Running program files on XP with non-executable extensions?

JS

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in my XP Pro which might truncate the letters
in a file's extension after the first three letters?



--

MS security groups:
microsoft.public.security
microsoft.public.security.virus
microsoft.public.windowsxp.security_admin
 
Anonymous

JS said:
I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in my XP Pro which might truncate the letters
in a file's extension after the first three letters?

This is an oddity with the anti-virus guard as far as I think.
The file should not get executed if the extension is changed.

!Anonymous!
 
David H. Lipman

From: "JS" <[email protected]>

| I downloaded a file (let's call it BLUESKY.EXE) which my anti-
| virus guard says may be a virus.
|
| I wanted to get more info about this file, so I disabled it by
| adding a couple of random letters to the extension.
|
| I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
|
| I figured this would stop XP from running it if I double clicked
| it in error. But my antivirus guard 'AntiVir PE' warned me about
| it again. Even with the dummy extension letters. Surely such a
| program file is now safe enough?
|
| --
|
| I found that if I put the random letters *before* the EXE then
| 'AntiVir PE' did not detect it as a virus.
|
| So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
|
| Is this just an oddity in 'AntiVir PE' or is this being done
| because of something in my XP Pro which might truncate the letters
| in a file's extension after the first three letters?
|

Please submit a sample of "BLUESKY.EXE" to Virus Total --
( or the renamed file )
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.
 
Scherbina Vladimir

When you change a file's extension its contents are not changed, *and* it's
still a virus.
 
Steven L Umbach

That is a dangerous game to play. If you want to protect the computer then
use Software Restriction Policy to create a path rule to the folder where
you keep such files with a disallowed security level and a hash rule for
that file for disallowed. If you want to see what suspicious files will do
and have a spare computer or a removable hard drive tray then use a test
setup of the operating system that you have an image for to run the file.
That way you can always restore the image when done to ensure you are back
to baseline. Registry snapshot programs are helpful in seeing what is being
done to an operating system when exploring such and free tools such as
filemon from SysInternals are helpful also. --- Steve
 
Vanguard \(NPI\)

JS said:
I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in my XP Pro which might truncate the letters
in a file's extension after the first three letters?


Windows may only recognize and use the FIRST 3 characters after the LAST
period character (".") in a filename to match against a filetype
association. So, for example, renaming a file from BLUESKY.EXE to
BLUESKY.EXE_OLD or BLUESKY.EXEVIRUSINFECTED won't work to prevent
"accidental" double-clicks or executes of the file. Instead rename it to
BLUESKY.EXE.OLD, BLUESKY.EXE.TXT, BLUESKY.OLD, BLUESKY.OLDEXE, BLUESKY.EXX,
or BLUESKY.TXT.

A virally infected file is still a virally infected file regardless of
whatever filename and extension you use. It wouldn't matter if the file
were renamed to REDDAWN_BADFILE (with no extension) or KILLINGME.SOFTLY.
The filename has nothing to do with the content of the file. If it was
infected, it will still be infected after a rename.

If AntiVir warns you that a file is infected when it had an .exe extension
and then says it is okay when you rename it (to anything) would mean AntiVir
is a worthless anti-virus product. While it doesn't provide great coverage
(94% on average, which isn't great, and only 76% for Windows viruses; see
http://www.av-comparatives.org), I really doubt that it gives a gnat's fart
about the file's name and that it instead interrogates the *content* of the
file to determine if infected or not.

By the way, the sigdash ("-- ") marks your SIGNATURE, not some further
update information section. In your case, the trailing space was missing
but some newsreaders don't require it. It is not an RFC-defined standard
but a de facto standard, and it denotes that what follows is your signature.
Some newsreaders can be configured to ignore signatures (and not display
them), and most will strip out signatures from replies (so a portion of your
post will be lost). Although "News-Agent: OE 6.00.2800" is in your headers,
that is not a header added by Outlook Express (i.e., it is a lie). It is
not even a valid header, nor is it an X-header (meaning a non-standard
header meaningful usually only to the NNTP client or server that added it).
My guess is that you posted in a forum and your forum uses an NNTP gateway
to repost to Usenet. But it also means your forum admin is adding an
invalid and fraudulent header, and that it is not also identifying that the
original post came through a forum's NNTP gateway.
 
 
Mark Randall

Right Click > Properties > Security > Uncheck Execute for everyone >> Apply

Play to your hearts content.

--
- Mark Randall
http://zetech.swehli.com

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov
 
Anonymous

Mark said:
Right Click > Properties > Security > Uncheck Execute for everyone >> Apply

Play to your hearts content.
I cannot understand what you mean. Where do I right click? I right-clicked
on an .exe file and I did not get any Security tab in Properties.

I tested a few .exe files on my Windows XP system; however, I did not get
them to execute after I renamed the extension in any way, whether appending
letters at the end, at the beginning, etc. I cannot understand how someone
said that the file still executes even if you append characters to the file
extension. Somebody please confirm this.

However, the only exception is some system files in /windows and
/windows/system32 folders. For example, if you rename notepad.exe to
something else and then try to run notepad, Windows will regenerate the
file again, named notepad.exe.

Notwithstanding the above, I agree that a virus *is* a virus even if
renamed, moved to the Recycle Bin, etc.

Thanks in advance
 
Mark Randall

You need to have advanced file permissions enabled.

If you are screwing about with viruses presumably you are running on a Pro
version of an OS.

--
- Mark Randall
http://zetech.swehli.com

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov
 
Dustin Cook

I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

--

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in my XP Pro which might truncate the letters
in a file's extension after the first three letters?

Ehm... You really can't trust this with windows. I know for sure via
console filename isn't important, it can still be executed. I know if you
set it via a registry run key it will execute fine, regardless of named
extension. To ehh, be safe, don't double click on them. Treat them as
live rounds.. :)

AntiVir PE is going by filename extension to determine if it should scan
the file. A decision on its programmers' part. One I disagree with, for
reasons like you found. :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://bughunter.it-mate.co.uk
email: (e-mail address removed)
Last updated: January 25th, 2007
 
Dustin Cook

You need to have advanced file permissions enabled.

If you are screwing about with viruses presumably you are running on a
Pro version of an OS.

Better to play in vmware... if this is the case... :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://bughunter.it-mate.co.uk
email: (e-mail address removed)
Last updated: January 25th, 2007
 
Guest

IE does MIME snooping as well. It looks at the first few bytes of a file to
determine what type it really is. If the file header starts with MZ it is a
pretty sure bet it is a PE image file. This can be disabled on Windows Vista,
but I don't think it can on XP.

BTW, if your AV program can't detect a virus that has had its extension
modified with just two letters on the front I would consider a new AV program.
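The content-based check described in the post above, as an added example that is not code from the thread or from any product it mentions: a DOS/PE executable starts with the bytes "MZ", and the little-endian DWORD at offset 0x3C (e_lfanew) gives the offset of the "PE\0\0" signature, followed by the COFF Machine field. The sample files are constructed inline (a hand-built header, not a real program) and the function and file names are this example's own.

```python
"""Added example, not code from the thread: decide what a file is from its
CONTENT, the way the post says IE sniffs it, instead of trusting the name.
A DOS/PE executable starts with the bytes "MZ"; the little-endian DWORD at
offset 0x3C (e_lfanew) gives the offset of the "PE\0\0" signature.  The
sample bytes below are constructed here, not taken from any real file.
"""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}   # COFF Machine values used below


def sniff(data: bytes) -> str:
    """Return 'pe:<machine>' for a PE image, 'mz-only' for a DOS header
    without a PE header, or 'other'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "mz-only"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return "pe:" + MACHINES.get(machine, hex(machine))


def sniff_file(path: str, head: int = 4096) -> str:
    """Sniff only the first `head` bytes of a file on disk."""
    with open(path, "rb") as fh:
        return sniff(fh.read(head))


def build_fake_pe(machine: int = 0x14C) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a minimal
    COFF header.  Not a runnable program, just enough for the sniffer."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytearray(0x3E)     # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew field
    stub = bytes(e_lfanew - len(dos))            # padding up to PE header
    coff = PE_SIGNATURE + struct.pack("<H", machine) + bytes(18)
    return bytes(dos) + stub + coff


def name_vs_content(samples):
    """For each (filename, bytes) pair, write the file and compare what a
    naive extension check says (ext == 'exe') with what the content says."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for filename, payload in samples:
            path = os.path.join(tmp, filename)
            with open(path, "wb") as fh:
                fh.write(payload)
            ext = filename.rsplit(".", 1)[-1].lower()
            results[filename] = (ext == "exe", sniff_file(path))
    return results


if __name__ == "__main__":
    samples = [("BLUESKY.EXEHJ", build_fake_pe()),
               ("BLUESKY.HJEXE", build_fake_pe()),
               ("BLUESKY.TXT", build_fake_pe()),
               ("notes.exe", b"just text, not a program\n")]
    for name, (by_name, by_content) in name_vs_content(samples).items():
        print(f"{name:16} name says exe? {by_name!s:5}  content: {by_content}")
```

Running it shows the renamed copies still sniff as PE images while a text file named notes.exe does not; a scanner that keys only on the extension gets both cases wrong.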
 
Roger Abell [MVP]

For IE there is a setting in the security options (not sure when
this showed up, perhaps IE6 SP1) named
Misc\Open files based on content, not file extension
Of course it does not impact the Explorer behaviors of post
(save perhaps if file had been downloaded?).

Roger
 
Alun Jones [MS-MVP - Windows Security]

Jesper said:
IE does MIME snooping as well. It looks at the first few bytes of a file to
determine what type it really is. If the file header starts with MZ it is a
pretty sure bet it is a PE image file. This can be disabled on Windows Vista,
but I don't think it can on XP.

BTW, if your AV program can't detect a virus that has had its extension
modified with just two letters on the front I would consider a new AV program.


You're thinking too hard.

The reason the AV program sees this as an EXE is that it is still an EXE:

C:\Temp>copy nul foo.exehj
1 file(s) copied.

C:\Temp>dir /x foo*
Volume in drive C has no label.
Volume Serial Number is ACBD-3ABF

Directory of C:\Temp

01/29/2007 08:26 PM 0 FOO~1.EXE foo.exehj
1 File(s) 0 bytes
0 Dir(s) 5,177,344 bytes free

See that - the short file name of "foo.exehj" is "FOO~1.EXE", so (thanks to
the creation of a backwards-compatible "8.3" name) foo.exehj is also
FOO~1.EXE, and will run as an EXE.

Alun.
~~~~
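The 8.3 alias shown in the dir /x output above, and the list of "safe" and "unsafe" renames given earlier in the thread, as an added example that is not code from the thread: a simplified model of how Windows generates the short name (first six characters of the base, "~1", and the extension cut to three characters), applied to BLUESKY.EXEHJ, BLUESKY.HJEXE, BLUESKY.EXE.OLD and the others. The model assumes no name collisions and no characters illegal in 8.3 names; the executable-extension list, function names and sample names are this example's own.

```python
"""Added example, not code from the thread: a simplified model of the 8.3
short-name alias Windows creates for a long filename, applied to the renames
discussed above (BLUESKY.EXEHJ, BLUESKY.HJEXE, BLUESKY.EXE.OLD, ...).

Assumptions of the model: no name collisions (the tail is always ~1) and no
characters that are illegal in 8.3 names.  The real algorithm also handles
collision counters and hashed names, so confirm on a live system with
`dir /x` or real_short_name() below.
"""
import ctypes
import os

# Extensions the shell treats as directly runnable (assumed list).
EXECUTABLE_EXTENSIONS = {"EXE", "COM", "BAT", "CMD", "PIF", "SCR"}


def split_name(upper: str):
    """Split 'BASE.EXT' on the LAST dot; a name without a dot has no ext."""
    base, dot, ext = upper.rpartition(".")
    return (base, ext) if dot else (upper, "")


def is_valid_83(upper: str) -> bool:
    """True if the name already fits 8.3 rules, so no alias is generated."""
    if upper.count(".") > 1 or " " in upper:
        return False
    base, ext = split_name(upper)
    return 1 <= len(base) <= 8 and len(ext) <= 3


def short_name(name: str) -> str:
    """The 8.3 alias Windows would create (upper-cased), or the name itself
    if it already conforms."""
    upper = name.upper()
    if is_valid_83(upper):
        return upper
    base, ext = split_name(upper)
    base = base.replace(".", "").replace(" ", "")   # extra dots/spaces drop
    alias = base[:6] + "~1"                          # first 6 chars + ~1
    ext = ext[:3]                                    # extension cut to 3
    return f"{alias}.{ext}" if ext else alias


def still_executable(name: str) -> bool:
    """True if either the long name or its 8.3 alias ends in an executable
    extension, i.e. the file can still be launched under one of its names."""
    candidates = {name.upper(), short_name(name)}
    return any(split_name(n)[1] in EXECUTABLE_EXTENSIONS for n in candidates)


def real_short_name(path: str):
    """On Windows, ask the kernel for the actual alias via GetShortPathNameW.
    Returns None on other platforms or if the path does not exist."""
    if os.name != "nt" or not os.path.exists(path):
        return None
    buf = ctypes.create_unicode_buffer(260)
    n = ctypes.windll.kernel32.GetShortPathNameW(path, buf, 260)
    return os.path.basename(buf.value) if n else None


def classify(names):
    """Map each candidate name to (modelled alias, still executable?)."""
    return {n: (short_name(n), still_executable(n)) for n in names}


if __name__ == "__main__":
    samples = ["foo.exehj", "BLUESKY.EXEHJ", "BLUESKY.HJEXE",
               "BLUESKY.EXE_OLD", "BLUESKY.EXEVIRUSINFECTED",
               "BLUESKY.EXE.OLD", "BLUESKY.OLDEXE", "BLUESKY.EXX",
               "REDDAWN_BADFILE", "KILLINGME.SOFTLY"]
    for name, (alias, runs) in classify(samples).items():
        print(f"{name:26} -> {alias:14} {'STILL RUNS' if runs else 'safe'}")
```

The model reproduces the FOO~1.EXE alias from the dir /x listing, gives BLUESK~1.EXE for BLUESKY.EXEHJ and BLUESKY.EXE_OLD (still runnable), and BLUESK~1.HJE, BLUESK~1.OLD or BLUESKY.EXX for the renames that put something other than EXE in the last three characters after the last dot. On a real XP box, check the alias with real_short_name() or dir /x before trusting any rename.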
 