Running program files on XP with non-executable extension?

[JS]

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

--

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?

 

[James Egan]

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

Not always.

As an example you might try renaming a MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a word document even though you renamed it.


Jim.

 

[Dustin Cook]

Not always.

As an example you might try renaming a MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a word document even though you renamed it.

Mine ask what to open the program with when I do that.

Xp Pro sp1a on both machines. I'll test an sp2 machine at work.

Regards,
Dustin Cook
http://bughunter.atspace.org

 

[James Egan]

Mine ask what to open the program with when I do that.

Xp Pro sp1a on both machines. I'll test an sp2 machine at work.

Hmm. I wonder why that is?

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Incidentally, Bart Bailey posted a registry hack (see below) to get
all unassociated extensions to open with notepad.


Jim.


Newsgroups: alt.comp.anti-virus
Subject: Re: Wirtualna Polska's antivirus program??
From: Bart Bailey <[email protected]>
Date: Thu, 31 Jul 2003 18:27:17 -0700

In Message-ID:<[email protected]> posted on

(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

OK, I got to poking around in my registry found it.
I think this will work if you merge it:

---begin---
REGEDIT4

[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe %1"

---end---
be sure to leave a blank line at the bottom,
create an extensionless file an try it.

Bart

 

[bughunter.dustin]

Hmm. I wonder why that is?

I might have applied a registry tweak some time ago when I hardened the
box. Autorun is disabled as well.

Essentially, if I click on a file to open that windows doesn't know the
extension of, it asks what to do with it. I'm pretty sure its a
registry key I changed.

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Word 2000. The later versions are too much like an html editor to me.

Regards,
Dustin Cook
http://bughunter.atspace.org

 

[Norman L. DeForest]

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

--

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?

The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatable file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

 

[Dustin Cook]

The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatable file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

Bingo. I changed the extension.. like I thought the poster did. But
I did it thru console, not explorer... So the extension really is
something windows doesn't know what to do with. heh.

 

[gp]

Bingo. I changed the extension.. like I thought the poster did. But
I did it thru console, not explorer... So the extension really is
something windows doesn't know what to do with. heh.

Seem to recall there is a "featrue" in NT such that by default it only
considers the first 3 characters of a file extension as significant,
although there is a registry change that can turn this off and take
all characters into consideration.

Sorry, can't remember what it is.

 

[Poster 60]

This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes. If you add a "v" in front
of the exe extension, it is no longer read as an executable. You will
also notice the icon of the file changes.
You could also rename it by a second extension after the exe - exe.abc

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

The executable is disabled but it is still a malicious file. It can
be reactivated by changing the extension back to exe.

 

[Leythos]

This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes

Not true, that's what SOME Av products will do if you rename the file.
We have our AV software set to scan EVERY file on access, except the
database and exchange store files (as defined by MS and the Av
provider), but if you were to rename myvirus.exe to myvirus.txt, it
would still be detected as a virus.

Good settings for any AV product would be to scan all files accessed.

 

[Poster 60]

Not true, that's what SOME Av products will do if you rename the file.

Then those that don't do it that way probably use the double extension
method. I know of a program that uses this method, but in both cases the
file is disabled so no program can open it.

We have our AV software set to scan EVERY file on access, except the
database and exchange store files (as defined by MS and the Av
provider), but if you were to rename myvirus.exe to myvirus.txt, it
would still be detected as a virus.

The AV program I use gives the renaming option of a malicious file
found by placing one letter in front of the exe to disable it, but does
not rename it as a file that can be executed such as txt in your
example. The purpose of renaming a malicious file is to disable it, so
no program can open it.

Good settings for any AV product would be to scan all files accessed.

In a corporate environment, I would agree.

 

[Dustin Cook]

In a corporate environment, I would agree.

I would disagree for home users. Scanning every single file would only
increase the chance of false alarms.

Regards,
Dustin Cook
http://bughunter.atspace.org

 

[Leythos]

I would disagree for home users. Scanning every single file would only
increase the chance of false alarms.

That may be true, but the same would be true for exe files. The chance
of a false alarm is minimal in todays world of quality AV scanners. In
the 7 years we've had Symantec Corp edition set to scan ALL files on
access we've never seen a false hit.

I would rather see a false alarm than miss a hidden/renamed file.

 

[Dustin Cook]

That may be true, but the same would be true for exe files. The chance
of a false alarm is minimal in todays world of quality AV scanners. In
the 7 years we've had Symantec Corp edition set to scan ALL files on
access we've never seen a false hit.

It's actually harder to accidently flag a good exe as a bad one, then
it would be to accidently hueristically determine some .txt file is a
virus. This isn't from personal opinion, thats a stated fact in the
antivirus industry. While I appreciate improvements have been made, the
underlying principles of how a virus scanner works has not changed much
in the last few years.

For example, frisk; maker of f-prot, has an option on the dos scanner
to indeed, scan all files. This is settable via the "/dumb" switch. He
named it dumb, because scanning all files on a hard disk, even ones
that cannot possibly contain executable code, is a dumb thing to do.

As I said, I've been in the vx side for many years. I'm well versed on
both aspects of it, from antivirus perspective as well as vx
perspective. I'm not giving my opinion per say, I'm giving that of the
general consensus of both the Av and Vx side of things.

Regards,
Dustin Cook

 

[Leythos]

As I said, I've been in the vx side for many years. I'm well versed on
both aspects of it, from antivirus perspective as well as vx
perspective. I'm not giving my opinion per say, I'm giving that of the
general consensus of both the Av and Vx side of things.

That's great for them and you - not being snide here, but, as I said
before, never seen a false positive on more than 1500 systems, and we'll
continue to use it scanning all files on access.

 

[Zvi Netiv]

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

Not the brightest idea.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

Not sure at all. See below.

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?

Nothing to do with XP, particularly, but with how file and extension names are
interpreted by Windows and by various applications.

Here is a little experiment that you can do, that explains the principles
involved: Open the Windows installation directory with Windows Explorer, find
Regedit.exe, and rename it to "Egedit.executable". When still in Explorer's
window, double click the Egedit renamed file and it won't execute, as expected.

Prepare now for a little surprise! Open the CMD shell (by executing CMD from
the desktop 'run' menu), change to XP's base directory (..\WINNT by default) and
issue the command DIR EGEDI* from the command line. The system will return
EGEDIT~1.EXE. Type now just EGEDIT~1, with no extension name, and then press
Enter. REGEDIT will open normally!

What the above experiment shows is that the Explorer and CMD shells, do parse
file and extension names quite differently and whether a file is considered an
executable depends on the parser.

All that your experiment tells is that Antivir PE interprets just the first
three characters of the extension name in order to determine whether the file
type is in the list of extensions that need be verified. Nothing beyond that.

If you want to be safe, then change the extension name to EX~, DL~, SC~ for
castrated exe, dll, and scr, respectively, rather than appending the original
extension name, like you did.

Don't forget to delete Egedit when done with the experiment (Windows will keep
the protected original file, and rename a copy).

Regards, Zvi

 

[Zvi Netiv]

Not true, that's what SOME Av products will do if you rename the file.
We have our AV software set to scan EVERY file on access,

Overkill, and time wasteful.

except the
database and exchange store files (as defined by MS and the Av
provider), but if you were to rename myvirus.exe to myvirus.txt, it
would still be detected as a virus.

Good settings for any AV product would be to scan all files accessed.

God forbid.

Regards

 

[Leythos]

Overkill, and time wasteful.

Depends on the environment, not everyone has data they don't care about.

God forbid.

Funny, how many networks have you designed and maintain that have NEVER
been compromised?

 

[Dustin Cook]

That's great for them and you - not being snide here, but, as I said
before, never seen a false positive on more than 1500 systems, and we'll
continue to use it scanning all files on access.

I have no problems with what you do. I was just stating what the
majority of those on both sides professionally feel. You know, the guys
who write the viruses, and the guys who write the products that hunt
for them. You wouldn't be the first end-user to assume he/she knows
better how to use a product then it's creators tho.

Regards,
Dustin Cook

 

[David H. Lipman]

From: "Leythos" <[email protected]>

|
| That's great for them and you - not being snide here, but, as I said
| before, never seen a false positive on more than 1500 systems, and we'll
| continue to use it scanning all files on access.
|

{ just to stir the pot a bit... }

Since I monitor many virus News Groups, including Symantec's, I have come across *many*
False Positive declarations from many AV vendors.

I recently (10/6) dealt with one situation by Symantec in reference to; iun6002.exe which
was falsely declared as a Trojan.Dropper.

Then there was the case of Symantec falsely declaring Backdoor.Graybird (9/16) in was a temp
file created by Spy Sweeper.

I'm still wondering when Avast will stop falsely declaring the VBS/RedLof in Trend Micro's
sysclean utility.