.PIF files not scanned by NAV

maradcliff

I have been getting a barrage of junk emails with .PIF files attached.
This PIF is the same file each time, but always has a different name.
I know these are viruses of some sort, and I never open them.
However, Norton Anti Virus does not identify them as viruses. I
selected SCAN ALL FILES in that directory. I have the latest virus
definitions within a week or so. Why is NAV not finding these as
viruses?

Also, how are .PIF files enabled? I know they are a dos file, and are
destructive (or can be). If I were to click on them, what would
happen? I am not going to try, in fact I plan to delete them, but am
saving one on a floppy so I can find out what they are.

Thanks

Mark
 
null

> I have been getting a barrage of junk emails with .PIF files attached.
> This PIF is the same file each time, but always has a different name.
> I know these are viruses of some sort, and I never open them.
> However, Norton Anti Virus does not identify them as viruses. I
> selected SCAN ALL FILES in that directory. I have the latest virus
> definitions within a week or so. Why is NAV not finding these as
> viruses?

Update NAV. There are very new strains of Netsky that use the pif
extension.

> Also, how are .PIF files enabled? I know they are a dos file, and are
> destructive (or can be).

They're not a DOS file. You can think of them as potentially dangerous
file extensions in the same category of "executables" as .EXE, .COM,
.SCR and .BAT. They're Program Information Files but they can be used
to drop malware.

> If I were to click on them, what would
> happen?

You'd likely get infested with malware.

> I am not going to try, in fact I plan to delete them, but am
> saving one on a floppy so I can find out what they are.

Just delete them. Delete all such email attackments.


Art
http://www.epix.net/~artnpeg
 
Geese_Hunter

> I have been getting a barrage of junk emails with .PIF files attached.
> This PIF is the same file each time, but always has a different name.
> I know these are viruses of some sort, and I never open them.
> However, Norton Anti Virus does not identify them as viruses. I
> selected SCAN ALL FILES in that directory. I have the latest virus
> definitions within a week or so. Why is NAV not finding these as
> viruses?
>
> Also, how are .PIF files enabled? I know they are a dos file, and are
> destructive (or can be). If I were to click on them, what would
> happen? I am not going to try, in fact I plan to delete them, but am
> saving one on a floppy so I can find out what they are.
>
> Thanks
>
> Mark

On XP, & probably most other Windows operating systems, to change file
extensions:
Go to Explorer, then Tools, Folder Options, then File Types. Click on
New, then type in pif &/or shs, then OK. It will say the extension is
used, do you want to change; say yes. You may have to find it, might be
at the top. Highlight it, then click Change & use Notepad, then OK &
then Close if you are done. I've also changed my vbs, vbe, hta, &
another that I can't recall.
 
FromTheRafters

> Also, how are .PIF files enabled?

By double clicking them?

What do you mean by "enabled", do you wish to create one?

You can do so by using the "properties" choice from the pulldown
menu of a dos filetype (program tab ~ advanced button), or on the
earlier Windows versions by using the PIF editor.

> I know they are a dos file, and are destructive (or can be).

Can be, and I would say that they are Windows files which can
be used to contain clues for the setting up of a DOS session to
run a DOS program.

Start ~ Help ~ .pif files

> If I were to click on them, what would happen?

They function similar to the way a shortcut (lnk) file does in that
they point to a target file to be run, but in addition they may handle
some prerequisites (such as running an "autoexec.bat" and/or a
"config.sys" to get the environment ready for the program it is
pointing to).

> I am not going to try, in fact I plan to delete them, but am
> saving one on a floppy so I can find out what they are.

It might not be a *real* pif file, only an executable file renamed
to pif. The OS can still treat it as an exe if it is an exe renamed.
If someone renames "killbox.exe" to "luvya.txt.pif" it might get
displayed as "luvya.txt" with the pif extension hidden from view.
Then double clicking on the innocent looking "luvya.txt" file will
send the executable file to the Windows executable file loaders
to see if any loader recognizes it as something it is designed to
handle. The exe loader recognizes it from its header information
and loads it for execution.

...at least this is how I think it happens - maybe someone else
can explain it better.

Trying to open a piffile in an editor from within Windows always
seems to open the target file rather than the piffile, but in DOS
with "edit.com" you can see *some* of the innards.
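
The renamed-executable case described in the post above, as an added example that is not part of the original thread: a Python triage check that flags an attachment whose final extension is one the thread names as runnable, whose name carries a decoy inner extension, or whose bytes begin with an MZ/PE header under a name that does not say so. The function names, the decoy list and the sample bytes are constructed for illustration.

```python
import struct

# Extensions named in this thread as ones Windows will run when double-clicked.
RISKY_EXTS = {"exe", "com", "scr", "bat", "pif", "shs", "vbs", "vbe", "hta"}
# Inner extensions a user reads as harmless (assumed sample list for this example).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "htm", "zip"}
# Extensions under which an MZ image is expected, so the header is no surprise.
NATIVE_EXTS = {"exe", "com", "scr"}


def executable_kind(data: bytes) -> str:
    """Return 'pe', 'mz' or 'none' based on the file's header bytes."""
    if data[:2] != b"MZ":
        return "none"
    if len(data) >= 0x40:
        # e_lfanew at offset 0x3C holds the offset of the PE signature, if any.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "mz"


def triage(filename: str, data: bytes) -> list:
    """Return the reasons to quarantine an attachment (empty list = none found)."""
    reasons = []
    parts = filename.lower().rstrip(". ").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTS:
        reasons.append("runnable-extension:" + ext)
        # "luvya.txt.pif" shows as "luvya.txt" when the last extension is hidden.
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append("double-extension:%s.%s" % (parts[-2], ext))
    kind = executable_kind(data)
    if kind != "none" and ext not in NATIVE_EXTS:
        # The loader goes by the header, not the name: this is a renamed executable.
        reasons.append("%s-header-under-.%s" % (kind, ext or "(none)"))
    return reasons


def fake_pe() -> bytes:
    """Constructed 68-byte stub: MZ magic, e_lfanew = 0x40, then 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"


if __name__ == "__main__":
    print(triage("luvya.txt.pif", fake_pe()))
    print(triage("notes.txt", b"plain text"))
```
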
 
maradcliff

> By double clicking them?
>
> What do you mean by "enabled", do you wish to create one?
>
> You can do so by using the "properties" choice from the pulldown
> menu of a dos filetype (program tab ~ advanced button), or on the
> earlier Windows versions by using the PIF editor.
>
> Can be, and I would say that they are Windows files which can
> be used to contain clues for the setting up of a DOS session to
> run a DOS program.
>
> Start ~ Help ~ .pif files
>
> They function similar to the way a shortcut (lnk) file does in that
> they point to a target file to be run, but in addition they may handle
> some prerequisites (such as running an "autoexec.bat" and/or a
> "config.sys" to get the environment ready for the program it is
> pointing to).
>
> It might not be a *real* pif file, only an executable file renamed
> to pif. The OS can still treat it as an exe if it is an exe renamed.
> If someone renames "killbox.exe" to "luvya.txt.pif" it might get
> displayed as "luvya.txt" with the pif extension hidden from view.
> Then double clicking on the innocent looking "luvya.txt" file will
> send the executable file to the Windows executable file loaders
> to see if any loader recognizes it as something it is designed to
> handle. The exe loader recognizes it from its header information
> and loads it for execution.
>
> ...at least this is how I think it happens - maybe someone else
> can explain it better.
>
> Trying to open a piffile in an editor from within Windows always
> seems to open the target file rather than the piffile, but in DOS
> with "edit.com" you can see *some* of the innards.

Yep, I updated my definitions and found they are the W32.netsky.d@mm
virus. I guess that is a new one, but looking at the actual virus
using dos edit.com, it appears it was dated 1999. NAV does not give
any useful info about this virus, as far as what it does.

Mark
 
FromTheRafters

> Yep, I updated my definitions and found they are the W32.netsky.d@mm
> virus. I guess that is a new one,

New one day, but by the next day it may be several versions old.
The variants have been coming out in rapid fire succession.

> ...but looking at the actual virus
> using dos edit.com, it appears it was dated 1999. NAV does not give
> any useful info about this virus, as far as what it does.

Hopefully, it didn't *do* anything. ;o)
 
