Running program files on XP with non-executable extension?

Discussion in 'Computer Security' started by JS, Nov 2, 2005.

  1. JS

    JS Guest

    I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    virus guard says may be a virus.

    I wanted to get more info about this file, so I disabled it by
    adding a couple of random letters to the extension.

    I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

    I figured this would stop my XP Pro from running it if I double
    clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    me about it again. Even with the dummy extension letters! Surely
    such a program file is now safe enough?

    --

    I found that if I add the random letters *before* the EXE then
    AntiVir PE's guard does not detect it as a virus.

    So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

    Is this just an oddity in 'AntiVir PE'? Or is this being done
    because of something in XP Pro which might truncate the letters in
    a file's extension after the first three letters?
     
    JS, Nov 2, 2005
    #1

  2. JS

    James Egan Guest

    Not always.

    As an example you might try renaming a MS Word .doc file to (say) .hje
    or some other extension which doesn't have a specific association with
    another program and then double clicking it. You will see that it
    still opens in Word because the file structure is still recognised as
    a word document even though you renamed it.


    Jim.
     
    James Egan, Nov 2, 2005
    #2

  3. JS

    Dustin Cook Guest

    Mine asks what to open the program with when I do that. :)

    XP Pro SP1a on both machines. I'll test an SP2 machine at work.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Nov 2, 2005
    #3
  4. JS

    Arthur T. Guest

    In Message-ID:<[email protected]>
    The extension on the 8.3 filename will have the 1st 3 chars
    of the final extension. Thus bluesky.exehj will have an 8.3 name
    of something like bluesk~1.exe which is an executable.

    To see this, use DIR *.EXE* /X from a command prompt.
     
    Arthur T., Nov 2, 2005
    #4
  5. JS

    James Egan Guest

    Hmm. I wonder why that is?

    Which version of MS Word did you use? With Word 2000 it opens
    correctly (with a wrong extension) on both win9x and winxp.

    Incidentally, Bart Bailey posted a registry hack (see below) to get
    all unassociated extensions to open with notepad.


    Jim.


    Newsgroups: alt.comp.anti-virus
    Subject: Re: Wirtualna Polska's antivirus program??
    From: Bart Bailey <>
    Date: Thu, 31 Jul 2003 18:27:17 -0700

    OK, I got to poking around in my registry found it.
    I think this will work if you merge it:

    ---begin---
    REGEDIT4

    [HKEY_CLASSES_ROOT\Unknown]
    "AlwaysShowExt"=""

    [HKEY_CLASSES_ROOT\Unknown\shell]

    [HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
    @="&Notepad"

    [HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
    @="notepad.exe %1"

    ---end---
    be sure to leave a blank line at the bottom,
    create an extensionless file and try it.

    Bart
     
    James Egan, Nov 2, 2005
    #5
  6. I might have applied a registry tweak some time ago when I hardened the
    box. Autorun is disabled as well.

    Essentially, if I click on a file to open that Windows doesn't know the
    extension of, it asks what to do with it. I'm pretty sure it's a
    registry key I changed.
    Word 2000. The later versions are too much like an html editor to me.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    bughunter.dustin, Nov 2, 2005
    #6
    The file can be found by both its long filename "BLUESKY.EXEHJ" and
    by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
    "BLUESK~1.EXE"). It's still an executable file as long as its short
    name has an executable extension.

    The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
    or "BLUESK~1.HJE".
     
    Norman L. DeForest, Nov 2, 2005
    #7
  8. JS

    Dustin Cook Guest

    Bingo. :) I changed the extension, like I thought the poster did. But
    I did it through the console, not Explorer... So the extension really is
    something Windows doesn't know what to do with. heh.
     
    Dustin Cook, Nov 2, 2005
    #8
  9. JS

    gp Guest

    Seem to recall there is a "feature" in NT such that by default it only
    considers the first 3 characters of a file extension as significant,
    although there is a registry change that can turn this off and take
    all characters into consideration.

    Sorry, can't remember what it is.
     
    gp, Nov 3, 2005
    #9
  10. JS

    Poster 60 Guest

    This is what an anti-virus program will do if you choose to rename
    the file to keep it for observation purposes. If you add a "v" in front
    of the exe extension, it is no longer read as an executable. You will
    also notice the icon of the file changes.
    You could also rename it by a second extension after the exe - exe.abc


    The executable is disabled but it is still a malicious file. It can
    be reactivated by changing the extension back to exe.
     
    Poster 60, Nov 3, 2005
    #10
  11. JS

    Leythos Guest

    Not true, that's what SOME AV products will do if you rename the file.
    We have our AV software set to scan EVERY file on access, except the
    database and exchange store files (as defined by MS and the AV
    provider), but if you were to rename myvirus.exe to myvirus.txt, it
    would still be detected as a virus.

    Good settings for any AV product would be to scan all files accessed.
     
    Leythos, Nov 3, 2005
    #11
  12. JS

    Poster 60 Guest

    Then those that don't do it that way probably use the double extension
    method. I know of a program that uses this method, but in both cases the
    file is disabled so no program can open it.

    The AV program I use gives the renaming option of a malicious file
    found by placing one letter in front of the exe to disable it, but does
    not rename it as a file that can be executed such as txt in your
    example. The purpose of renaming a malicious file is to disable it, so
    no program can open it.
    In a corporate environment, I would agree.
     
    Poster 60, Nov 3, 2005
    #12
  13. JS

    Dustin Cook Guest

    I would disagree for home users. Scanning every single file would only
    increase the chance of false alarms.

    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Nov 3, 2005
    #13
  14. JS

    Leythos Guest

    That may be true, but the same would be true for exe files. The chance
    of a false alarm is minimal in today's world of quality AV scanners. In
    the 7 years we've had Symantec Corp edition set to scan ALL files on
    access we've never seen a false hit.

    I would rather see a false alarm than miss a hidden/renamed file.
     
    Leythos, Nov 3, 2005
    #14
  15. JS

    Dustin Cook Guest

    It's actually harder to accidentally flag a good exe as a bad one than
    it would be to accidentally heuristically determine some .txt file is a
    virus. This isn't from personal opinion, that's a stated fact in the
    antivirus industry. While I appreciate improvements have been made, the
    underlying principles of how a virus scanner works have not changed much
    in the last few years.

    For example, Frisk, maker of F-Prot, has an option on the DOS scanner
    to indeed scan all files. This is settable via the "/dumb" switch. He
    named it dumb, because scanning all files on a hard disk, even ones
    that cannot possibly contain executable code, is a dumb thing to do.

    As I said, I've been in the VX side for many years. I'm well versed on
    both aspects of it, from the antivirus perspective as well as the VX
    perspective. I'm not giving my opinion per se, I'm giving that of the
    general consensus of both the AV and VX side of things.

    Regards,
    Dustin Cook
     
    Dustin Cook, Nov 3, 2005
    #15
  16. JS

    Leythos Guest

    That's great for them and you - not being snide here, but, as I said
    before, I've never seen a false positive on more than 1500 systems, and we'll
    continue to use it scanning all files on access.
     
    Leythos, Nov 3, 2005
    #16
  17. JS

    Zvi Netiv Guest

    Not the brightest idea.
    Not sure at all. See below.
    Nothing to do with XP, particularly, but with how file and extension names are
    interpreted by Windows and by various applications.

    Here is a little experiment that you can do, that explains the principles
    involved: Open the Windows installation directory with Windows Explorer, find
    Regedit.exe, and rename it to "Egedit.executable". When still in Explorer's
    window, double click the Egedit renamed file and it won't execute, as expected.

    Prepare now for a little surprise! Open the CMD shell (by executing CMD from
    the desktop 'run' menu), change to XP's base directory (..\WINNT by default) and
    issue the command DIR EGEDI* from the command line. The system will return
    EGEDIT~1.EXE. Type now just EGEDIT~1, with no extension name, and then press
    Enter. REGEDIT will open normally!

    What the above experiment shows is that the Explorer and CMD shells do parse
    file and extension names quite differently, and whether a file is considered an
    executable depends on the parser.

    All that your experiment tells is that Antivir PE interprets just the first
    three characters of the extension name in order to determine whether the file
    type is in the list of extensions that need be verified. Nothing beyond that.

    If you want to be safe, then change the extension name to EX~, DL~, SC~ for
    castrated exe, dll, and scr, respectively, rather than appending the original
    extension name, like you did.

    Don't forget to delete Egedit when done with the experiment (Windows will keep
    the protected original file, and rename a copy).

    Regards, Zvi
     
    Zvi Netiv, Nov 3, 2005
    #17
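The 8.3 behaviour described in Arthur T.'s, Norman L. DeForest's and Zvi Netiv's posts, as an added illustration that is not part of the thread: a simplified model of how Windows derives the short alias (first six characters plus "~1", extension cut to three characters; collision numbering and hash-style names are ignored, which is an assumption), used to show why BLUESKY.EXEHJ is still reachable as BLUESK~1.EXE while BLUESKY.HJEXE and the EX~ scheme are not. The extension list is a constructed, partial one.

```python
import re

# File types Windows runs or loads as native code (constructed, partial list).
PROGRAM_EXTS = {"EXE", "COM", "SCR", "PIF", "BAT", "CMD", "DLL"}

# Anything outside the 8.3 character set is replaced with '_' in a short name.
_ILLEGAL = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")

def _split(name):
    """Split on the LAST dot, the way both Explorer and the 8.3 generator do."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")

def short_name(long_name):
    """Approximate the 8.3 alias Windows keeps beside a long file name.
    Assumption: always '~1', no hash-style aliases for name collisions."""
    name = long_name.upper()
    base, ext = _split(name)
    # Spaces and extra periods are dropped from the base part.
    base = _ILLEGAL.sub("_", base.replace(".", "").replace(" ", ""))
    ext = _ILLEGAL.sub("_", ext.replace(" ", ""))
    clean = base + ("." + ext if ext else "")
    if clean == name and len(base) <= 8 and len(ext) <= 3:
        return name  # already a valid 8.3 name, so it is its own alias
    return base[:6] + "~1" + ("." + ext[:3] if ext else "")

def runnable_names(long_name):
    """Names under which the file still counts as a program: the long name if
    its full extension is a program type (Explorer's view), plus the short
    alias if its truncated extension is (CMD's view)."""
    out = []
    if _split(long_name.upper())[1] in PROGRAM_EXTS:
        out.append(long_name)
    alias = short_name(long_name)
    if alias != long_name.upper() and _split(alias)[1] in PROGRAM_EXTS:
        out.append(alias)
    return out

def neutralised_name(long_name):
    """Zvi Netiv's scheme (EXE->EX~, DLL->DL~, SCR->SC~), generalised here to
    every entry of PROGRAM_EXTS: replace the last extension letter with '~'
    and verify that neither the long name nor its alias is runnable."""
    base, ext = _split(long_name)
    if ext.upper() in PROGRAM_EXTS:
        long_name = base + "." + ext[:-1] + "~"
    assert runnable_names(long_name) == []
    return long_name
```

Appending letters after the extension leaves a runnable alias; putting them before the extension, or using the EX~ form, does not.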
  18. JS

    Zvi Netiv Guest

    Overkill, and time wasteful.
    God forbid.

    Regards
     
    Zvi Netiv, Nov 3, 2005
    #18
  19. JS

    Leythos Guest

    Depends on the environment, not everyone has data they don't care about.
    Funny, how many networks have you designed and maintain that have NEVER
    been compromised?
     
    Leythos, Nov 3, 2005
    #19
  20. JS

    Dustin Cook Guest

    I have no problems with what you do. I was just stating what the
    majority of those on both sides professionally feel. You know, the guys
    who write the viruses, and the guys who write the products that hunt
    for them. You wouldn't be the first end-user to assume he/she knows
    better how to use a product than its creators, though.

    Regards,
    Dustin Cook
     
    Dustin Cook, Nov 3, 2005
    #20