Re: Running program files on XP with non-executable extensions?

Posted by Dustin Cook on January 26, 2007, 1:03 am
66.250.146.159:

> I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> virus guard says may be a virus.
>
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
> I figured this would stop XP from running it if I double clicked
> it in error. But my antivirus guard 'AntiVir PE' warned me about
> it again. Even with the dummy extension letters. Surely such a
> program file is now safe enough?
>
> --
>
> I found that if I put the random letters *before* the EXE then
> 'AntiVir PE' did not detect it as a virus.
>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
>
> Is this just an oddity in 'AntiVir PE' or is this being done
> because of something in my XP Pro which might truncate the letters
> in a file's extension after the first three letters?
>
>
>

Ehm... You really can't trust this with Windows. I know for sure via
console the filename isn't important; it can still be executed. I know if you
set it via a registry Run key it will execute fine, regardless of named
extension. To ehh, be safe, don't double click on them. Treat them as
live rounds.. :)

AntiVir PE is going by filename extension to determine if it should scan
the file. A decision on its programmers' part. One I disagree with, for
reasons like you found. :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://bughunter.it-mate.co.uk
email: bughunter.dustin@gmail.com.removethis
Last updated: January 25th, 2007

Posted by Jesper on January 26, 2007, 11:06 am
IE does MIME snooping as well. It looks at the first few bytes of a file to
determine what type it really is. If the file header starts with MZ it is a
pretty sure bet it is a PE image file. This can be disabled on Windows Vista,
but I don't think it can on XP.

BTW, if your AV program can't detect a virus that has had its extension
modified with just two letters on the front I would consider a new AV program.

Posted by Roger Abell [MVP] on January 27, 2007, 1:45 pm
For IE there is a setting in the security options (not sure when
this showed up, perhaps IE6 SP1) named
Misc\Open files based on content, not file extension
Of course it does not impact the Explorer behaviors of post
(save perhaps if file had been downloaded?).

Roger

> IE does MIME snooping as well. It looks at the first few bytes of a file
> to
> determine what type it really is. If the file header starts with MZ it is
> a
> pretty sure bet it is a PE image file. This can be disabled on Windows
> Vista,
> but I don't think it can on XP.
>
> BTW, if your AV program can't detect a virus that has had its extension
> modified with just two letters on the front I would consider a new AV
> program.

Posted by Alun Jones [MS-MVP - Windows S on January 29, 2007, 11:43 pm
> IE does MIME snooping as well. It looks at the first few bytes of a file
> to
> determine what type it really is. If the file header starts with MZ it is
> a
> pretty sure bet it is a PE image file. This can be disabled on Windows
> Vista,
> but I don't think it can on XP.
>
> BTW, if your AV program can't detect a virus that has had its extension
> modified with just two letters on the front I would consider a new AV
> program.
You're thinking too hard.

The reason the AV program sees this as an EXE is that it is still an EXE:

C:\Temp>copy nul foo.exehj
1 file(s) copied.

C:\Temp>dir /x foo*
Volume in drive C has no label.
Volume Serial Number is ACBD-3ABF

Directory of C:\Temp

01/29/2007 08:26 PM 0 FOO~1.EXE foo.exehj
1 File(s) 0 bytes
0 Dir(s) 5,177,344 bytes free

See that - the short file name of "foo.exehj" is "FOO~1.EXE", so (thanks to
the creation of a backwards-compatible "8.3" name) foo.exehj is also
FOO~1.EXE, and will run as an EXE.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
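The two mechanisms the thread lands on, Jesper's point that file type should be decided from the "MZ"/"PE" header rather than the name, and Alun's point that NTFS gives "foo.exehj" the 8.3 alias "FOO~1.EXE", shown together as an added example (not code from any poster or from AntiVir). The 8.3 generator is a simplified model of the first alias Windows creates (uppercase, base cut to six characters plus "~1", extension cut to three); the PE blob and the shell-script blob are constructed sample inputs.

```python
import re
import struct

# Constructed sample inputs for this example: a minimal PE-shaped blob
# (DOS "MZ" stub, e_lfanew at 0x3C pointing at a "PE\0\0" signature)
# and a text file that has nothing to do with executables.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
NOT_PE = b"#!/bin/sh\necho hello\n"


def looks_like_pe(data: bytes) -> bool:
    """Content-based check, the way a scanner should decide 'is this an EXE?'.

    Ignores the filename entirely: requires the DOS 'MZ' magic and a
    'PE\\0\\0' signature at the offset stored in the e_lfanew field (0x3C).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def short_name(long_name: str) -> str:
    """Simplified model (assumption, not the exact NTFS algorithm) of the
    first 8.3 alias Windows generates for a long filename.

    If the uppercased name already fits 8.3 it is used as-is; otherwise the
    base is cut to 6 characters plus '~1' and the extension to 3 characters.
    """
    base, dot, ext = long_name.rpartition(".")
    if not dot:                      # no extension at all
        base, ext = long_name, ""
    base = base.replace(".", "")     # extra dots are dropped from the base

    def clean(s: str) -> str:
        # uppercase, drop spaces, replace characters illegal in 8.3 names
        return re.sub(r"[^A-Z0-9!#$%&'()\-@^_`{}~]", "_", s.upper().replace(" ", ""))

    base, ext = clean(base), clean(ext)
    if len(base) <= 8 and len(ext) <= 3:
        return base + ("." + ext if ext else "")
    alias = base[:6] + "~1"
    return alias + ("." + ext[:3] if ext else "")


if __name__ == "__main__":
    for name in ("foo.exehj", "BLUESKY.EXEHJ", "BLUESKY.HJEXE"):
        print(f"{name:14s} -> {short_name(name)}")
    print("FAKE_PE is PE:", looks_like_pe(FAKE_PE), "| NOT_PE is PE:", looks_like_pe(NOT_PE))
```

Note that under this model "BLUESKY.HJEXE" gets the alias "BLUESK~1.HJE", which is exactly why an extension-driven scanner stops flagging it while a content check on the same bytes still does.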
