Velocity Reviews


JS 11-02-2005 09:48 AM

Running program files on XP with non-executable extension?
 
I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

--

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?

James Egan 11-02-2005 11:33 AM

Re: Running program files on XP with non-executable extension?
 
On Wed, 02 Nov 2005 09:48:50 GMT, JS <j_simmonmds@nomailthankyou.com>
wrote:

>I figured this would stop my XP Pro from running it if I double
>clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
>me about it again. Even with the dummy extension letters! Surely
>such a program file is now safe enough?
>


Not always.

As an example you might try renaming a MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a word document even though you renamed it.


Jim.


Dustin Cook 11-02-2005 02:59 PM

Re: Running program files on XP with non-executable extension?
 

James Egan wrote:

> Not always.
>
> As an example you might try renaming a MS Word .doc file to (say) .hje
> or some other extension which doesn't have a specific association with
> another program and then double clicking it. You will see that it
> still opens in Word because the file structure is still recognised as
> a word document even though you renamed it.


Mine asks what to open the program with when I do that. :)

Xp Pro sp1a on both machines. I'll test an sp2 machine at work.

Regards,
Dustin Cook
http://bughunter.atspace.org


Arthur T. 11-02-2005 03:12 PM

Re: Running program files on XP with non-executable extension?
 
In Message-ID:<970263D544D6617E53A@66.250.146.159>
JS <j_simmonmds@nomailthankyou.com> wrote:

>I wanted to get more info about this file, so I disabled it by
>adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
>I figured this would stop my XP Pro from running it if I double
>clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
>me about it again. Even with the dummy extension letters! Surely
>such a program file is now safe enough?
>
>--
>
>I found that if I add the random letters *before* the EXE then
>AntiVir PE's guard does not detect it as a virus.
>
>So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


The extension on the 8.3 filename will have the 1st 3 chars
of the final extension. Thus bluesky.exehj will have an 8.3 name
of something like bluesk~1.exe which is an executable.

To see this, use DIR *.EXE* /X from a command prompt.


--
Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position

James Egan 11-02-2005 04:34 PM

Re: Running program files on XP with non-executable extension?
 
On 2 Nov 2005 06:59:31 -0800, "Dustin Cook"
<bughunter.dustin@gmail.com> wrote:

>> As an example you might try renaming a MS Word .doc file to (say) .hje
>> or some other extension which doesn't have a specific association with
>> another program and then double clicking it. You will see that it
>> still opens in Word because the file structure is still recognised as
>> a word document even though you renamed it.

>
>Mine asks what to open the program with when I do that. :)
>
>Xp Pro sp1a on both machines. I'll test an sp2 machine at work.


Hmm. I wonder why that is?

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Incidentally, Bart Bailey posted a registry hack (see below) to get
all unassociated extensions to open with notepad.


Jim.


Newsgroups: alt.comp.anti-virus
Subject: Re: Wirtualna Polska's antivirus program??
From: Bart Bailey <bartman@nethere.net>
Date: Thu, 31 Jul 2003 18:27:17 -0700

In Message-ID:<qr9jivsker61p8nu3k66bkhofjjfn9n75e@4ax.com> posted on
Fri, 01 Aug 2003 01:10:22 +0100, James Egan wrote:

>(IIRC Bart Bailey has a reg hack solution for all unregistered
>suffixes)


OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe %1"

---end---
be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Bart



bughunter.dustin@gmail.com 11-02-2005 04:42 PM

Re: Running program files on XP with non-executable extension?
 

James Egan wrote:

> Hmm. I wonder why that is?


I might have applied a registry tweak some time ago when I hardened the
box. Autorun is disabled as well.

Essentially, if I click on a file to open that windows doesn't know the
extension of, it asks what to do with it. I'm pretty sure it's a
registry key I changed.

> Which version of MS Word did you use? With Word 2000 it opens
> correctly (with a wrong extension) on both win9x and winxp.


Word 2000. The later versions are too much like an html editor to me.

Regards,
Dustin Cook
http://bughunter.atspace.org


Norman L. DeForest 11-02-2005 05:04 PM

Re: Running program files on XP with non-executable extension?
 

On Wed, 2 Nov 2005, JS wrote:

> I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> virus guard says may be a virus.
>
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
>
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?


The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
Clues. The market's too small to justify the effort."
-- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005
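
The 8.3 behaviour Arthur T. and Norman describe, as an added example that is not part of any poster's message: a simplified model of short-name generation that flags long names whose extension looks inert while the 8.3 alias still ends in an executable extension. The `~1` tail, the extension list and the sample names beyond the BLUESKY ones are assumptions; collision handling is left out.

```python
import re

# Constructed, partial list of extensions Windows runs directly (assumption).
EXECUTABLE_EXTS = {"EXE", "COM", "BAT", "CMD", "PIF", "SCR"}
# Characters legal in long names that become "_" in an 8.3 name.
_INVALID_83 = re.compile(r"[+,;=\[\]]")


def _ext(name: str) -> str:
    """Text after the last period, upper-cased ('' when there is no period)."""
    _, dot, ext = name.rpartition(".")
    return ext.upper() if dot else ""


def short_name(long_name: str, tail: int = 1) -> str:
    """Model the 8.3 alias of a long name; `tail` is the assumed ~N suffix."""
    cleaned = _INVALID_83.sub("_", long_name.replace(" ", "")).upper()
    stem, dot, ext = cleaned.rpartition(".")
    if not dot:                       # no period: the whole name is the base
        stem, ext = cleaned, ""
    base = stem.replace(".", "")      # only the last period survives
    already_83 = (cleaned == long_name.upper() and base == stem
                  and 1 <= len(base) <= 8 and len(ext) <= 3)
    if not already_83:
        base = f"{base[:6]}~{tail}"   # first six characters plus numeric tail
    ext = ext[:3]                     # first three characters of the extension
    return f"{base}.{ext}" if ext else base


def audit(names):
    """Return (long, short) pairs where only the 8.3 alias looks executable."""
    flagged = []
    for name in names:
        alias = short_name(name)
        if _ext(name) not in EXECUTABLE_EXTS and _ext(alias) in EXECUTABLE_EXTS:
            flagged.append((name, alias))
    return flagged


# Constructed sample: the thread's names plus two extra cases.
SAMPLE = ["BLUESKY.EXE", "BLUESKY.EXEHJ", "BLUESKY.HJEXE",
          "BLUESKY.EXE.ABC", "notes.commentary"]

if __name__ == "__main__":
    for long_name, alias in audit(SAMPLE):
        print(f"{long_name!r} has executable 8.3 alias {alias!r}")
```

On a real volume the actual alias is whatever `DIR /X` reports, so treat this model as a way to reason about renamed samples rather than as a replacement for checking the file system.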


Dustin Cook 11-02-2005 06:19 PM

Re: Running program files on XP with non-executable extension?
 

Norman L. DeForest wrote:
> On Wed, 2 Nov 2005, JS wrote:
>
> > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> > virus guard says may be a virus.
> >
> > I wanted to get more info about this file, so I disabled it by
> > adding a couple of random letters to the extension.
> >
> > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> >
> > I figured this would stop my XP Pro from running it if I double
> > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > me about it again. Even with the dummy extension letters! Surely
> > such a program file is now safe enough?
> >
> > --
> >
> > I found that if I add the random letters *before* the EXE then
> > AntiVir PE's guard does not detect it as a virus.
> >
> > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> >
> > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > because of something in XP Pro which might truncate the letters in
> > a file's extension after the first three letters?

>
> The file can be found by both its long filename "BLUESKY.EXEHJ" and
> by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> "BLUESK~1.EXE"). It's still an executable file as long as its short
> name has an executable extension.
>
> The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> or "BLUESK~1.HJE".


Bingo. :) I changed the extension.. like I thought the poster did. But
I did it thru console, not explorer... So the extension really is
something windows doesn't know what to do with. heh.


gp 11-03-2005 12:53 AM

Re: Running program files on XP with non-executable extension?
 

"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:1130955591.143391.24290@o13g2000cwo.googlegroups.com...
>
> Norman L. DeForest wrote:
> > On Wed, 2 Nov 2005, JS wrote:
> >
> > > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> > > virus guard says may be a virus.
> > >
> > > I wanted to get more info about this file, so I disabled it by
> > > adding a couple of random letters to the extension.
> > >
> > > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> > >
> > > I figured this would stop my XP Pro from running it if I double
> > > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > > me about it again. Even with the dummy extension letters! Surely
> > > such a program file is now safe enough?
> > >
> > > --
> > >
> > > I found that if I add the random letters *before* the EXE then
> > > AntiVir PE's guard does not detect it as a virus.
> > >
> > > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> > >
> > > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > > because of something in XP Pro which might truncate the letters in
> > > a file's extension after the first three letters?
> >
> > The file can be found by both its long filename "BLUESKY.EXEHJ" and
> > by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> > "BLUESK~1.EXE"). It's still an executable file as long as its short
> > name has an executable extension.
> >
> > The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> > or "BLUESK~1.HJE".
>
> Bingo. :) I changed the extension.. like I thought the poster did. But
> I did it thru console, not explorer... So the extension really is
> something windows doesn't know what to do with. heh.
>

Seem to recall there is a "feature" in NT such that by default it only
considers the first 3 characters of a file extension as significant,
although there is a registry change that can turn this off and take
all characters into consideration.

Sorry, can't remember what it is.



Poster 60 11-03-2005 02:12 AM

Re: Running program files on XP with non-executable extension?
 


JS wrote:
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.


This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes. If you add a "v" in front
of the exe extension, it is no longer read as an executable. You will
also notice the icon of the file changes.
You could also rename it by a second extension after the exe - exe.abc



>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


The executable is disabled but it is still a malicious file. It can
be reactivated by changing the extension back to exe.

>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?



