Running program files on XP with non-executable extension?

Discussion in 'Computer Security' started by JS, Nov 2, 2005.

  1. JS

    JS Guest

    I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    virus guard says may be a virus.

    I wanted to get more info about this file, so I disabled it by
    adding a couple of random letters to the extension.

    I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

    I figured this would stop my XP Pro from running it if I double
    clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    me about it again. Even with the dummy extension letters! Surely
    such a program file is now safe enough?

    --

    I found that if I add the random letters *before* the EXE then
    AntiVir PE's guard does not detect it as a virus.

    So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

    Is this just an oddity in 'AntiVir PE'? Or is this being done
    because of something in XP Pro which might truncate the letters in
    a file's extension after the first three letters?
     
    JS, Nov 2, 2005
    #1

  2. JS

    James Egan Guest

    On Wed, 02 Nov 2005 09:48:50 GMT, JS <>
    wrote:

    >I figured this would stop my XP Pro from running it if I double
    >clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    >me about it again. Even with the dummy extension letters! Surely
    >such a program file is now safe enough?
    >


    Not always.

    As an example you might try renaming a MS Word .doc file to (say) .hje
    or some other extension which doesn't have a specific association with
    another program and then double clicking it. You will see that it
    still opens in Word because the file structure is still recognised as
    a word document even though you renamed it.


    Jim.
     
    James Egan, Nov 2, 2005
    #2

  3. JS

    Dustin Cook Guest

    James Egan wrote:

    > Not always.
    >
    > As an example you might try renaming a MS Word .doc file to (say) .hje
    > or some other extension which doesn't have a specific association with
    > another program and then double clicking it. You will see that it
    > still opens in Word because the file structure is still recognised as
    > a word document even though you renamed it.


    Mine asks what to open the program with when I do that. :)

    Xp Pro sp1a on both machines. I'll test an sp2 machine at work.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Nov 2, 2005
    #3
  4. JS

    Arthur T. Guest

    In Message-ID:<970263D544D6617E53A@66.250.146.159>
    JS <> wrote:

    >I wanted to get more info about this file, so I disabled it by
    >adding a couple of random letters to the extension.
    >
    > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
    >
    >I figured this would stop my XP Pro from running it if I double
    >clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    >me about it again. Even with the dummy extension letters! Surely
    >such a program file is now safe enough?
    >
    >--
    >
    >I found that if I add the random letters *before* the EXE then
    >AntiVir PE's guard does not detect it as a virus.
    >
    >So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


    The extension on the 8.3 filename will have the 1st 3 chars
    of the final extension. Thus bluesky.exehj will have an 8.3 name
    of something like bluesk~1.exe which is an executable.

    To see this, use DIR *.EXE* /X from a command prompt.


    --
    Arthur T. - ar23hur "at" speakeasy "dot" net
    Looking for a good MVS systems programmer position
     
    Arthur T., Nov 2, 2005
    #4
  5. JS

    James Egan Guest

    On 2 Nov 2005 06:59:31 -0800, "Dustin Cook"
    <> wrote:

    >> As an example you might try renaming a MS Word .doc file to (say) .hje
    >> or some other extension which doesn't have a specific association with
    >> another program and then double clicking it. You will see that it
    >> still opens in Word because the file structure is still recognised as
    >> a word document even though you renamed it.

    >
    >Mine ask what to open the program with when I do that. :)
    >
    >Xp Pro sp1a on both machines. I'll test an sp2 machine at work.


    Hmm. I wonder why that is?

    Which version of MS Word did you use? With Word 2000 it opens
    correctly (with a wrong extension) on both win9x and winxp.

    Incidentally, Bart Bailey posted a registry hack (see below) to get
    all unassociated extensions to open with notepad.


    Jim.


    Newsgroups: alt.comp.anti-virus
    Subject: Re: Wirtualna Polska's antivirus program??
    From: Bart Bailey <>
    Date: Thu, 31 Jul 2003 18:27:17 -0700

    In Message-ID:<> posted on
    Fri, 01 Aug 2003 01:10:22 +0100, James Egan wrote:

    >(IIRC Bart Bailey has a reg hack solution for all unregistered
    >suffixes)


    OK, I got to poking around in my registry found it.
    I think this will work if you merge it:

    ---begin---
    REGEDIT4

    [HKEY_CLASSES_ROOT\Unknown]
    "AlwaysShowExt"=""

    [HKEY_CLASSES_ROOT\Unknown\shell]

    [HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
    @="&Notepad"

    [HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
    ; %1 is quoted so paths containing spaces reach Notepad as one argument
    @="notepad.exe \"%1\""

    ---end---
    be sure to leave a blank line at the bottom,
    create an extensionless file and try it.

    Bart
     
    James Egan, Nov 2, 2005
    #5
  6. JS

    Guest

    James Egan wrote:

    > Hmm. I wonder why that is?


    I might have applied a registry tweak some time ago when I hardened the
    box. Autorun is disabled as well.

    Essentially, if I click on a file to open that Windows doesn't know the
    extension of, it asks what to do with it. I'm pretty sure it's a
    registry key I changed.

    > Which version of MS Word did you use? With Word 2000 it opens
    > correctly (with a wrong extension) on both win9x and winxp.


    Word 2000. The later versions are too much like an html editor to me.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    , Nov 2, 2005
    #6
  7. On Wed, 2 Nov 2005, JS wrote:

    > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    > virus guard says may be a virus.
    >
    > I wanted to get more info about this file, so I disabled it by
    > adding a couple of random letters to the extension.
    >
    > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
    >
    > I figured this would stop my XP Pro from running it if I double
    > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    > me about it again. Even with the dummy extension letters! Surely
    > such a program file is now safe enough?
    >
    > --
    >
    > I found that if I add the random letters *before* the EXE then
    > AntiVir PE's guard does not detect it as a virus.
    >
    > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
    >
    > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > because of something in XP Pro which might truncate the letters in
    > a file's extension after the first three letters?


    The file can be found by both its long filename "BLUESKY.EXEHJ" and
    by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
    "BLUESK~1.EXE"). It's still an executable file as long as its short
    name has an executable extension.

    The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
    or "BLUESK~1.HJE".

    --
    Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
    "> Is there anything Spamazon DOESN'T sell?
    Clues. The market's too small to justify the effort."
    -- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005
     
    Norman L. DeForest, Nov 2, 2005
    #7
  8. JS

    Dustin Cook Guest

    Norman L. DeForest wrote:
    > On Wed, 2 Nov 2005, JS wrote:
    >
    > > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    > > virus guard says may be a virus.
    > >
    > > I wanted to get more info about this file, so I disabled it by
    > > adding a couple of random letters to the extension.
    > >
    > > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
    > >
    > > I figured this would stop my XP Pro from running it if I double
    > > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    > > me about it again. Even with the dummy extension letters! Surely
    > > such a program file is now safe enough?
    > >
    > > --
    > >
    > > I found that if I add the random letters *before* the EXE then
    > > AntiVir PE's guard does not detect it as a virus.
    > >
    > > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
    > >
    > > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > > because of something in XP Pro which might truncate the letters in
    > > a file's extension after the first three letters?

    >
    > The file can be found by both its long filename "BLUESKY.EXEHJ" and
    > by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
    > "BLUESK~1.EXE"). It's still an executable file as long as its short
    > name has an executable extension.
    >
    > The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
    > or "BLUESK~1.HJE".


    Bingo. :) I changed the extension.. like I thought the poster did. But
    I did it thru console, not explorer... So the extension really is
    something windows doesn't know what to do with. heh.
     
    Dustin Cook, Nov 2, 2005
    #8
  9. JS

    gp Guest

    "Dustin Cook" <> wrote in message
    news:...
    >
    > Norman L. DeForest wrote:
    > > On Wed, 2 Nov 2005, JS wrote:
    > >
    > > > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    > > > virus guard says may be a virus.
    > > >
    > > > I wanted to get more info about this file, so I disabled it by
    > > > adding a couple of random letters to the extension.
    > > >
    > > > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
    > > >
    > > > I figured this would stop my XP Pro from running it if I double
    > > > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    > > > me about it again. Even with the dummy extension letters! Surely
    > > > such a program file is now safe enough?
    > > >
    > > > --
    > > >
    > > > I found that if I add the random letters *before* the EXE then
    > > > AntiVir PE's guard does not detect it as a virus.
    > > >
    > > > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
    > > >
    > > > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > > > because of something in XP Pro which might truncate the letters in
    > > > a file's extension after the first three letters?
    > >
    > > The file can be found by both its long filename "BLUESKY.EXEHJ" and
    > > by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
    > > "BLUESK~1.EXE"). It's still an executable file as long as its short
    > > name has an executable extension.
    > >
    > > The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
    > > or "BLUESK~1.HJE".
    >
    > Bingo. :) I changed the extension.. like I thought the poster did. But
    > I did it thru console, not explorer... So the extension really is
    > something windows doesn't know what to do with. heh.
    >

    I seem to recall there is a "feature" in NT such that by default it only
    considers the first 3 characters of a file extension as significant,
    although there is a registry change that can turn this off and take
    all characters into consideration.

    Sorry, can't remember what it is.
     
    gp, Nov 3, 2005
    #9
  10. JS

    Poster 60 Guest

    JS wrote:
    > --
    >
    > I found that if I add the random letters *before* the EXE then
    > AntiVir PE's guard does not detect it as a virus.


    This is what an anti-virus program will do if you choose to rename
    the file to keep it for observation purposes. If you add a "v" in front
    of the exe extension, it is no longer read as an executable. You will
    also notice the icon of the file changes.
    You could also rename it by a second extension after the exe - exe.abc



    >
    > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.


    The executable is disabled but it is still a malicious file. It can
    be reactivated by changing the extension back to exe.

    >
    > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > because of something in XP Pro which might truncate the letters in
    > a file's extension after the first three letters?
     
    Poster 60, Nov 3, 2005
    #10
  11. JS

    Leythos Guest

    In article <>, says...
    > This is what an anti-virus program will do if you choose to rename
    > the file to keep it for observation purposes


    Not true, that's what SOME Av products will do if you rename the file.
    We have our AV software set to scan EVERY file on access, except the
    database and exchange store files (as defined by MS and the Av
    provider), but if you were to rename myvirus.exe to myvirus.txt, it
    would still be detected as a virus.

    Good settings for any AV product would be to scan all files accessed.

    --


    remove 999 in order to email me
     
    Leythos, Nov 3, 2005
    #11
  12. JS

    Poster 60 Guest

    Leythos wrote:
    > In article <>, says...
    >
    >> This is what an anti-virus program will do if you choose to rename
    >>the file to keep it for observation purposes

    >
    >
    > Not true, that's what SOME Av products will do if you rename the file.


    Then those that don't do it that way probably use the double extension
    method. I know of a program that uses this method, but in both cases the
    file is disabled so no program can open it.


    > We have our AV software set to scan EVERY file on access, except the
    > database and exchange store files (as defined by MS and the Av
    > provider), but if you were to rename myvirus.exe to myvirus.txt, it
    > would still be detected as a virus.


    The AV program I use gives the renaming option of a malicious file
    found by placing one letter in front of the exe to disable it, but does
    not rename it as a file that can be executed such as txt in your
    example. The purpose of renaming a malicious file is to disable it, so
    no program can open it.

    >
    > Good settings for any AV product would be to scan all files accessed.
    >

    In a corporate environment, I would agree.
     
    Poster 60, Nov 3, 2005
    #12
  13. JS

    Dustin Cook Guest

    Poster 60 wrote:

    > In a corporate environment, I would agree.


    I would disagree for home users. Scanning every single file would only
    increase the chance of false alarms.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Nov 3, 2005
    #13
  14. JS

    Leythos Guest

    In article <>,
    says...
    >
    > Poster 60 wrote:
    >
    > > In a corporate environment, I would agree.

    >
    > I would disagree for home users. Scanning every single file would only
    > increase the chance of false alarms.


    That may be true, but the same would be true for exe files. The chance
    of a false alarm is minimal in today's world of quality AV scanners. In
    the 7 years we've had Symantec Corp edition set to scan ALL files on
    access we've never seen a false hit.

    I would rather see a false alarm than miss a hidden/renamed file.

    --


    remove 999 in order to email me
     
    Leythos, Nov 3, 2005
    #14
  15. JS

    Dustin Cook Guest

    Leythos wrote:

    > That may be true, but the same would be true for exe files. The chance
    > of a false alarm is minimal in todays world of quality AV scanners. In
    > the 7 years we've had Symantec Corp edition set to scan ALL files on
    > access we've never seen a false hit.


    It's actually harder to accidentally flag a good exe as a bad one than
    it would be to accidentally heuristically determine some .txt file is a
    virus. This isn't from personal opinion, that's a stated fact in the
    antivirus industry. While I appreciate improvements have been made, the
    underlying principles of how a virus scanner works have not changed much
    in the last few years.

    For example, Frisk, maker of f-prot, has an option on the DOS scanner
    to indeed scan all files. This is settable via the "/dumb" switch. He
    named it dumb, because scanning all files on a hard disk, even ones
    that cannot possibly contain executable code, is a dumb thing to do.

    As I said, I've been in the vx side for many years. I'm well versed on
    both aspects of it, from antivirus perspective as well as vx
    perspective. I'm not giving my opinion per se, I'm giving that of the
    general consensus of both the Av and Vx side of things.

    Regards,
    Dustin Cook
     
    Dustin Cook, Nov 3, 2005
    #15
  16. JS

    Leythos Guest

    In article <>,
    says...
    > As I said, I've been in the vx side for many years. I'm well versed on
    > both aspects of it, from antivirus perspective as well as vx
    > perspective. I'm not giving my opinion per se, I'm giving that of the
    > general consensus of both the Av and Vx side of things.


    That's great for them and you - not being snide here, but, as I said
    before, never seen a false positive on more than 1500 systems, and we'll
    continue to use it scanning all files on access.


    --


    remove 999 in order to email me
     
    Leythos, Nov 3, 2005
    #16
  17. JS

    Zvi Netiv Guest

    JS <> wrote:

    > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    > virus guard says may be a virus.
    >
    > I wanted to get more info about this file, so I disabled it by
    > adding a couple of random letters to the extension.
    >
    > I renamed BLUESKY.EXE to BLUESKY.EXEHJ.


    Not the brightest idea.

    > I figured this would stop my XP Pro from running it if I double
    > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    > me about it again. Even with the dummy extension letters! Surely
    > such a program file is now safe enough?


    Not sure at all. See below.

    > I found that if I add the random letters *before* the EXE then
    > AntiVir PE's guard does not detect it as a virus.
    >
    > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
    >
    > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > because of something in XP Pro which might truncate the letters in
    > a file's extension after the first three letters?


    Nothing to do with XP, particularly, but with how file and extension names are
    interpreted by Windows and by various applications.

    Here is a little experiment that you can do, that explains the principles
    involved: Open the Windows installation directory with Windows Explorer, find
    Regedit.exe, and rename it to "Egedit.executable". When still in Explorer's
    window, double click the Egedit renamed file and it won't execute, as expected.

    Prepare now for a little surprise! Open the CMD shell (by executing CMD from
    the desktop 'run' menu), change to XP's base directory (..\WINNT by default) and
    issue the command DIR EGEDI* from the command line. The system will return
    EGEDIT~1.EXE. Type now just EGEDIT~1, with no extension name, and then press
    Enter. REGEDIT will open normally!

    What the above experiment shows is that the Explorer and CMD shells, do parse
    file and extension names quite differently and whether a file is considered an
    executable depends on the parser.

    All that your experiment tells is that Antivir PE interprets just the first
    three characters of the extension name in order to determine whether the file
    type is in the list of extensions that need be verified. Nothing beyond that.

    If you want to be safe, then change the extension name to EX~, DL~, SC~ for
    castrated exe, dll, and scr, respectively, rather than appending the original
    extension name, like you did.

    Don't forget to delete Egedit when done with the experiment (Windows will keep
    the protected original file, and rename a copy).

    Regards, Zvi
    --
    NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
    InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
     
    Zvi Netiv, Nov 3, 2005
    #17
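    A model of the 8.3 short-name rule that Arthur T., Norman L. DeForest and Zvi Netiv describe above (BLUESKY.EXEHJ becomes BLUESK~1.EXE, Egedit.executable becomes EGEDIT~1.EXE), as an added example that is not code from any poster in the thread. It assumes the simplified generation rule those posts describe (first six characters plus a ~N tail, first three characters of the last extension) and an assumed PATHEXT-style list of runnable extensions; the hashed tails NTFS uses after several collisions are not modelled.

```python
"""Model of how Windows derives an 8.3 short name from a long file name,
used to check whether a "disabled" sample is still runnable via its alias.

Added example for this thread, not code from any poster.  Rules are the
simplified ones the posts describe (first six characters of the base,
a ~N numeric tail, first three characters of the last extension); real
NTFS switches to hash-based tails after several collisions, which this
model does not reproduce.
"""

# Extensions that the shell / CreateProcess treat as runnable.  Assumed
# PATHEXT-style list for this example; tune it to the host in question.
EXECUTABLE_EXTS = {"COM", "EXE", "BAT", "CMD", "SCR", "PIF"}

# Punctuation allowed in an 8.3 name besides letters and digits.
_SHORT_OK = set("!#$%&'()-@^_`{}~")


def split_name(long_name):
    """Return (base, ext) where ext is everything after the LAST dot."""
    base, dot, ext = long_name.rpartition(".")
    return (long_name, "") if not dot else (base, ext)


def _short_chars(text):
    """Upper-case text, dropping spaces, dots and other illegal 8.3 chars."""
    return "".join(c for c in text.upper() if c.isalnum() or c in _SHORT_OK)


def is_valid_83(long_name):
    """True when the long name is already a legal 8.3 name (no alias needed)."""
    base, ext = split_name(long_name)
    if not 1 <= len(base) <= 8 or len(ext) > 3:
        return False
    return (_short_chars(base) == base.upper()
            and _short_chars(ext) == ext.upper())


def short_name(long_name, taken=()):
    """Simplified short-name generation.  `taken` holds short names already
    in the directory, so the ~N tail is bumped on collision (BLUESK~2.EXE)."""
    if is_valid_83(long_name):
        return long_name.upper()
    base, ext = split_name(long_name)
    stem = _short_chars(base)[:6]     # BLUESKY -> BLUESK
    ext3 = _short_chars(ext)[:3]      # EXEHJ   -> EXE  (the whole problem)
    used = {t.upper() for t in taken}
    for n in range(1, 10):
        cand = f"{stem}~{n}" + (f".{ext3}" if ext3 else "")
        if cand not in used:
            return cand
    raise ValueError("more than 9 collisions: Windows would use a hashed tail")


def still_executable(long_name, taken=()):
    """Does the file stay runnable through its short alias (EXEHJ -> EXE)?"""
    _, ext = split_name(short_name(long_name, taken))
    return ext in EXECUTABLE_EXTS


def report(names):
    """One line per name: long name, short alias, verdict."""
    out = []
    for name in names:
        verdict = "STILL RUNNABLE via short name" if still_executable(name) else "inert"
        out.append(f"{name:20} -> {short_name(name):14} {verdict}")
    return out


if __name__ == "__main__":
    # Names from the thread plus the EX~ form Zvi recommends.
    for line in report(["BLUESKY.EXEHJ", "BLUESKY.HJEXE",
                        "Egedit.executable", "BLUESKY.EX~"]):
        print(line)
```

    On a real XP box the authoritative answer is still `DIR /X` in the directory, since the ~N tail depends on what else already lives there.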
  18. JS

    Zvi Netiv Guest

    Leythos <> wrote:

    > In article <>, says...
    > > This is what an anti-virus program will do if you choose to rename
    > > the file to keep it for observation purposes

    >
    > Not true, that's what SOME Av products will do if you rename the file.
    > We have our AV software set to scan EVERY file on access,


    Overkill, and time wasteful.

    > except the
    > database and exchange store files (as defined by MS and the Av
    > provider), but if you were to rename myvirus.exe to myvirus.txt, it
    > would still be detected as a virus.
    >
    > Good settings for any AV product would be to scan all files accessed.


    God forbid.

    Regards
    --
    NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
    InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
     
    Zvi Netiv, Nov 3, 2005
    #18
  19. JS

    Leythos Guest

    In article <>,
    support@replace_with_domain.com says...
    > Leythos <> wrote:
    >
    > > In article <>, says...
    > > > This is what an anti-virus program will do if you choose to rename
    > > > the file to keep it for observation purposes

    > >
    > > Not true, that's what SOME Av products will do if you rename the file.
    > > We have our AV software set to scan EVERY file on access,

    >
    > Overkill, and time wasteful.


    Depends on the environment, not everyone has data they don't care about.

    > > except the
    > > database and exchange store files (as defined by MS and the Av
    > > provider), but if you were to rename myvirus.exe to myvirus.txt, it
    > > would still be detected as a virus.
    > >
    > > Good settings for any AV product would be to scan all files accessed.

    >
    > God forbid.


    Funny, how many networks have you designed and maintain that have NEVER
    been compromised?

    --


    remove 999 in order to email me
     
    Leythos, Nov 3, 2005
    #19
  20. JS

    Dustin Cook Guest

    Leythos wrote:

    > That's great for them and you - not being snide here, but, as I said
    > before, never seen a false positive on more than 1500 systems, and we'll
    > continue to use it scanning all files on access.


    I have no problems with what you do. I was just stating what the
    majority of those on both sides professionally feel. You know, the guys
    who write the viruses, and the guys who write the products that hunt
    for them. You wouldn't be the first end-user to assume he/she knows
    better how to use a product than its creators, though.

    Regards,
    Dustin Cook
     
    Dustin Cook, Nov 3, 2005
    #20