CYBER EYE

File extensions can hide much more than meets the user's eye

William Jackson

It's getting more and more difficult to stop malicious e-mail attachments as virus authors and their repackagers learn to hide dead-giveaway file extensions.

After the ILOVEYOU and other recent virus and worm scares, most users know they should check file extensions of e-mail attachments and be cautious about clicking on any kind of executable file, especially unsolicited ones.

But Microsoft Windows' default settings hide some extensions such as .vbs and .shs. A harmless-looking .txt embedded in the filename immediately before such a hidden extension can sneak in a virus masquerading as an innocent text file.

This was the technique used several weeks ago by the life_stages.txt.shs virus to hide a shell scrap object associated with Microsoft's Object Linking and Embedding technology. In this case, the scrap contained malicious Visual Basic Script code.
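The disguise described above can be checked mechanically, for example in a mail-triage script. The following is an added example, not part of the original column; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: the extensions named in the column; extend per local policy.
RISKY_FINAL = {"vbs", "shs", "lnk"}
# Assumption: extensions a reader takes as harmless when shown last.
DECOY = {"txt", "doc", "jpg", "gif"}

def classify(filename):
    """Return (verdict, shown_as) for one attachment filename.

    verdict is 'disguised', 'risky' or 'ok'; shown_as is what a viewer
    that hides the final extension would display.
    """
    # Drop any path component, then normalize trailing dots/spaces.
    base = re.split(r"[\\/]", filename)[-1].strip().rstrip(". ")
    parts = base.split(".")
    if len(parts) < 2 or parts[-1].lower() not in RISKY_FINAL:
        return "ok", base
    shown_as = ".".join(parts[:-1])
    if len(parts) >= 3 and parts[-2].lower() in DECOY:
        return "disguised", shown_as
    return "risky", shown_as

def scan_message(raw_bytes):
    """List (filename, verdict, shown_as) for every flagged attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            verdict, shown_as = classify(name)
            if verdict != "ok":
                findings.append((name, verdict, shown_as))
    return findings

def build_sample():
    """Constructed message with placeholder attachment bodies."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("life_stages.txt.shs", "notes.txt", "report.vbs"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```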

Microsoft has tried to simplify the user interface by hiding some special-use extensions. But as the Internet, and life, grow more complex, simpler is not always better. Better to have a little more clutter in the window and be a little safer.

The CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute recently published instructions for configuring Windows to show all extensions. You can make a start simply by turning off options in Windows' Control Panel for hiding extensions. Some extensions associated with Windows shortcuts, such as .shs and .lnk, remain hidden until the NeverShowExt registry value is removed, however. This takes a little more work.

To change the option on Windows 9x and NT 4.0 systems, select Settings and Control Panel under the Start menu, then go to Folder Options under the View menu and click on the View tab. Deselect 'Hide files of these types' and 'Hide file extensions for known file types.' You can also select 'Show all files' and then click OK to save the changes.

In Windows 2000, go to the Tools menu on the Control Panel and click on the View tab under Folder Options. Under 'Hidden files and folders,' select 'Show hidden files and folders' and uncheck 'Hide file extensions for known file types.'

You can also uncheck 'Hide protected operating system files,' but CERT advises that you carefully read information in the dialog box to confirm the selection.

Before making any of these changes, see whether they conform to your organization's security and other policies.

To change the Windows Registry to ensure that all extensions are shown, type 'regedit' under Run in the Start menu, and do a search for 'NeverShowExt.' Whenever this value is found, right-click on it and select Delete, then continue the search. You must reboot before the changes take effect.

For more detailed instructions, see CERT Incident Note IN-2000-07 on the Web at www.cert.org/incident_notes/IN-2000-07.html.

Remember that these changes only make the extensions visible. Users still must show good judgment about opening attachments and, it goes without saying, should keep their antivirus software and other defenses up to date.
