Running program files with non-executable extensions?

JS

I downloaded a file (let's call it BLUESKY.EXE) which my antivirus
guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in XP which might truncate the letters in a
file's extension after the first three letters?
 
bxf

JS said:
I downloaded a file (let's call it BLUESKY.EXE) which my antivirus
guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in XP which might truncate the letters in a
file's extension after the first three letters?

The obvious guess is that since extensions are typically three
characters, the programmer who wrote AntiVir PE wrote the COMPARE
instruction to look at only the first three characters.
 
Jerold Schulman

I downloaded a file (let's call it BLUESKY.EXE) which my antivirus
guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?


See tip 0014 » Windows NT Short File Extensions.
in the 'Tips & Tricks' at http://www.jsifaq.com

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /V Win95TruncatedExtensions

Yours is set to 1, the default for XP.

To set it to 0,
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /V Win95TruncatedExtensions /T REG_DWORD /F /D 0


Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
David Candy

Rename bluesky.exe to anything you want, like fred.ttxt. Drag it to a command prompt and press Enter.

It has to be an unrecognised extension.

Ditto: rename a Word document to no extension or an unknown one. Double-click it.
 
Wayne Tilton

David Candy said:
Rename bluesky.exe to anything you want, like fred.ttxt. Drag it to a
command prompt and press Enter.

It has to be an unrecognised extension.

Ditto: rename a Word document to no extension or an unknown one.
Double-click it.

If you want to see something really scary, copy something like calc.exe
to a new file named 'abazaba.txt' and in a command prompt, type in
'abazaba.txt' and watch Calc open. The command prompt looks into
'abazaba.txt' and determines that it is really an executable so it
launches it. Explorer respects the extension and opens it in Notepad,
cmd.exe doesn't.

Same thing happens with any file launched from a command prompt. So, the
concept of "safe files" (e.g. jpg) is only as safe as how you open it.
Microsoft says it is working as designed. I say it is broken as designed
(B.A.D.).

Wayne
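An added example, not posted by anyone in this thread, that puts both points of the discussion into code: bxf's hypothesis that a three-character extension comparison matches BLUESKY.EXEHJ but not BLUESKY.HJEXE, and Wayne's point that what decides whether a file is an executable is its content (an MZ stub pointing at a PE signature), not its name. The sample bytes are constructed here, not a real program.

```python
import struct

def truncated_extension(name: str, limit: int = 3) -> str:
    """Extension as seen by a comparison that only reads the first
    `limit` characters (the thread's guess at AntiVir PE's behaviour)."""
    _, dot, ext = name.rpartition(".")
    return ext[:limit].upper() if dot else ""

def looks_like_pe(data: bytes) -> bool:
    """Content check: DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature. A loader that ignores the
    extension, as cmd.exe does in the thread, cares about this only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> dict:
    """Report what the name suggests versus what the bytes are."""
    return {
        "name": name,
        "truncated_ext": truncated_extension(name),
        "name_says_exe": truncated_extension(name) == "EXE",
        "content_is_pe": looks_like_pe(data),
    }

# Constructed sample: a minimal MZ stub with e_lfanew = 0x40 followed by
# a PE signature. Not a runnable program, just the header shape.
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 16)
# Constructed sample: plain text, as Explorer would expect in a .txt file.
TEXT_SAMPLE = b"just a note, nothing executable here\n"

if __name__ == "__main__":
    # The renamed-calc.exe case from the thread and the two renames from
    # the original question, checked by content rather than by name.
    for fname, blob in [("abazaba.txt", FAKE_PE),
                        ("BLUESKY.EXEHJ", FAKE_PE),
                        ("BLUESKY.HJEXE", FAKE_PE),
                        ("readme.txt", TEXT_SAMPLE)]:
        print(classify(fname, blob))
```

Scanning by `looks_like_pe` rather than by extension is what a defender wants here, since the thread shows the extension is neither a reliable on-switch nor a reliable off-switch.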