Author: Uzi Paz
E-Mail: for e-mail contact: user is uzi4wg and domain is uzipaz.com
First version date: 20 July 2000
Recent version date: 20 May 2002
Legal Notice: While as far as I know all the information here is exact and correct, as I'm giving this information as a free service, I'm taking no responsibility.
Parent Page: Uzi Paz home page on http://www.uzipaz.com .
Most of us know that we cannot get infected by viewing a simple text file (with extension .txt) or by viewing a JPEG or a GIF file (extensions .jpg or .gif). Even if the code of a virus is stored inside a text file, viewing it will not execute that code, and thus it cannot do any harm. For this reason, files with filename extensions such as .txt, .jpg, .gif, and many others are considered safe for viewing.
While this is correct in practice, there are many complications due to the various tricks which viruses use in order to hide their real type and to fool us into believing that they are in a harmless format (such as JPG, GIF, etc.). This document discusses those various tricks, and
2. What's Between Filename Extensions and Security
Windows uses the extension of a file in order to choose how to open it and with which program. If the extension of the file is .txt, Windows is likely to open it with Notepad. If the extension is .doc, Windows is likely to try to open it with MS-Word, etc.

The programs themselves usually open the file and deal with it according to the body of the file.

If Windows executes the file, or a program executes some instructions in the file, these instructions may or may not be harmful. A JPEG file includes only instructions on how to draw a picture, and the JPEG viewer that is launched to open it is supposed to read those instructions according to the rules of that file type and follow them. Since a JPEG file contains no instructions besides how to draw the picture, the viewer will understand only those instructions, and so it will not do any harm to the computer. This is the reason why, for example, .jpg files are considered safe. (This holds as long as the viewer itself has no bugs that a malformed file can trigger; see section 14.)
3. Double Extensions, and Icons
Windows, and also programs such as older versions of Outlook and Outlook Express, by default show filenames without their extensions. If a virus or a worm sends itself as an e-mail attachment with the filename picture.jpg.vbs (just an example), your e-mail program will in many cases (depending on its settings) omit the last extension (.vbs) and show the file as picture.jpg. This might mislead you into thinking that this file is a harmless JPG file, while in fact opening it or double-clicking it will run it as a .vbs file (.vbs is the extension of a Visual Basic Script, which is executable code that may include harmful instructions). Only the last extension matters to Windows; everything before it, including the ".jpg", is just part of the name. Such tricks are very popular and are used by many viruses to cloak their true nature. Most of the e-mail viruses and worms of the years 2000-2001 used similar tricks.
Two comments can be made about this.

a) If your Windows is set to hide extensions, then any extension that does appear in a filename should make you suspect it. But what about a file that shows no extension at all? How do we know its exact type? By identifying its icon? We shall see in the next few lines.

b) In many cases, although the filename's extension might look legitimate, the icon will not fit the apparent nature of the file.
While most viruses can be identified as such by not having the expected icon, it should be pointed out that an executable file of type .exe (and maybe some other types) may set its own icon to one that it carries inside itself. This allows a virus to set a misleading icon. For example, it may set its icon to be the standard icon of a JPG file. An example of a virus that uses a similar trick is the Nimda virus.

Thus, we cannot fully trust icons to reveal the true nature of a file, and we should look for a way to set Windows to show us the file with its full extension. If we succeed in setting it that way, we can see the true type of the file, and thus know how it will be opened.
4. How to Show Filename Extensions for Known File Types
Many people have found the way to do it. Microsoft allows us to set Windows so that it will show the extensions of files. This also affects programs such as the relevant versions of Microsoft Outlook and Outlook Express.

How to do it: open "My Computer", and from the menu bar choose "Folder Options". Unless you set specific folders differently, they will behave the way you set here. In the "Folder Options" window, select the "View" tab and uncheck "Hide file extensions for known file types". Press "Apply" or "OK" and voilà!

Suddenly you see "all" your files with their full filename extensions. This way you can immediately see what file type each of your files has, and this will reveal its true nature.

Just when you are about to say that the problem is solved, you may still notice two things. One is that I enclosed "all" in quotes, and the other is that you are still in the middle of this document. This certainly hints that this is not the end of the story.

Many people thought that by unchecking "hide extensions" all extensions would now be revealed. But, as it turns out, nothing is so simple.
5. Extensions Which Are Set to Override "Show Filename Extension"
In the middle of the year 2000, a virus running in the wild attracted a lot of attention. This virus is called "LifeStages". The full name of the virus file is Life_Stages.txt.shs. You may see the double extension, which suggests that it tries to disguise itself as a plain text file. The .shs extension is the extension of a Shell Scrap object. A file with this extension may execute harmful instructions, and thus might be a virus.

The surprising thing about this virus was that its .shs extension was hidden even if you set Windows not to hide extensions of known file types (the way we described above). It turns out that .shs is not the only extension that is hidden even if you set Windows to show all file types. Other filename extensions such as .shb, .mad, .mam, .pif, .url and a few others were also hidden. For some of them you may see a small arrow on their icon, which is typical of shortcuts, but not on all of them. Some of those extensions are related to specific Office applications, and if you did not install those applications, those file types will not be executed.

The Life_Stages virus was executed and distributed very fast at that time.

The next question is likely to be: "Can we set Windows so that it will also show filename extensions such as .shs?" Happily, the answer is "yes". It is much less easy, though, than it was with the other extensions. It has to do with tweaking the registry, but it is possible, and we shall explain how to do it shortly. First, let us say a few words about the registry and tweaking it, for those who do not know what I'm talking about.
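The display rules of sections 3 to 5 can be modelled in a few lines. The following Python script is an added example and not code from the original article: it simulates how Explorer (and the mail clients that follow its settings) decides which part of a filename to show, and which extension Windows actually dispatches on. The per-extension registry flags are a constructed table based on the article's description, not data read from a real system; which real file types carry NeverShowExt varies between Windows versions.

```python
# Added example: simulate Explorer's filename display rules (sections 3-5).
# Not from the original article. REGISTRY is a constructed snapshot of the
# per-file-type flags the article describes, not data read from a real system.

# Constructed: which registered file types carry the NeverShowExt and
# IsShortcut value names. An unregistered extension is absent from the table.
REGISTRY = {
    ".lnk": {"NeverShowExt": True, "IsShortcut": True},
    ".pif": {"NeverShowExt": True, "IsShortcut": True},
    ".url": {"NeverShowExt": True, "IsShortcut": True},
    ".shs": {"NeverShowExt": True},
    ".shb": {"NeverShowExt": True},
    ".txt": {}, ".doc": {}, ".jpg": {}, ".gif": {},
    ".exe": {}, ".vbs": {}, ".com": {},
}


def true_extension(name):
    """The extension Windows dispatches on: everything after the last dot.

    Only this extension decides which program opens the file; any earlier
    ".jpg" or ".txt" in the name is just part of the base name.
    """
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return ""  # no extension at all
    return "." + ext.lower()


def displayed_name(name, hide_known_ext=True, registry=REGISTRY):
    """Return (label, shortcut_arrow) as Explorer would present the file.

    hide_known_ext mirrors the "Hide file extensions for known file types"
    checkbox. NeverShowExt overrides that checkbox in one direction and
    AlwaysShowExt in the other; unregistered extensions are always shown.
    """
    ext = true_extension(name)
    flags = registry.get(ext)
    if not ext or flags is None:
        return name, False
    arrow = bool(flags.get("IsShortcut"))
    if flags.get("NeverShowExt"):
        return name[: -len(ext)], arrow
    if flags.get("AlwaysShowExt"):
        return name, arrow
    if hide_known_ext:
        return name[: -len(ext)], arrow
    return name, arrow


def is_misleading(name, hide_known_ext=True, registry=REGISTRY):
    """True when the shown label suggests a different type than Windows uses.

    "picture.jpg.vbs" shown as "picture.jpg" is misleading; "picture.jpg"
    shown as "picture" is merely uninformative.
    """
    label, _ = displayed_name(name, hide_known_ext, registry)
    shown = true_extension(label)
    return shown != "" and shown != true_extension(name)


if __name__ == "__main__":
    samples = ["picture.jpg.vbs", "Life_Stages.txt.shs", "readme.lnk", "holiday.jpg"]
    for name in samples:
        for hide in (True, False):
            label, arrow = displayed_name(name, hide)
            print(f"{name!r:24} hide={hide!s:5} shown={label!r:22} "
                  f"arrow={arrow!s:5} misleading={is_misleading(name, hide)}")
```

Note that the Life_Stages case is misleading even with the checkbox unchecked, because NeverShowExt is consulted before the checkbox; the only way to make it show up is to change that registry value, which section 7 describes.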
6. A few Words about the Registry (you may skip this if you have experience with regedit)
Windows 95/98/ME use basically two files to hold all the definitions and settings regarding software, hardware, user preferences, etc. Their names are user.dat and system.dat. (In some multiuser configurations the administrator may define further optional "policy" registry files, but there is no need for us to go into this. Windows NT/2000/XP keep the registry in several hive files instead, but what you see in regedit is organized the same way.)

Those two files are hidden system files. The most common way to change the settings in them is by using a program called "regedit". We will see what changes should be made in them in order to set Windows to show extensions such as .shs.
In order to open regedit, you may press "Start" and then under "Run" type "regedit" (without the quotes) and press "enter". This will open the registry editor called "regedit".
A few words of caution regarding the use of "regedit".
The registry files are huge, with a lot of information in them regarding everything from hardware settings to software settings and user preferences. The information held in those files is logically spread over branches, each of them made of sub-branches, and at the end there are many keys. Each key includes various "value names", each of them holding some "value data" (value data might be empty).

For example, a key under HKEY_LOCAL_MACHINE\Software (branch: HKEY_LOCAL_MACHINE, sub-branch: Software, etc.) includes various values, each of them with a name and data. The value with the value name "ProductKey" will have as its data the product key of your Windows (i.e. the code that you typed when you installed Windows).

Since the most crucial settings are held in the registry, even a small mistake such as changing or deleting the wrong key or value may cause Windows to develop quirks, or even not to load at all.

It is thus recommended that before you make any changes to the registry by using regedit, you read the help file very carefully, and especially read how to back up the registry, how to revert it to the backup in case you made some wrong change, and how to restore from backup when Windows does not load.

It is recommended, especially for people who are not experienced in registry tweaking, to always back up before making any changes. There is no confirmation prompt and no undo for changes that you make. Once you have typed something, it is changed. Sometimes the change will apply immediately, and sometimes only after restarting Windows.
7. Removing the "NeverShowExt" Registry Entry
In our case, in regedit, we should use the "Find" option (Ctrl-F), and then "Find Next" (F3), to search for registry values named "NeverShowExt", and note under which file types this value name exists.

The value name "NeverShowExt" means that for this file type Windows will not show the extension even if you set Windows to show all extensions, and a value name "AlwaysShowExt" means that the extension will be shown even if you set Windows to hide extensions of known file types.

You may thus scan for appearances of "NeverShowExt" and, for those file types whose full filename extension you wish to see, either delete the value name "NeverShowExt" or rename it to "AlwaysShowExt".

After making those changes and leaving regedit, you need to restart Windows for them to apply, and voilà: extensions such as .shs, .pif, etc. are now visible too.

A note on terminology: in this document I use the term "registry key" only for the part which is in the left pane of regedit, while the name of an entry in the right pane is called "value name" and the content of that entry is called "value data". By using this terminology, I adopt the formal terminology that is used in regedit. This terminology, however, confuses some people, because many people use the term "registry key" for the combination of "registry key" + "value name", and use the term "value of that registry key" for the "value data".
7b. People who changed all appearances of "NeverShowExt" found that all shortcuts got a visible extension, usually ".lnk", and that without this extension the shortcuts are not identified as shortcuts. They usually find this rather annoying. I can make two comments regarding this.

The first comment is that people should be aware that extensions such as .lnk and .pif should be treated as executable extensions, and that viruses can hide inside files with these extensions and be executed when you double-click such files.

The second comment deserves a number of its own (comment 7c).

7c. For some of the file types that have a "NeverShowExt" entry you may find another entry (value name) named "IsShortcut". This entry tells Windows to add a shortcut arrow to the icon. This arrow can identify a file as an executable, saving us from the need to remove "NeverShowExt" from the shortcut extensions. There is a way to set Windows so that even if an "IsShortcut" entry exists for some file type, the shortcut arrows will not appear. If, however, you do see shortcut arrows for those file types, then it means that you may use the arrows as well as an indicator of file types that should be treated as potentially executable.
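Editing one value at a time in regedit is error-prone, and the article warns that there is no undo. A safer way to perform the change of sections 7 and 7c is to export the relevant keys to a .reg file, rewrite that file, and import the result. The Python script below is an added example and not the article's own procedure: it parses an exported .reg file, lists the file types that carry NeverShowExt, and produces a new .reg file that deletes NeverShowExt and adds AlwaysShowExt, leaving alone (by default) the types that already carry IsShortcut, as comment 7c suggests. SAMPLE_REG is a constructed export; the key names in it are modelled on the usual file-type keys but are assumptions for the example, not values taken from a real system.

```python
# Added example: turn NeverShowExt into AlwaysShowExt via a .reg export
# (sections 7 and 7c). Not from the original article. SAMPLE_REG is a
# constructed export whose key names are assumptions for the example.
import re

SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\\lnkfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\\txtfile]
@="Text Document"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "ValueName"=data


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.

    The default value is stored under the name "@", as regedit writes it.
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("@="):
            keys[current]["@"] = line[2:]
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def hidden_extension_types(text):
    """Keys whose NeverShowExt hides the extension -> whether they draw the arrow.

    A value whose data is "-" is a deletion marker in .reg syntax, not a
    setting, so it does not count.
    """
    return {key: "IsShortcut" in values
            for key, values in parse_reg(text).items()
            if values.get("NeverShowExt", "-") != "-"}


def rewrite_reg(text, keep_shortcut_types=True):
    """Return .reg text that, when imported, swaps NeverShowExt for AlwaysShowExt.

    Importing a .reg file only adds or overwrites values, so the old value is
    removed with the "Name"=- deletion syntax rather than by dropping the line.
    With keep_shortcut_types=True, keys that also carry IsShortcut are left
    unchanged: the arrow already marks those files as executable (section 7c).
    """
    kept = {key for key, arrow in hidden_extension_types(text).items()
            if keep_shortcut_types and arrow}
    out, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
        elif current not in kept and line.startswith('"NeverShowExt"='):
            out.append('"NeverShowExt"=-')       # delete the old value on import
            out.append('"AlwaysShowExt"=""')     # and add its opposite
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, arrow in hidden_extension_types(SAMPLE_REG).items():
        print(f"{key}: extension hidden, shortcut arrow={arrow}")
    print(rewrite_reg(SAMPLE_REG))
```

Two practical points: regedit exports "Version 5.00" files as UTF-16 with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` and write the result the same way; and, as the article says, the change only takes effect after Windows is restarted. The rewritten file is imported by double-clicking it or with `regedit /s fixed.reg`.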
8. ClassIDs As Extensions
Is this the end of the story? No... not yet.

In March 2001 a new virus was found. The virus is called Postcard. The virus is polymorphic (it may change its form), but one of the many names under which it appears is:

Notice that the extension does not look like a typical extension: it is a code enclosed in curly brackets. What is written in such a structure (as the extension of a filename) is in fact a class ID (CLSID) of some kind of object. By having this class ID, the filename tells Windows what object it is.

It turns out that when a file has a class ID as its extension, Windows will not show that extension regardless of any of the settings we've learned thus far. At the moment of writing this document, I still don't know how to tell Windows to show the extension of this kind of file as well. The file will thus appear as a .tif file (a graphical format which is known to be harmless).

A harmless example of this trick can be found and tested on the site of Georgi Guninski.

The nature of the filename extension will still be visible when right-clicking the selected file, choosing "Properties", and looking at its MS-DOS name. The MS-DOS name will have the first three characters of the correct filename extension.
9. Right Truncations
Another trick which is used by various programs to hide the true type of a file is to give the file a name such as:

Notice that many blanks separate the true file type (vbs) from the faked one (jpg). Some programs, when showing the name of a file, use a window of finite width, and everything beyond that width is truncated. Older versions of ICQ, and newer versions of Microsoft Outlook and Outlook Express, are vulnerable to this trick.

A file such as the one in the example above will be seen as "picture.jpg" and will thus be assumed to be safe. A virus named Shoho uses this method to trick users into executing it.
10. Files that have the Wrong Extension
While Windows uses the extension to decide which program opens each file, those programs themselves in many cases use the header of the file (the first few bytes of the file) rather than the filename extension to identify its nature. This might be used as a trick in the case of programs that open both file types that might contain executable content and file types that cannot.

There is a known issue regarding this. MS-Word files may contain (executable) macros and embedded executable objects. WordPad is a standard program by Microsoft that can open and read Word documents. Luckily, at the moment, unlike MS-Word, it does not handle internal macros, and it does not open the embedded objects automatically. WordPad is also the standard text editor for .txt files that are too big for Notepad to open.

If a file with the extension .txt is too big for Notepad to open, the user will be prompted to open this .txt file with WordPad. Now, let us assume that someone sends you a Word document that contains executable parts, but instead of giving it the extension .doc, he chooses to give it the extension .txt. Windows will assume that it is a text file and will try to open it with Notepad. Notepad will find that this .txt file is too big for it, and will refer you to open it with WordPad. But WordPad, when trying to open it, will identify it according to the internal header of that file, which says that this is a Word document, and will open it as a Word document. At the moment, there is no direct risk here, because WordPad cannot handle internal macros, and because embedded executable objects will not be run automatically by WordPad. See, however, comment 10a below.
But there is a general moral here. If some program supports executable formats, all filename extensions that are set to be opened by it should be treated as executable file types.

For example, suppose that at some time Microsoft adds to its Windows Media Player support for a new media format that allows the execution of commands that might be harmful. The implication would be that all file types that are set to be opened and viewed by Windows Media Player would have to be treated as executables. Even if at the moment an MPEG (.mpg) file can be opened without risk, once Media Player supports such a format, MPEG files would no longer be safe to open, because a file in the new format could simply be given the incorrect extension .mpg. You might think that it is safe, but Windows Media Player would open it not as an MPEG file but rather as the format that can execute harmful commands.

There is also an issue regarding Windows Media Player, which under some environments may allow any media file opened by Windows Media Player to execute some local files (depending on their extensions, but including some executable extensions), as long as the name and path of the file are given in that media file. The issue has to do with the ability of .wmv files to refer to a URL. This URL can also be the location of a local file on the computer. In such a case, the WMV file can instruct Windows Media Player to execute a local executable file, as long as the location and name of the file are given in the .wmv file. As you should already know by now, the WMV file may have any extension as long as it is opened by Windows Media Player. There is a way to block exploitation of this security hole, and it involves tweaking the registry. The instruction is relevant to Internet Explorer versions 4 and above. It has to do with disabling "Download unsigned ActiveX controls" in the "My Computer" security zone.

We shall not give a full explanation here, but only comment that this activity is done with the help of components from Internet Explorer. The needed tweak is to use a registry editor and, in the corresponding zone key under HKCU, to change the value of the "1004" entry to contain a DWORD value of 3. ("HKCU" stands for HKEY_CURRENT_USER.)
10a. Inside a Word file or an RTF file there might be embedded executable files that will be executed if you double-click them. In the case of a Shell Scrap object, it is possible to change its icon and its label, and worse, the label can be set to be empty and the icon can be set to be totally transparent. This means that if you double-click anywhere inside a file opened with WordPad or with MS-Word, you should first check that this double-click will not execute an unwanted executable, even if it doesn't look like it would, and even if the file has a .txt extension and is opened in WordPad only because it is too big for Notepad. Before double-clicking on an area inside those programs, you can right-click on that area and choose to edit the object (it is sometimes called "edit package"). By doing this, you will see the details of the packaged object. There is also a claim that many antivirus programs fail to identify viruses when they are packed this way inside an Office document.
11. MIME Types
In e-mail and other applications, a file or object can identify its nature either by its filename extension or by something which is called a MIME type. MIME was originally planned as an e-mail standard, to allow sending non-text objects via e-mail. For each object, a description of its type is also given in the MIME header (the Content-Type).

What happens if an object has an extension which is related to one file type, and a MIME content type which defines it as a different file type? Will it be interpreted according to its extension, or according to its MIME header? In Windows, the extension has priority over the MIME content type (although some exceptions were found, treated as security holes, and patches to fix them have been released). This is safer, because what we see (the extension) is then also what decides how the file is opened, so a MIME type that lies about the content cannot mislead us. We still have to be aware of cases where there is no extension or the extension is not known to Windows. A file with the extension .jepg might fool us into believing it to be a JPEG file, but its extension will not be known to Windows; if it is sent via e-mail with the MIME type of an executable, it might be executed when we open it believing it to be a harmless JPEG.

A situation where a file is identified at one stage by its MIME type and at another stage by its filename extension may lead to serious security holes. For example, some versions of Internet Explorer decided whether a file linked to a web page should be opened automatically or not by its MIME type. Hence if the MIME type was that of an audio file, Internet Explorer might open the file automatically regardless of its filename extension. This would not be a problem if the file were also opened according to its MIME type. Yet, once the file is opened, it is opened according to its filename extension. So by giving a file the MIME type of an audio file (a harmless format) but the filename extension of an executable format, it is possible for an HTML file (e.g. a web page or an HTML e-mail) to cause Internet Explorer to automatically execute the file when the page is opened. This trick was used by the Nimda worm. Microsoft has already released a patch to fix this security hole (see the link to the Nimda worm for further information).
12. Unregistered Extensions
It is very important to understand that rather than maintaining some finite list of extensions that are unsafe (let us call it a black list of extensions), i.e. files with those extensions might contain harmful code that will be executed if you open the file, it is better to treat as safe only those filename extensions which are registered in Windows to be opened by programs that will not execute harmful code if there is such inside (let us call it a white list of extensions).

The reason for making this point lies in the case of unregistered extensions. A file without a registered extension (i.e. Windows does not associate its extension with a program that opens it, or with a way to open it) might still be opened according to the header of the file (the first few bytes in the body of the file).

You may try to take some Office document and change its extension to some extension which is not recognized by your system. You might be surprised that by double-clicking it, it will still be opened by the appropriate Office application.
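Sections 10 to 12 describe three different answers to "what is this file": the extension Windows dispatches on, the MIME type the sender declared, and what the program that finally opens it reads from the header. A gateway or mail filter should compare all three. The Python script below is an added example, not code from the original article or from any mail product: it builds a constructed e-mail with four attachments, then triages each one by extension, declared Content-Type and the first bytes of the content. The EXT_TYPE and MIME_TYPE tables are constructed for the example; the byte prefixes are the standard signatures of the formats named.

```python
# Added example for sections 10-12: triage attachments by comparing the
# filename extension, the declared MIME type and the content's header bytes.
# Not from the original article. The message and the EXT_TYPE/MIME_TYPE
# tables are constructed for the example.
import email
import email.policy
from email.message import EmailMessage

# Standard file signatures (prefix -> sniffed type).
MAGIC = [
    (b"MZ", "exe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # Word/Excel binary documents
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Constructed: what each registered extension / declared MIME type should contain.
EXT_TYPE = {".exe": "exe", ".com": "exe", ".scr": "exe", ".doc": "ole2",
            ".xls": "ole2", ".rtf": "rtf", ".zip": "zip", ".jpg": "jpeg",
            ".jpeg": "jpeg", ".gif": "gif", ".png": "png", ".txt": "text",
            ".wav": "wav", ".mpg": "mpeg"}
MIME_TYPE = {"application/msword": "ole2", "application/rtf": "rtf",
             "application/zip": "zip", "image/jpeg": "jpeg", "image/gif": "gif",
             "image/png": "png", "text/plain": "text", "audio/x-wav": "wav",
             "video/mpeg": "mpeg"}
# Formats whose handler may run code: PE executables, and documents with
# macros or embedded objects (sections 10 and 10a).
CAN_RUN_CODE = {"exe", "ole2", "rtf"}


def true_extension(name):
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""


def sniff(data):
    """Identify the content by its header bytes, as WordPad or Office would."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage_part(filename, content_type, data):
    ext, sniffed = true_extension(filename), sniff(data)
    declared = MIME_TYPE.get(content_type, "unknown")
    findings = []
    if ext not in EXT_TYPE:
        findings.append("unregistered-extension")       # section 11/12: no handler by name
    elif declared != "unknown" and declared != EXT_TYPE[ext]:
        findings.append("mime-extension-mismatch")      # section 11: stage-dependent identity
    if ext in EXT_TYPE and sniffed != "unknown" and sniffed != EXT_TYPE[ext]:
        findings.append("content-extension-mismatch")   # section 10/12: the handler sniffs
    if sniffed in CAN_RUN_CODE:
        findings.append("content-can-run-code")
    return {"name": filename, "ext": ext, "declared": content_type,
            "sniffed": sniffed, "findings": findings}


def triage_message(raw):
    """Triage every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [triage_part(part.get_filename() or "", part.get_content_type(),
                        part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed message: the payloads are header bytes padded with zeros."""
    msg = EmailMessage()
    msg["Subject"] = "pictures"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\0" * 16, maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    # Word document renamed to .txt (section 10): WordPad will sniff the header.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16,
                       maintype="text", subtype="plain", filename="notes.txt")
    # Declared as audio (section 11, the Nimda pattern) but a PE executable.
    msg.add_attachment(b"MZ" + b"\0" * 16, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    # Misspelled extension (section 12): Windows has no handler for .jepg.
    msg.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                       subtype="octet-stream", filename="photo.jepg")
    return msg.as_bytes()


if __name__ == "__main__":
    for part in triage_message(build_sample_message()):
        print(part)
```

The point of the three-way comparison is the one the article makes: any single identity can be forged, and what matters is that the three agree; an attachment whose content can run code is suspicious whatever its name says.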
13. Confusion between URLs and Filenames
Sometimes, even if you know everything, it might still be possible to trick you. What does the following name tell you: www.myparty.yahoo.com?

If you got the MyParty virus via e-mail from a friend, you might have seen such a "link" and double-clicked it in order to enter that site. Yet, this was not a link but rather an attached file with the name "www.myparty.yahoo.com". This name has the extension ".com", which is an executable extension.
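The naming tricks of sections 3, 8, 9 and 13 are all visible in the filename string itself, before the file is opened, so a mail filter can flag them. The Python script below is an added example, not code from the original article or from any antivirus product: it lints an attachment name for a class ID suffix, blank padding that a narrow name column would truncate, a harmless-looking inner extension in front of the real one, and a .com name that reads like a web address. The extension lists are illustrative assumptions, the column width is a parameter, and the class ID in the sample is an all-zero placeholder rather than a real class.

```python
# Added example: lint an attachment name for the display tricks of sections
# 3, 8, 9 and 13. Not from the original article. The extension sets are
# illustrative; the class ID in main() is an all-zero placeholder.
import re

# Extensions Windows runs or scripts rather than merely displays (illustrative).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".shs", ".shb", ".lnk", ".url", ".reg",
}
# Extensions a user would take to be harmless when they see them in a name.
LOOKS_HARMLESS = {".txt", ".jpg", ".jpeg", ".gif", ".tif", ".bmp", ".mpg", ".mp3", ".wav"}

# A class ID used as the final "extension": ".{8-4-4-4-12 hex digits}" at the end.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def true_extension(name):
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""


def visible_label(name, width):
    """What a client with a name column of `width` characters shows (section 9)."""
    return name[:width].rstrip()


def lint_attachment_name(name, width=30):
    """Findings as (code, detail) pairs for a filename exactly as received."""
    findings = []

    # Section 8: a class ID suffix is never displayed, whatever the settings,
    # and the object's handler rather than a viewer opens the file.
    m = CLSID_SUFFIX.search(name)
    shown_name = name[: m.start()] if m else name
    if m:
        findings.append(("clsid-suffix", f"displayed as {shown_name!r}; "
                         f"real type is COM class {m.group()[1:]}"))

    ext = true_extension(shown_name)

    # Section 9: blanks between a fake and the real extension, so that a
    # narrow name column shows only the fake one.
    if re.search(r"\s{2,}", shown_name):
        shown = visible_label(shown_name, width)
        if true_extension(shown) != ext:
            findings.append(("padded-name",
                             f"a {width}-character column shows {shown!r}"))

    # Section 3: the part before the last dot itself ends in a harmless-looking extension.
    inner = true_extension(shown_name[: -len(ext)].rstrip()) if ext else ""
    if inner in LOOKS_HARMLESS and inner != ext:
        findings.append(("double-extension",
                         f"looks like {inner} but Windows opens it as {ext}"))

    # Section 13: a .com file whose name reads like a web address.
    if ext == ".com" and shown_name.lower().startswith("www."):
        findings.append(("hostname-lookalike",
                         "reads like a URL but .com is an executable extension"))

    if m or ext in EXECUTABLE_EXTS:
        findings.append(("executable", "treat this file as a program, not a document"))
    return findings


if __name__ == "__main__":
    samples = [
        "holiday.jpg",
        "picture.jpg.vbs",
        "picture.jpg" + " " * 30 + ".vbs",
        "www.myparty.yahoo.com",
        "postcard.tif.{00000000-0000-0000-0000-000000000000}",  # placeholder class ID
    ]
    for name in samples:
        print(repr(name))
        for code, detail in lint_attachment_name(name):
            print(f"    {code}: {detail}")
```

The checks are deliberately string-only: they say nothing about the content, so they complement rather than replace a scanner that looks at the bytes.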
14. Buffer Overflow
Even if some file type does not contain executable commands, so that the program will not interpret parts of it as executable instructions and act upon them, programs might still have bugs (programming mistakes) that will cause problems in some situations. The most common situation is when the file has some structure (usually illegal according to the rules of its file type) that is not expected by the program that opens it, and that will cause the program to crash or to behave in a manner in which it shouldn't. For example, if a picture file provides coordinates for some drawable object which are beyond the physical coordinates of the picture, it is in theory possible that the program will try to put the object outside the area of the picture. The right thing is that the program has to first check that the coordinates are within the area of the picture, but if by mistake the program does not check this, it might put the data of this object in a location in memory where the picture does not exist. If this is the case, then it might be that the place where the program put the object is an area which is used by the program code itself. If this data is not really a drawable object (although it claimed to be so) but rather executable code, the fact that it was put (because of the illegal coordinates) outside the region which belongs to data, and in a region which belongs to the program, might cause this code to be executed.

It is more likely that if an object has some illegal values (such as incorrect coordinates) it will either cause the program to identify that something is wrong, or will mess up the program and cause it to crash. The developer of the data file must know a lot about the viewing program in order to work out how to make it execute the malicious contents. Besides, different versions of the viewing program may treat illegal data differently, and while such a file may cause all of them to crash, it may not cause them all to execute the commands that the person who designed that file wanted them to execute.

As a result, when it comes to files such as .mpg, .jpg, .txt, .gif, etc., the risk of executing arbitrary commands by letting the file have some contents which will not be expected by the program that opens them is not high. There is a bigger chance of causing that program to crash. Yet it would not surprise me if sometime in the future some viruses will use such security holes.
15. Security Zones
We are used to opening HTML files when viewing web pages. We think that it is not risky, but Microsoft walked on the edge when they decided that, depending on the source of the information, it will set different authorizations for it ###
16. Zip Files As a Way to Bypass Security Measures.
One of the few filename extensions that will be opened without problems also in newer versions of Outlook Express is the ZIP filename extension. This extension generally serves for holding compressed files or archives of files. Leaving aside a few security holes that were found and fixed in some programs for opening ZIP files, a ZIP file by itself is not an executable file. Yet, it might contain in its archive files which are executable. Due to the above mentioned protection measures that Microsoft employed, virus authors moved to writing viruses that spread themselves as ZIP-compressed executable files. Now they only need to convince the user to open the ZIP file and execute the executable within. Lots of "social engineering" tricks are used to convince the user to open those executables within the ZIP files, and people who are novice enough to try to open executable attachments directly were also found to be likely to open them from within ZIP files.

But while virus authors started to write viruses that spread in ZIP format, they realized that it is possible to trick organizational antivirus programs using the features of the ZIP format. We are speaking about the fact that ZIP files can be encrypted. Viruses such as some variants of the Bagle virus put the infected executable inside a password-protected ZIP file, while giving the password in the body of the message. The disadvantage is that it might be harder to convince users to open a passworded ZIP file than a non-passworded one. The advantage for virus authors is that organizational antivirus programs might have problems in identifying how to open the passworded ZIP file in order to check it. For the most common viruses, antivirus programs have found ways to identify the viruses, but it definitely makes it harder for them. Some organizations use antivirus programs only on the Internet gateways, believing that if everything was found to be clean at the gates, then everything is safe. This false assumption made those companies more vulnerable to viruses that use such tricks.
When you save a file from the Internet using practically any Internet application that I have tested, it is saved in a manner that will make the file visible to the typical user.

But not all files are visible to the typical user (the one who uses the default Windows settings). It is possible for a program to save a file and set it as a hidden file; in such a case, under Windows' default settings, the file will not be shown. The good news is that this also means that you cannot open it by simply double-clicking its icon.

It can still be opened (executed) by other means, such as by other programs, or by running it from the Start/Run menu. Saving a file with the aid of another program is one way to get such a hidden file. Many archive formats such as ZIP record, for each of the archived files, whether it should be set as a hidden or as a system file. Under some configurations of decompression programs, these attributes are respected. This means that when you open or extract archive files (such as ZIP files), it might be that not all the files that were extracted from the archive are visible under the default Windows settings. They should still be visible when you just open the archive, before extracting its content.
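Both of the ZIP points above (section 16, password-protected archives that a gateway scanner cannot look into, and the hidden/system attributes stored per member) can be checked from the archive's central directory without extracting anything. The Python script below is an added example, not code from the original article or from any antivirus product: it builds a constructed archive in memory containing a readme and an executable marked hidden and system, inspects it, and reports what a scanner can and cannot learn. Since the standard zipfile module cannot write encrypted archives, the "encrypted" flag bit is patched into the headers by hand to simulate a passworded ZIP; the member names and contents are constructed, and the fake executable is just an "MZ" header.

```python
# Added example for sections 16 and 17: inspect a ZIP attachment without
# extracting it. Not from the original article. The archive is constructed
# in memory; the encryption flag is patched in to simulate a passworded ZIP.
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs",
                   ".js", ".shs", ".lnk", ".hta"}
DOS_HIDDEN, DOS_SYSTEM = 0x02, 0x04   # MS-DOS attribute bits in external_attr
ENCRYPTED = 0x0001                    # general purpose flag bit 0


def true_extension(name):
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""


def set_encrypted_flag(data):
    """Set flag bit 0 in every local file header and central directory entry.

    Only for building the sample: it makes zipfile treat the members as
    encrypted, which is how a real passworded archive looks to a scanner
    that does not have the password. Constructed data, so the signatures
    cannot occur inside member contents.
    """
    buf = bytearray(data)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= ENCRYPTED
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_sample_archive(password_protected=False):
    """Constructed archive: a readme plus an executable marked hidden and system."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("readme.txt", "The password is 12345\n")
        info = zipfile.ZipInfo("photo.jpg.exe")
        info.external_attr = DOS_HIDDEN | DOS_SYSTEM    # an extractor may honour these
        zf.writestr(info, b"MZ" + b"\0" * 30)           # constructed, not a real PE
    data = out.getvalue()
    return set_encrypted_flag(data) if password_protected else data


def inspect_archive(data):
    """What a scanner learns from the central directory, plus whether it can read each member."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            try:
                zf.read(zi)             # what a content scanner would attempt
                scannable = True
            except RuntimeError:        # "File ... is encrypted, password required"
                scannable = False
            report.append({
                "name": zi.filename,
                "executable": true_extension(zi.filename) in EXECUTABLE_EXTS,
                "hidden": bool(zi.external_attr & DOS_HIDDEN),
                "system": bool(zi.external_attr & DOS_SYSTEM),
                "encrypted": bool(zi.flag_bits & ENCRYPTED),
                "scannable": scannable,
            })
    return report


def verdict(data):
    """Reasons to stop this attachment at a gateway; an empty list means allow."""
    members = inspect_archive(data)
    reasons = []
    if any(m["executable"] for m in members):
        reasons.append("executable member")
    if any(m["hidden"] or m["system"] for m in members):
        reasons.append("hidden or system member")
    if any(not m["scannable"] for m in members):
        reasons.append("unscannable encrypted member")
    return reasons


if __name__ == "__main__":
    for locked in (False, True):
        data = build_sample_archive(password_protected=locked)
        print("password protected:", locked)
        for member in inspect_archive(data):
            print("   ", member)
        print("    verdict:", verdict(data) or "allow")
```

Member names are not encrypted in a classic passworded ZIP, so the extension and attribute checks still work when the content cannot be read; a gateway that cannot scan the bytes should treat "cannot inspect" as a reason to hold the file rather than as "clean", which is the false assumption the article warns about.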
The way to
18. NTFS Alternate Data Streams
19. Special Filenames
While using the extension to identify whether the file we wish to open can safely be opened is a common method, most people are not aware of all the complications that this method has. Tricks using double extensions are better known, and in fact help some antivirus programs to identify suspicious files, but more sophisticated tricks exist, and others are still a potential risk. In this article we tried to summarize the different methods by which viruses try to hide their executable nature, and the various ways to reveal it. Those tricks, and the fact that in the ever-changing computer world the white list and black list of filename extensions keep changing with the emergence of newer and more sophisticated applications, made some security experts disregard filename extensions as a method for identifying potentially risky files. But security is not a black-and-white issue, and in many cases it is not practical to ignore the filename extension in our decision on how to treat a file that we receive.

Anyway, as another lesson from this article, we should realize that we don't know all the tricks. I, for one, expect this document, just as my own knowledge, to be updated from time to time.