Wirtualna Polska's antivirus program??


Boris Badenuff

I got the bogus "Microsoft Security Update" with a virus in it in a webmail
account of mine, but what was interesting was the advisory note at the
bottom of the message:

---------------------------------------------------------------
Warning !!! The attachment's filename has been changed!
---------------------------------------------------------------
Anti-Virus Scanner of Wirtualna Polska mail system has changed the name of
attachment, which can contain a virus. The last dot character in its
filename has been changed to underscore, in order to avoid automatic
execution of the attachment included in the mail
message.
 
FromTheRafters said:
This is the second time I have read about this in here. I like
this idea also. I don't think it is an anti-virus program per se,
but a detection of the double extension that is being detected.
If their AV had detected a virus, it probably would have given
a name rather than just stating that it "..can contain a virus.".

I have received several of these in the last few weeks. They have all
originated from Polish sites.

But, it is not just "double-extensions" -- it seems that any attachment
with an "undesirable" extension is "renamed" by this simple one-character
substitution.
I'm not saying that the "Anti-Virus Scanner of Wirtualna Polska
mail system" isn't an AV, only that detecting double extensions
is trivial compared to anti-virus scanning, and worse things than
viruses can be contained within such named files.

Yep.

_And_ simply renaming as such does not completely work either. I refer
again to the case of "properly registered" file types that have OLE2-
based file formats. Simply removing the extension (which is effectively
what this trick does) or renaming them to an unregistered extension
leaves them perfectly "usable" by double-clicking as the Windows
(Explorer?) "we're starting a file of unknown type" process checks the
file format and if it's an OLE2 format then checks the CLSID of the OLE2
root directory and will start whatever application (if any) that is
registered to handle that CLSID. Worse, there are actually situations
on some of the later NT-based OSes where the same can happen for EXE
files that are non-extensioned or renamed to non-registered extensions.
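The behaviour described above, as an added example that is not part of the original thread: a small Python script that applies the scanner's "last dot to underscore" renaming and then shows that the file type, and for OLE2 compound documents the root-entry CLSID that Windows would look up, is still recoverable from the content alone. The CLSID, the handler name it maps to and the minimal compound-document builder are constructed for the demonstration; they are not real Windows or Office identifiers, and the `.dat` suffix option follows a later report in the thread about the same scanner.

```python
import uuid

# Compound-document (OLE2 / "structured storage") signature, as found at the
# start of classic .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Constructed stand-in for the registry lookup Windows performs on the CLSID:
# one made-up CLSID mapped to a made-up handler name. Nothing here is a real
# Windows or Office identifier.
SAMPLE_CLSID = uuid.UUID("11111111-2222-3333-4444-555555555555")
CLSID_HANDLERS = {SAMPLE_CLSID: "sample-wordprocessor"}


def neutralise_name(filename: str, add_dat: bool = False) -> str:
    """Apply the renaming scheme quoted in the thread: the last dot becomes an
    underscore. add_dat=True additionally appends ".dat", as reported later
    in the thread for the same scanner (the exact form is an assumption)."""
    head, dot, ext = filename.rpartition(".")
    if not dot:                      # no dot at all: nothing to neutralise
        return filename
    renamed = f"{head}_{ext}"
    return renamed + ".dat" if add_dat else renamed


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring the name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"MZ"):
        return "executable"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def ole2_root_clsid(data: bytes):
    """Return the CLSID stored in the root directory entry of a compound
    document, or None if the data is not a parseable OLE2 file."""
    if not data.startswith(OLE2_MAGIC) or len(data) < 512:
        return None
    sector_size = 1 << int.from_bytes(data[30:32], "little")   # sector shift
    first_dir_sector = int.from_bytes(data[48:52], "little")   # directory start
    # The 512-byte header occupies "sector -1", so sector N begins at (N+1)*size.
    offset = (first_dir_sector + 1) * sector_size
    root = data[offset:offset + 128]                           # one directory entry
    if len(root) < 128 or root[66] != 5:                       # 5 = root storage
        return None
    return uuid.UUID(bytes_le=bytes(root[80:96]))              # CLSID field


def handler_for(filename: str, data: bytes, registered_ext=()):
    """Mimic the behaviour described in the thread: a registered extension
    wins; otherwise an OLE2 file is routed by the CLSID in its root entry."""
    ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    if ext in registered_ext:
        return f"handler-for-.{ext}"
    if sniff_type(data) == "ole2":
        return CLSID_HANDLERS.get(ole2_root_clsid(data))
    return None


def build_ole2_sample(clsid: uuid.UUID) -> bytes:
    """Constructed minimal compound document: a header plus one directory
    sector holding only the root entry with the given CLSID."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    header[28:30] = (0xFFFE).to_bytes(2, "little")   # little-endian marker
    header[30:32] = (9).to_bytes(2, "little")        # 512-byte sectors
    header[48:52] = (0).to_bytes(4, "little")        # directory in sector 0
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    root[64:66] = len(name).to_bytes(2, "little")
    root[66] = 5                                     # STGTY_ROOT
    root[80:96] = clsid.bytes_le
    return bytes(header) + bytes(root) + bytes(512 - 128)


if __name__ == "__main__":
    doc = build_ole2_sample(SAMPLE_CLSID)
    renamed = neutralise_name("report.doc")          # -> report_doc
    print(renamed, sniff_type(doc), handler_for(renamed, doc))
```

The point a mail-gateway author should take from it: a rename changes only the name-based lookup, so any filter that relies on it has to be paired with content inspection (magic bytes, and for compound documents the root CLSID) or the neutralised attachment still reaches its handler.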
 
Yep.

_And_ simply renaming as such does not completely work either. I refer
again to the case of "properly registered" file types that have OLE2-
based file formats. Simply removing the extension (which is effectively
what this trick does) or renaming them to an unregistered extension
leaves them perfectly "usable" by double-clicking as the Windows
(Explorer?) "we're starting a file of unknown type" process checks the
file format and if it's an OLE2 format then checks the CLSID of the OLE2
root directory and will start whatever application (if any) that is
registered to handle that CLSID. Worse, there are actually situations
on some of the later NT-based OSes where the same can happen for EXE
files that are non-extensioned or renamed to non-registered extensions.

But what about renaming to an extension such as .TXT which will in a
vast majority of cases result in the file being opened in Notepad or
perhaps a different text editor the user may use? A file too large for
Notepad will just result in an error.

Art
http://www.epix.net/~artnpeg
 
But what about renaming to an extension such as .TXT which will in a
vast majority of cases result in the file being opened in Notepad or
perhaps a different text editor the user may use? A file too large for
Notepad will just result in an error.

Try re-naming the suffix of one of your word documents to (say) .x56
instead of .doc and then double clicking it. Renaming will make no
difference to it being opened by ms word unless you have some other
package already registered for .x56


(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

Jim.
 
Try re-naming the suffix of one of your word documents to (say) .x56
instead of .doc and then double clicking it. Renaming will make no
difference to it being opened by ms word unless you have some other
package already registered for .x56

True, but renaming to .TXT opens it in Notepad :)
(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

Hadn't seen that. What does it do?

Art
http://www.epix.net/~artnpeg
 
True, but renaming to .TXT opens it in Notepad :)

Hadn't seen that. What does it do?

Art
http://www.epix.net/~artnpeg

I can't seem to find it right now, but it basically opens everything in
notepad that isn't registered to something else. In my case notepad is
mapped to UltraEdit, so any strange extension, or no extension invokes
the hexeditor.
It's an old windows tweak,
(should be out there somewhere),
I didn't create it, just found it once.

Bart
 
In Message-ID:<[email protected]> posted on
(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

; "Unknown" is the class Explorer uses for files whose extension is not registered
[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

; %1 is quoted so that paths containing spaces are passed as a single argument
[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe \"%1\""

---end---
be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Bart
 
Gabriele said:
On that special day, Boris Badenuff, ([email protected]) said...


I don't know, but sadly it doesn't work against morons. Although I sent
several complaints to (e-mail address removed), the same infected machine is sending
me Gibes again and again. By now it has been more than three months.

Gabriele Neukam

(e-mail address removed)

--
"Mom, there is a spider in the bathroom!"
"Are you sure?" - "Yes!"
"How many legs has it got?"
"I can't tell - but they are all dangling from a thread!" (c): RL

Hi Gabriele,

Did you try
(e-mail address removed)
?

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom
 
In Message-ID:<[email protected]> posted on
(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

; "Unknown" is the class Explorer uses for files whose extension is not registered
[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

; %1 is quoted so that paths containing spaces are passed as a single argument
[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe \"%1\""

---end---
be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Thanks. Hadn't thought of doing that sort of thing. Extensionless
files that are plain ASCII text files will Open in Notepad by
duh-fault anyway, but it hadn't occurred to me that the OS will Open
other extensionless files according to their header or format.



Art
http://www.epix.net/~artnpeg
 
On that special day, (e-mail address removed), ([email protected]) said...
Did you try
(e-mail address removed)

Sure, it was that address (I wrote it down from memory). They give me a
trouble ticket, and the worm spams on happily ever after.


Gabriele Neukam

(e-mail address removed)
 
Gabriele said:
On that special day, (e-mail address removed), ([email protected]) said...



Sure, it was that address (I wrote it down from memory). They give me a
trouble ticket, and the worm spams on happily ever after.

Gabriele Neukam

(e-mail address removed)

Hehe, and the ticket's all you'll get from them (my experience
w/ their spamming "investigations"). :-/

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom
 
But what about renaming to a extension such as .TXT which will in a
vast majority of cases result in the file being opened in Notepad or
perhaps a different text editor the user may use? ...

In general that is correct. Although I can imagine a few possible problem
cases, they provide lower risk than the "change the dot" approach.
... A file too large for
Notepad will just result in a error.

Well, depends on the OS -- "real" versions of Windows don't have that silly
32KB (??) limit on Notepad.
 
James Egan said:
Try re-naming the suffix of one of your word documents to (say) .x56
instead of .doc and then double clicking it. Renaming will make no
difference to it being opened by ms word unless you have some other
package already registered for .x56

This is the kind of thing I was referring to.

However note that the issue that started this thread is actually a process
that takes the more dangerous approach of changing the dot. This renders
message attachments deemed to have "bad" types (by the name of their
extensions) "extensionless", except in the case of files that have dots in
the filename part of their names -- does anyone know what this scanner
does in such cases? In fact, does anyone know what this scanner is?
(IIRC Bart Bailey has a reg hack solution for all unregistered
suffixes)

Tweaking the values of the root file type "Unknown" changes how files of
non-registered types are handled.
 
Nick FitzGerald said:
This is the kind of thing I was referring to.

However note that the issue that started this thread is actually a process
that takes the more dangerous approach of changing the dot. This renders
message attachments deemed to have "bad" types (by the name of their
extensions) "extensionless", except in the case of files that have dots in
the filename part of their names -- does anyone know what this scanner
does in such cases?

From the text of the OP's e-mail, it says the *last* dot
character is changed (I assumed, evidently wrongly, that
this meant that more than one dot character was found).
Evidently they didn't look too deeply into any possible
implications that would arise from this scheme.
 
FromTheRafters wrote in message

Hello,
I've been reading this group for some time now and find it both edifying and
amusing, which is a perfect combination ;-).
On this particular occasion, it is an advantage to be a native speaker of
Polish, like myself. After having made some investigations in an appropriate
Polish NG, I'm now able to answer a few of the questions which have been
asked in this thread.
This is the second time I have read about this in here. I like
this idea also.

You wouldn't, if you knew how it worked ;-)
I don't think it is an anti-virus program per se,

You score a point on this one.
but a detection of the double extension that is being detected.

Half a point this time - it's not only double extensions, the scanner takes
care of all undesirable extensions, but in a rather dumb manner (which you
and the others have actually figured out by now).
If their AV had detected a virus, it probably would have given
a name rather than just stating that it "..can contain a virus.".

It sometimes does. I was prompted in the Polish NG to send an email to an
account at Wirtualna Polska with an empty file attachment named something
like blah.pif.exe, which I did. The mail bounced. The intended recipient
wasn't notified (it goes without saying that I had obtained his consent
prior to my non-scientific tests, though ;-)). As for myself, I got a short
email from WP's auto-responder (with my original headers forwarded to me),
telling me that my message had contained I-Worm.Sircam.c, had hence not been
delivered, but removed from their server instead. I was also urged to back
up my data immediately and to install the most recent AV ;-).
The person who suggested this test to me had learnt about it due to checking
a scared customer's machine for viruses under similar circumstances (an
I-Worm.Sircam.c notification from WP's auto-responder, this time,
unfortunately, in a real environment). The machine turned out to be clean,
so after some additional testing the service person asked WP what was going
on. The sobering answer was that the scanner was just "matching" the
attachment's name to those of viruses spreading through email, and it was
indeed possible that a clean file would be recognized as a virus. WP's
advice was to choose file names which wouldn't match those of viruses. Zip
and rar archives were suggested as being safe in this regard (i.e. safe
names).
I'm not saying that the "Anti-Virus Scanner of Wirtualna Polska
mail system" isn't an AV,

Well, it obviously isn't.
I haven't got an account at Wirtualna Polska, but have had a look at their
site. The online help only states that the antivirus scanner WPSecure
protects the mail accounts against viruses, and that both incoming and
outgoing emails are being taken care of in that way. The scanner is a
built-in feature of their mail system and gets constantly updated as new
viruses appear, that's all they are willing to tell you. And they do
exaggerate.

As you know by now, this so-called protection is at best rudimentary (good
enough, perhaps, in case of spam - the recipient gets a warning and no harm
is done). It can be a source of unjustified alarm in cases like the one
described above. Someone in the Polish NG has pointed out (and I agree with
him) that in case of such false alerts from the scanner the user, especially
an inexperienced one, would tend to blame his regular AV for not being able
to detect a virus allegedly present on his machine. OTOH, after a few false
alerts of this kind, he could become unduly immunized to justified alerts
once they were there.
I somehow got to like the idea of you liking the idea of the scanner ;-) and
am now quite disappointed myself (I have even played the advocatus diaboli
in the Polish NG for a while, but there's no arguing with facts). I know
from that NG that the said scanner lets all sorts of zipped malware (Klez
and Sobig, for instance) in and out. No actual file scanning is involved,
it's just name matching. BTW, the scanner is a built-in feature, as already
said, and cannot be disabled.
A few further details can be found in my other message in this thread.
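The two failure modes Grazyna reports (a clean, empty file named blah.pif.exe flagged as I-Worm.Sircam.c, and zipped executables passing untouched) side by side, as an added Python example that is not part of the thread and not Wirtualna Polska's code: a name-only matcher next to a content check that looks inside zip archives. The matching rule, the executable-extension list and the sample archives are constructed for the demonstration; only the worm label and the file name come from the thread, and the real scanner's rule is unknown.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Constructed rule set standing in for the name-only matching the thread
# describes. "Double extension ending in an executable type" is an assumption
# about what made blah.pif.exe match; the real scanner's rule is not known.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat"}
MAX_NESTING = 2                 # how deep to follow zip-inside-zip
MAX_MEMBER_BYTES = 1_000_000    # declared size cap before reading a member


def name_matching_verdict(filename: str) -> Optional[str]:
    """Name-only check: never looks at the attachment's bytes."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return "I-Worm.Sircam.c"   # label copied from the thread, rule assumed
    return None


def inspect_archive(data: bytes, depth: int = 0) -> List[str]:
    """Content check: list executable members of a zip, following nested
    archives up to MAX_NESTING levels and refusing oversized members."""
    findings: List[str] = []
    if not data.startswith(b"PK\x03\x04"):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:     # size as declared in the header
                findings.append(f"{info.filename}: too large, not inspected")
                continue
            member = zf.read(info.filename)
            if member.startswith(b"MZ"):
                findings.append(f"{info.filename}: executable (MZ header)")
            elif member.startswith(b"PK\x03\x04"):
                if depth >= MAX_NESTING:
                    findings.append(f"{info.filename}: nested archive beyond depth limit")
                else:
                    findings.extend(f"{info.filename}/{f}"
                                    for f in inspect_archive(member, depth + 1))
    return findings


def scan_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Both verdicts for one attachment, so the disagreement is visible."""
    return {"name_match": name_matching_verdict(filename),
            "content": inspect_archive(data)}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed sample archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_EXE = b"MZ" + b"\x00" * 62   # constructed: DOS header magic only, not a program


if __name__ == "__main__":
    # False positive: empty body, name matches -> flagged with no content at all.
    print(scan_attachment("blah.pif.exe", b""))
    # False negative for the name matcher: harmless name, executable inside.
    print(scan_attachment("photos.zip", build_zip({"update.exe": FAKE_EXE})))
```

The nesting and size limits are the practitioner's caveat: once a gateway starts opening archives it has to bound the work it does per message, or the inspection itself becomes the easier target.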
 
Grazyna said:
FromTheRafters wrote in message


Hello,
I've been reading this group for some time now and find it both edifying and
amusing, which is a perfect combination ;-).
On this particular occasion, it is an advantage to be a native speaker of
Polish, like myself. After having made some investigations in an appropriate
Polish NG, I'm now able to answer a few of the questions which have been
asked in this thread.


You wouldn't, if you knew how it worked ;-)

It seemed at first to be a good attempt at mitigating the effect
of some e-mail worms (especially the autoexecuting ones).
I still like the idea that measures are being investigated at the
ISP level.
You score a point on this one.


Half a point this time - it's not only double extensions, the scanner takes
care of all undesirable extensions, but in a rather dumb manner (which you
and the others have actually figured out by now).


It sometimes does. I was prompted in the Polish NG to send an email to an
account at Wirtualna Polska with an empty file attachment named something
like blah.pif.exe, which I did. The mail bounced. The intended recipient
wasn't notified (it goes without saying that I had obtained his consent
prior to my non-scientific tests, though ;-)). As for myself, I got a short
email from WP's auto-responder (with my original headers forwarded to me),
telling me that my message had contained I-Worm.Sircam.c,

This is definitely not a good thing.
had hence not been
delivered, but removed from their server instead. I was also urged to back
up my data immediately and to install the most recent AV ;-).
The person who suggested this test to me had learnt about it due to checking
a scared customer's machine for viruses under similar circumstances (an
I-Worm.Sircam.c notification from WP's auto-responder, this time,
unfortunately, in a real environment). The machine turned out to be clean,
so after some additional testing the service person asked WP what was going
on. The sobering answer was that the scanner was just "matching" the
attachment's name to those of viruses spreading through email, and it was
indeed possible that a clean file would be recognized as a virus. WP's
advice was to choose file names which wouldn't match those of viruses. Zip
and rar archives were suggested as being safe in this regard (i.e. safe
names).

Not really a good assumption on their part, but as far as I know
the archive filetypes don't autoexecute (yet) ~ so that's a plus.
Well, it obviously isn't.

Evidently not, from your account of the service's methods.
I didn't want to go out on a limb and guess that the name
was so very misleading. Thanks for your investigation
into the matter.
I haven't got an account at Wirtualna Polska, but have had a look at their
site. The online help only states that the antivirus scanner WPSecure
protects the mail accounts against viruses, and that both incoming and
outgoing emails are being taken care of in that way. The scanner is a
built-in feature of their mail system and gets constantly updated as new
viruses appear, that's all they are willing to tell you. And they do
exaggerate.

Not_so_perfect.bat might be the main engine for such a system. ;o)
As you know by now, this so-called protection is at best rudimentary (good
enough, perhaps, in case of spam - the recipient gets a warning and no harm
is done). It can be a source of unjustified alarm in cases like the one
described above. Someone in the Polish NG has pointed out (and I agree with
him) that in case of such false alerts from the scanner the user, especially
an inexperienced one, would tend to blame his regular AV for not being able
to detect a virus allegedly present on his machine. OTOH, after a few false
alerts of this kind, he could become unduly immunized to justified alerts
once they were there.
I somehow got to like the idea of you liking the idea of the scanner ;-)

I was just glad to see some ISP take an action that *seemed* to
be defusing the e-mail worm without disrupting what might have
been a legitimate communication. Since you have expanded on
the methods they are using, I like them less.
and
am now quite disappointed myself (I have even played the advocatus diaboli
in the Polish NG for a while, but there's no arguing with facts). I know
from that NG that the said scanner lets all sorts of zipped malware (Klez
and Sobig, for instance) in and out. No actual file scanning is involved,
it's just name matching. BTW, the scanner is a built-in feature, as already
said, and cannot be disabled.
A few further details can be found in my other message in this thread.

Thanks for providing this additional information. If it weren't for
the unregistered extension (and extensionless) filename problems,
that renaming scheme might have had some merit.
 
FromTheRafters wrote in message
I still like the idea that measures are being investigated at the
ISP level.
Ditto.
safe names).

Not really a good assumption on their part, but as far as I know
the archive filetypes don't autoexecute (yet) ~ so that's a plus.

"Yet" is the right word, I guess. Have you ever had a look at XP's
built-in zip feature? After a single click on a zip attachment in OE, for
instance, a window pops up and you can double-click an executable, should
the archive contain any. Guess what happens... Right - the program gets
executed, you don't have to bother extracting the file (though you are also
offered an option to do so). I've checked this with a pps file and with an
exe.
I was just glad to see some ISP take an action that *seemed* to
be defusing the e-mail worm without disrupting what might have
been a legitimate communication.

So was I.
Since you have expanded on
the methods they are using, I like them less.

So do I, since the posters in the Polish NG have expanded on those methods.
BTW, the NG in question is devoted to spam-fighting, so the regulars there
would welcome a decent action on the part of ISPs in this regard.
Nevertheless, they insisted on making it clear to me (and you, for that
matter) that the expectations were unfounded in this particular case.
Thanks for providing this additional information. If it weren't for
the unregistered extension (and extensionless) filename problems,
that renaming scheme might have had some merit.

I still think it does, at least to some extent, as long as care is taken of
all "bad" extensions, which I'm unable to verify. The trick consists in
adding a .dat extension, which the scanner apparently always does to
undesirable file names in addition to changing the original dot character to
underscore. To the best of my knowledge, it's rather difficult to open a dat
file just by chance, as Windows issues a few warnings. But then, the best of
my knowledge might not be good enough.
 
Grazyna said:
FromTheRafters wrote in message



"Yet" is the right word, I guess. Have you ever had a look at XP's
built-in zip feature? After a single click on a zip attachment in OE, for
instance, a window pops up and you can double-click an executable, should
the archive contain any. Guess what happens... Right - the program gets
executed, you don't have to bother extracting the file (though you are also
offered an option to do so). I've checked this with a pps file and with an
exe.

I wasn't aware of this feature, however, I did half-jokingly predict
some years ago that Microsoft would grease the wheels of zipped
malware. It is arguably not really their fault that consumers want
the ease of executing malware with little work required on their part.
So was I.


So do I, since the posters in the Polish NG have expanded on those methods.
BTW, the NG in question is devoted to spam-fighting, so the regulars there
would welcome a decent action on the part of ISPs in this regard.
Nevertheless, they insisted on making it clear to me (and you, for that
matter) that the expectations were unfounded in this particular case.
:o(


I still think it does, at least to some extent, as long as care is taken of
all "bad" extensions, which I'm unable to verify. The trick consists in
adding a .dat extension, which the scanner apparently always does by
undesirable file names in addition to changing the original dot character to
underscore. To the best of my knowledge, it's rather difficult to open a dat
file just by chance, as Windows issues a few warnings. But then, the best of
my knowledge might not be good enough.

.DAT was apparently not the best choice. (Is there a best choice?)
 