
Running program files on XP with non-executable extension?

 
 
JS
 
      11-02-2005
I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

--

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?
 
James Egan
 
      11-02-2005
On Wed, 02 Nov 2005 09:48:50 GMT, JS <(E-Mail Removed)>
wrote:

>I figured this would stop my XP Pro from running it if I double
>clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
>me about it again. Even with the dummy extension letters! Surely
>such a program file is now safe enough?
>


Not always.

As an example you might try renaming a MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a word document even though you renamed it.


Jim.

 
Dustin Cook
 
      11-02-2005

James Egan wrote:

> Not always.
>
> As an example you might try renaming a MS Word .doc file to (say) .hje
> or some other extension which doesn't have a specific association with
> another program and then double clicking it. You will see that it
> still opens in Word because the file structure is still recognised as
> a word document even though you renamed it.


Mine asks what to open the program with when I do that.

XP Pro sp1a on both machines. I'll test an sp2 machine at work.

Regards,
Dustin Cook
http://bughunter.atspace.org

 
Arthur T.
 
      11-02-2005
In Message-ID:<970263D544D6617E53A@66.250.146.159>
JS <(E-Mail Removed)> wrote:

>I wanted to get more info about this file, so I disabled it by
>adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
>I figured this would stop my XP Pro from running it if I double
>clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
>me about it again. Even with the dummy extension letters! Surely
>such a program file is now safe enough?
>
>--
>
>I found that if I add the random letters *before* the EXE then
>AntiVir PE's guard does not detect it as a virus.
>
>So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


The extension on the 8.3 filename will have the 1st 3 chars
of the final extension. Thus bluesky.exehj will have an 8.3 name
of something like bluesk~1.exe which is an executable.

To see this, use DIR *.EXE* /X from a command prompt.


--
Arthur T. - ar23hur "at" speakeasy "dot" net
Looking for a good MVS systems programmer position
 
James Egan
 
      11-02-2005
On 2 Nov 2005 06:59:31 -0800, "Dustin Cook"
<(E-Mail Removed)> wrote:

>> As an example you might try renaming a MS Word .doc file to (say) .hje
>> or some other extension which doesn't have a specific association with
>> another program and then double clicking it. You will see that it
>> still opens in Word because the file structure is still recognised as
>> a word document even though you renamed it.

>
>Mine asks what to open the program with when I do that.
>
>XP Pro sp1a on both machines. I'll test an sp2 machine at work.


Hmm. I wonder why that is?

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Incidentally, Bart Bailey posted a registry hack (see below) to get
all unassociated extensions to open with notepad.


Jim.


Newsgroups: alt.comp.anti-virus
Subject: Re: Wirtualna Polska's antivirus program??
From: Bart Bailey <(E-Mail Removed)>
Date: Thu, 31 Jul 2003 18:27:17 -0700

In Message-ID:<(E-Mail Removed)> posted on
Fri, 01 Aug 2003 01:10:22 +0100, James Egan wrote:

>(IIRC Bart Bailey has a reg hack solution for all unregistered
>suffixes)


OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe %1"

---end---
Be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Bart


 
bughunter.dustin@gmail.com
 
      11-02-2005

James Egan wrote:

> Hmm. I wonder why that is?


I might have applied a registry tweak some time ago when I hardened the
box. Autorun is disabled as well.

Essentially, if I click on a file to open that Windows doesn't know the
extension of, it asks what to do with it. I'm pretty sure it's a
registry key I changed.

> Which version of MS Word did you use? With Word 2000 it opens
> correctly (with a wrong extension) on both win9x and winxp.


Word 2000. The later versions are too much like an html editor to me.

Regards,
Dustin Cook
http://bughunter.atspace.org

 
Norman L. DeForest
 
      11-02-2005

On Wed, 2 Nov 2005, JS wrote:

> I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> virus guard says may be a virus.
>
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
>
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?


The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
Clues. The market's too small to justify the effort."
-- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005
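
The short-name rule described in the replies above, as an added example (not code from any poster in this thread): a simplified Python model of the extension part of an 8.3 alias that flags renames which still leave an executable short name. The extension list, function names and sample names are assumptions, and it assumes 8.3 short-name generation is enabled on the volume.

```python
import re

# Assumed set of extensions treated as directly runnable; adjust to local policy.
EXECUTABLE_EXTS = {"EXE", "COM", "BAT", "CMD", "PIF", "SCR"}
# Characters legal in long names but not in 8.3 names are replaced with "_".
_ILLEGAL_8DOT3 = re.compile(r"[+,;=\[\]]")


def split_ext(name):
    """Return (base, ext) split at the last dot; ext is '' when there is none."""
    stripped = name.rstrip(". ")  # Win32 drops trailing dots and spaces
    dot = stripped.rfind(".")
    if dot < 0:
        return stripped, ""
    return stripped[:dot], stripped[dot + 1:]


def short_ext(name):
    """Extension of the 8.3 alias: first three characters of the final extension."""
    _, ext = split_ext(name)
    ext = _ILLEGAL_8DOT3.sub("_", ext.replace(" ", ""))
    return ext[:3].upper()


def classify(name):
    """Compare what the long name and its 8.3 alias say about executability."""
    long_ext = split_ext(name)[1].upper()
    alias_ext = short_ext(name)
    if long_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    elif alias_ext in EXECUTABLE_EXTS:
        verdict = "executable via 8.3 alias"
    else:
        verdict = "not executable by name"
    return {"name": name, "long_ext": long_ext, "alias_ext": alias_ext, "verdict": verdict}


def audit(names):
    """Return only the names whose rename left an executable short alias."""
    return [r for r in map(classify, names) if r["verdict"] == "executable via 8.3 alias"]


# Constructed sample names, based on the renames discussed in the thread.
SAMPLES = ["BLUESKY.EXE", "BLUESKY.EXEHJ", "BLUESKY.HJEXE",
           "BLUESKY.exe.abc", "README", "notes.command"]

if __name__ == "__main__":
    for r in map(classify, SAMPLES):
        print(f"{r['name']:<16} long=.{r['long_ext']:<8} alias=.{r['alias_ext']:<4} {r['verdict']}")
```

The model covers only the extension; the alias the filesystem actually assigned is what `DIR /X` shows.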

 
Dustin Cook
 
      11-02-2005

Norman L. DeForest wrote:
> On Wed, 2 Nov 2005, JS wrote:
>
> > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> > virus guard says may be a virus.
> >
> > I wanted to get more info about this file, so I disabled it by
> > adding a couple of random letters to the extension.
> >
> > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> >
> > I figured this would stop my XP Pro from running it if I double
> > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > me about it again. Even with the dummy extension letters! Surely
> > such a program file is now safe enough?
> >
> > --
> >
> > I found that if I add the random letters *before* the EXE then
> > AntiVir PE's guard does not detect it as a virus.
> >
> > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> >
> > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > because of something in XP Pro which might truncate the letters in
> > a file's extension after the first three letters?

>
> The file can be found by both its long filename "BLUESKY.EXEHJ" and
> by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> "BLUESK~1.EXE"). It's still an executable file as long as its short
> name has an executable extension.
>
> The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> or "BLUESK~1.HJE".


Bingo. I changed the extension.. like I thought the poster did. But
I did it thru console, not explorer... So the extension really is
something Windows doesn't know what to do with. heh.

 
gp
 
      11-03-2005

"Dustin Cook" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
>
> Norman L. DeForest wrote:
> > On Wed, 2 Nov 2005, JS wrote:
> >
> > > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> > > virus guard says may be a virus.
> > >
> > > I wanted to get more info about this file, so I disabled it by
> > > adding a couple of random letters to the extension.
> > >
> > > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
> > >
> > > I figured this would stop my XP Pro from running it if I double
> > > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> > > me about it again. Even with the dummy extension letters! Surely
> > > such a program file is now safe enough?
> > >
> > > --
> > >
> > > I found that if I add the random letters *before* the EXE then
> > > AntiVir PE's guard does not detect it as a virus.
> > >
> > > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> > >
> > > Is this just an oddity in 'AntiVir PE'? Or is this being done
> > > because of something in XP Pro which might truncate the letters in
> > > a file's extension after the first three letters?
> >
> > The file can be found by both its long filename "BLUESKY.EXEHJ" and
> > by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
> > "BLUESK~1.EXE"). It's still an executable file as long as its short
> > name has an executable extension.
> >
> > The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
> > or "BLUESK~1.HJE".
>
> Bingo. I changed the extension.. like I thought the poster did. But
> I did it thru console, not explorer... So the extension really is
> something Windows doesn't know what to do with. heh.
>

Seem to recall there is a "feature" in NT such that by default it only
considers the first 3 characters of a file extension as significant,
although there is a registry change that can turn this off and take
all characters into consideration.

Sorry, can't remember what it is.


 
Poster 60
 
      11-03-2005


JS wrote:
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.


This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes. If you add a "v" in front
of the exe extension, it is no longer read as an executable. You will
also notice the icon of the file changes.
You could also rename it by a second extension after the exe - exe.abc



>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


The executable is disabled but it is still a malicious file. It can
be reactivated by changing the extension back to exe.

>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?


 