File types that can be bypassed during virus scans

Virus Guy

Can the following file types pose a threat to systems running Win-98
if they are indeed viral but are bypassed during virus scans:

*.jpg
*.gif
*.tif
*.bmp
*.txt
*.cdr (corel draw files)
*.crw (raw image files for Canon digital cameras)
*._dd (checkdisk or ndd file fragments)
*.pdf
*.hlp
*.mdb
*.xls (if running Office 2000 Premium SR1 fully updated via
micro$loth's office update, what threats do .xls or .doc
files pose at this point? Powerpoint files?)
*.mix (microsoft photo-draw picture?)
*.mpg (any known vulnerability in .mpeg, .mov, or .avi files?)
*.avi
*.mov
*.cab
*.wav

I know that any virus or trojan can be packaged or stored in any file
with any file extension, and that files with extensions com, exe, scr,
vbs, etc mean something very specific when handed over to the OS (like
execution vs opening with a linked viewer).

For example, if a .txt file is viral, and if it is "activated" by some
means (double-clicking on it, or auto-opening in a preview pane in
Outlook, etc) then in the case of .txt files that activation usually
means to open it in wordpad or notepad. So can a viral payload in a
.TXT file be activated by opening with the standard viewer?

I pose the same question for all the above file types. Can activation
or opening of any of the above with the standard viewing or linked
program cause an embedded viral payload to be run or executed?

If the answer depends on the OS, then the OS in question is Win 98se
running MS office 2000 Premium SR1.

(don't bother to reply if your answer is to simply scan all files,
because that tells me nothing about how to configure NAV to bypass
files that pose no threat but can tremendously increase system scan
times needlessly).
 
David H. Lipman

*.jpg <-- Yes
*.gif <-- No
*.tif <-- No
*.bmp <-- No
*.txt <-- No
*.cdr (corel draw files) <-- No
*.crw (raw image files for Canon digital cameras) <-- No
*._dd (checkdisk or ndd file fragments) <-- No
*.pdf <-- Yes
*.hlp <-- Yes
*.mdb <-- Yes
*.xls (if running Office 2000 Premium SR1 fully updated via
micro$loth's office update, what threats do .xls or .doc
files pose at this point? Powerpoint files?)
*.mix (microsoft photo-draw picture?) <-- Yes
*.mpg (any known vulnerability in .mpeg, .mov, or .avi files?) <-- No
*.avi <-- No
*.mov <-- No
*.cab <-- Yes
*.wav <-- No

The following is the McAfee ENGINE v4400 Default File extension scan list...

DL? EX? ACM ADE ADP ADT AP? ASA ASD ASP AX? B64 BA? BIN BMP
BO? CGI CC? CDX CEO CHM CLA CMD CNV CO? CPL CPT CPY CRT CSC
CSS DAT DEV DOC DOT DRV EE? EFV EML FDF FMT FO? FPH FPW GWI
HDI HHT HLP HT? HWD IM? IN? ISP ITS JAR JP? JS? LGP LNK LWP
LIB M3U MBR MB0 MB1 MB2 MD? MHT MOD MPD MRC MS? NEW NWS OB?
OC? OL? OV? PCD PCI PD? PF? PHP PI? PLG PRC QLB QPW QTC RAR
REG RMF RTF SCR SCT SH? SIS SMM SPL SRF SYS SWF TFT TLB TSP
VBS VB? VVV VWP VXD URL UNP WIZ WMV WP? WRL WRZ WS? X32 XML
XRF XSL XTP XX? ZI? Z0M ZL? ZZZ 001 002 386 3GR {?? ACE ARC
ARJ BZ? CAB COM EXE ICE LZH NAP PPZ TAR TAZ TBZ TD0 ZIP Z??
GZ? TGZ ??_ DO? XL? CDR CSV D?B DIF DQY GF? GIM GIX GMS GNA
GW? ICS IQY MPP MPT MSG MSO OLE OTM PDF POT PP? PWZ QQY RQY
SKV SLK UUU VS? WBK WRI


BTW: Office 2000 is at SP3 level.

--
Dave

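As an added illustration (not part of Dave's post or of McAfee's code) of what the quoted default list actually covers, this small matcher applies the list to the file types asked about, assuming each entry is compared case-insensitively against the whole extension and that `?` stands for exactly one character:

```python
# Default scan list as quoted in the thread (McAfee ENGINE v4400).
MCAFEE_4400_DEFAULT = """
DL? EX? ACM ADE ADP ADT AP? ASA ASD ASP AX? B64 BA? BIN BMP
BO? CGI CC? CDX CEO CHM CLA CMD CNV CO? CPL CPT CPY CRT CSC
CSS DAT DEV DOC DOT DRV EE? EFV EML FDF FMT FO? FPH FPW GWI
HDI HHT HLP HT? HWD IM? IN? ISP ITS JAR JP? JS? LGP LNK LWP
LIB M3U MBR MB0 MB1 MB2 MD? MHT MOD MPD MRC MS? NEW NWS OB?
OC? OL? OV? PCD PCI PD? PF? PHP PI? PLG PRC QLB QPW QTC RAR
REG RMF RTF SCR SCT SH? SIS SMM SPL SRF SYS SWF TFT TLB TSP
VBS VB? VVV VWP VXD URL UNP WIZ WMV WP? WRL WRZ WS? X32 XML
XRF XSL XTP XX? ZI? Z0M ZL? ZZZ 001 002 386 3GR {?? ACE ARC
ARJ BZ? CAB COM EXE ICE LZH NAP PPZ TAR TAZ TBZ TD0 ZIP Z??
GZ? TGZ ??_ DO? XL? CDR CSV D?B DIF DQY GF? GIM GIX GMS GNA
GW? ICS IQY MPP MPT MSG MSO OLE OTM PDF POT PP? PWZ QQY RQY
SKV SLK UUU VS? WBK WRI
""".split()


def extension_of(filename):
    """Upper-cased extension of the last path component, '' if none."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].upper()


def pattern_matches(pattern, ext):
    """Assumption: '?' matches exactly one character, all else is literal
    (so '{??' and '??_' behave as written). Length must agree, so a
    four-letter extension such as JPEG does not match JP?."""
    if len(pattern) != len(ext):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, ext))


def scanned_by_default(filename, scan_list=MCAFEE_4400_DEFAULT):
    """Return the first list entry that covers this file, or None."""
    ext = extension_of(filename)
    return next((p for p in scan_list if pattern_matches(p, ext)), None)


def default_coverage(filenames):
    """Map each name to the entry that covers it (None = skipped by default)."""
    return {f: scanned_by_default(f) for f in filenames}
```

Running `default_coverage` over Virus Guy's list shows that GIF, TIF, TXT, CRW, _DD, MIX, MPG, AVI, MOV and WAV are not in this default list, while JPG, BMP, CDR, PDF, HLP, MDB, XLS, DOC, PPT and CAB are.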
 
Julian

If the file exploits a buffer overrun flaw in the application associated
with opening it, then yes it is a potential threat. On that basis, just
about all of those files except .txt could harbour a virus.

There are actually two ways to start a process under Windows. One, which
works when you open a file using the Windows shell, actually uses the
file extension association mechanism. That mechanism can and has been
exploited by a few viruses in order to activate themselves when you run
any executable. (It is also exploited by my Windows shell for F-Prot for
DOS in order to provide a limited form of on-access scanning using a
command-line scanner.)

The other method uses Windows API calls and can be invoked only by a
program. A program can load an executable image from any kind of file so
any file that starts with the EXE header "MZ", whatever its extension,
could be an executable file and therefore potentially a virus.
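Julian's last point, that an executable image is recognised by its "MZ" header and not by its extension, is the basis for a simple defensive check. The following is an added example, not code from the thread: it compares a file's leading bytes with its extension and flags executable images hiding behind non-executable names (the executable-extension set and the sample files are constructed for the example):

```python
# Content signatures, checked against the first bytes of a file.
MAGIC = [
    (b"MZ", "executable image"),      # DOS/Windows executable header
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
]

# Assumption for this example: extensions where an MZ header is expected.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "sys", "drv", "ocx", "cpl", "vxd"}


def content_type(data):
    """Classify data by its leading bytes; 'unknown' if no signature fits."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def flag_disguised_executable(name, data):
    """Return a finding when an MZ image carries a non-executable extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if content_type(data) == "executable image" and ext not in EXECUTABLE_EXTS:
        return f"{name}: MZ header but extension '.{ext}' is not an executable type"
    return None


def check_file(path):
    """Same check against a real file; only the first 8 bytes are read."""
    with open(path, "rb") as fh:
        return flag_disguised_executable(path, fh.read(8))


def scan_samples(samples):
    """Run the check over (name, leading bytes) pairs and collect findings."""
    findings = []
    for name, data in samples:
        finding = flag_disguised_executable(name, data)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample files (name, leading bytes); none are real malware.
SAMPLES = [
    ("holiday.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),   # MZ image named .jpg
    ("beach.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # genuine JPEG header
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),     # MZ image where expected
    ("notes.txt", b"just some text"),
    ("empty.gif", b""),                               # edge case: no header
]
```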
 
Art

All MS Office files should be scanned for macro viruses and embedded
Trojans. Multimedia files should also be scanned since there's hardly
a player out there that hasn't had known vulnerabilities.

If you're talking about realtime scanning, and you otherwise scan
thoroughly on-demand before backup, you could skip archive scanning.
And if you use a sane email app (not OE) you can skip scanning of
email and email archives. If you use something like Irfan View for pic
image files like JPG, GIF, BMP, etc., you can skip scanning those.
Associate TXT files with Notepad and skip scanning those. In fact,
if you discipline yourself to scan downloads on demand, I see no
reason to scan multimedia files or Office files realtime. Get in the
habit of using more than one good av on-demand. There are several
good ones that are free.


http://home.epix.net/~artnpeg
 
James Egan

> BTW: Office 2000 is at SP3 level.

FYI O2KSP2 silently screws some pirate versions of O2K which SP1
doesn't. From a virus point of view there is a bug in SP1 and earlier
versions which will allow some macros to run automatically without
being challenged (by the "ask" default settings). Other than that if
he sticks with sp1 he should be fine.


Jim.
 
David H. Lipman

Thanx for that James !

--
Dave
