just "readme". Most people, in
the hope that they don't execute something they shouldn't, usually turn
extension-hiding OFF. However, even with extension-hiding turned off,
file-types can register themselves to FORCE the hiding of their extension.

This is certainly not a new vulnerability, but there doesn't seem to have
been (m)any reports on what should be considered a very dangerous problem.

THE PROBLEM
By default, several Windows file extensions are hidden. These include .PIF,
.SHS, .LNK, .DESKLINK, .URL, and .MAPIMAIL. If a file uses one of these
extensions, the user will be unable to tell exactly what the extension is.
(Although the "Type" tab in Explorer will reflect the change of filetype).

THE EXPLOIT
A worm can easily call itself readme.txt.pif and send itself around the
web. When a Windows user receives the file and goes to open it in
Explorer, or anywhere else that uses the same file-list control, they will
only see "readme.txt". The TYPE of the file will be "Shortcut to MS-DOS
Program", as opposed to "Text Document" as a .txt file should be. This,
however, is the only visible difference. When the user tries to run
readme.txt, instead of Notepad (the associated .txt program) loading the
readme.txt file as the user would expect, readme.txt.pif is
executed. PIF files act similarly to BAT files, and can get away with
virtually anything in DOS, including deleting files, formatting, creating
files and so on. A worm is already propagating on the Internet now under
the filename of Movie.avi.pif. People receiving this file will see "Movie.avi"
if they look at the file in Explorer, and as .avi is regarded as a "safe"
extension, most people will run this file without a second thought for their
own safety.

Going one step further, a PIF worm under the disguise of a .TXT file could
launch Notepad when it is executed, thus making it seem like the .txt file
trying to load. The infection occurs in the background, the user has their
.txt file on screen in Notepad, and they are none the wiser.

THE SOLUTION
Forced-hidden file extensions are made possible by a registry value
"NeverShowExt" (no data). To "unregister" the .PIF filetype from being
hidden, this value must simply be deleted from HKEY_CLASSES_ROOT\piffile.

A registry search of the Data fields for "NeverShowExt" will reveal all
filetypes that have been registered invisible. These should all be deleted.
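The two mechanisms described above, the double-extension disguise in THE EXPLOIT and the NeverShowExt registry search in THE SOLUTION, as one added example that is not part of the newswire or the advisory. The first half models what Explorer would display for an attachment name so a mail filter can flag names like readme.txt.pif; the second half performs the registry search the advisory recommends and lists every HKEY_CLASSES_ROOT ProgID carrying a NeverShowExt value (it only reports; deleting the value is left to the administrator). The FORCED_HIDDEN set is taken from the advisory's list and is an assumption about any given machine; the registry scan is the authoritative source. The sample filenames are the ones quoted in the two posts.

```python
"""Added example (not from the newswire or the advisory): auditing
forced-hidden file extensions, both by filename and in the registry."""
import os
import sys

# Extensions the advisory says Windows hides by default (assumed set; on a
# real host, trust find_never_show_ext() below instead).
FORCED_HIDDEN = {".pif", ".shs", ".lnk", ".desklink", ".url", ".mapimail"}


def true_extension(filename):
    """The extension Windows actually dispatches on: the LAST one."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename, hidden=FORCED_HIDDEN):
    """What Explorer shows even with extension-hiding turned OFF.

    Only the final extension can be force-hidden, and only when its ProgID
    carries NeverShowExt, so 'readme.txt.pif' is shown as 'readme.txt'
    while 'readme.txt' is shown unchanged.
    """
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in hidden else filename


def is_disguised(filename, hidden=FORCED_HIDDEN):
    """True when the displayed name still ends in an extension of its own,
    i.e. a decoy such as .txt or .avi masks the real, hidden one.
    A plain 'shortcut.lnk' is hidden but not disguised: it shows as 'shortcut'."""
    shown = displayed_name(filename, hidden)
    if shown == filename:
        return False
    return os.path.splitext(shown)[1] != ""


def classify_attachments(names, hidden=FORCED_HIDDEN):
    """Mail-filter view: map each attachment name to a verdict.

    'disguised'  -> decoy extension in front of a hidden one; quarantine.
    'hidden-ext' -> hidden extension with no decoy; still worth a look.
    'ok'         -> the extension the user sees is the real one.
    """
    verdicts = {}
    for name in names:
        if is_disguised(name, hidden):
            verdicts[name] = "disguised"
        elif true_extension(name) in hidden:
            verdicts[name] = "hidden-ext"
        else:
            verdicts[name] = "ok"
    return verdicts


def find_never_show_ext():
    """Windows only: ProgIDs under HKEY_CLASSES_ROOT that carry NeverShowExt.

    This is the advisory's 'registry search of the Data fields'. Returns an
    empty list on non-Windows hosts so the filename logic stays usable there.
    """
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only

    found = []
    root = winreg.HKEY_CLASSES_ROOT
    subkey_count = winreg.QueryInfoKey(root)[0]
    for i in range(subkey_count):
        name = winreg.EnumKey(root, i)
        try:
            with winreg.OpenKey(root, name) as key:
                winreg.QueryValueEx(key, "NeverShowExt")
        except OSError:      # value absent (FileNotFoundError) or no access
            continue
        found.append(name)   # e.g. 'piffile', as named in the advisory
    return found


if __name__ == "__main__":
    # Constructed sample: the attachment names quoted in the two posts.
    sample = ["readme.txt.pif", "Movie.avi.pif", "life-stages.txt.shs",
              "shortcut.lnk", "readme.txt"]
    for name, verdict in classify_attachments(sample).items():
        print(f"{name:22} shown as {displayed_name(name):14} -> {verdict}")
    for progid in find_never_show_ext():
        print(f"NeverShowExt set on HKEY_CLASSES_ROOT\\{progid}")
```

Run it on a Windows host as an account that can read HKEY_CLASSES_ROOT to get the live list of force-hidden ProgIDs; on any other host only the filename classification runs, which is the part a mail gateway would reuse.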