Running program files on XP with non-executable extension?


Post by JS » Thu, 03 Nov 2005 18:48:50


I downloaded a file (let's call it BLUESKY.EXE) which my anti-
virus guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop my XP Pro from running it if I double
clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
me about it again. Even with the dummy extension letters! Surely
such a program file is now safe enough?

I found that if I add the random letters *before* the EXE then
AntiVir PE's guard does not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE'? Or is this being done
because of something in XP Pro which might truncate the letters in
a file's extension after the first three letters?
 
 
 


Post by James Ega » Thu, 03 Nov 2005 20:33:13

On Wed, 02 Nov 2005 09:48:50 GMT, JS < XXXX@XXXXX.COM >



Not always.

As an example you might try renaming an MS Word .doc file to (say) .hje
or some other extension which doesn't have a specific association with
another program and then double clicking it. You will see that it
still opens in Word because the file structure is still recognised as
a Word document even though you renamed it.


Jim.

 
 
 


Post by James Ega » Fri, 04 Nov 2005 01:34:17

On 2 Nov 2005 06:59:31 -0800, "Dustin Cook"



Hmm. I wonder why that is?

Which version of MS Word did you use? With Word 2000 it opens
correctly (with a wrong extension) on both win9x and winxp.

Incidentally, Bart Bailey posted a registry hack (see below) to get
all unassociated extensions to open with notepad.


Jim.


Newsgroups: alt.comp.anti-virus
Subject: Re: Wirtualna Polska's antivirus program??
From: Bart Bailey < XXXX@XXXXX.COM >
Date: Thu, 31 Jul 2003 18:27:17 -0700

In Message-ID:< XXXX@XXXXX.COM > posted on



OK, I got to poking around in my registry and found it.
I think this will work if you merge it:

---begin---
REGEDIT4

[HKEY_CLASSES_ROOT\Unknown]
"AlwaysShowExt"=""

[HKEY_CLASSES_ROOT\Unknown\shell]

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad]
@="&Notepad"

[HKEY_CLASSES_ROOT\Unknown\shell\Notepad\Command]
@="notepad.exe %1"

---end---
Be sure to leave a blank line at the bottom,
create an extensionless file and try it.

Bart
 
 
 


Post by bughunter. » Fri, 04 Nov 2005 01:42:10


I might have applied a registry tweak some time ago when I hardened the
box. Autorun is disabled as well.

Essentially, if I click on a file to open that Windows doesn't know the
extension of, it asks what to do with it. I'm pretty sure it's a
registry key I changed.


Word 2000. The later versions are too much like an html editor to me.

Regards,
Dustin Cook
http://www.yqcomputer.com/
 
 
 


Post by Norman L. » Fri, 04 Nov 2005 02:04:19


The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatible file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

--
Norman De Forest http://www.yqcomputer.com/ ~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
Clues. The market's too small to justify the effort."
-- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005
 
 
 


Post by Dustin Coo » Fri, 04 Nov 2005 03:19:51


Bingo. :) I changed the extension.. like I thought the poster did. But
I did it thru console, not Explorer... So the extension really is
something Windows doesn't know what to do with. heh.
 
 
 


Post by gp » Fri, 04 Nov 2005 09:53:33


Seem to recall there is a "feature" in NT such that by default it only
considers the first 3 characters of a file extension as significant,
although there is a registry change that can turn this off and take
all characters into consideration.

Sorry, can't remember what it is.
 
 
 


Post by Poster 6 » Fri, 04 Nov 2005 11:12:56


This is what an anti-virus program will do if you choose to rename
the file to keep it for observation purposes. If you add a "v" in front
of the exe extension, it is no longer read as an executable. You will
also notice the icon of the file changes.
You could also rename it by a second extension after the exe - exe.abc




The executable is disabled but it is still a malicious file. It can
be reactivated by changing the extension back to exe.
 
 
 


Post by Leytho » Fri, 04 Nov 2005 11:38:57

In article < XXXX@XXXXX.COM >, XXXX@XXXXX.COM says...

Not true, that's what SOME AV products will do if you rename the file.
We have our AV software set to scan EVERY file on access, except the
database and exchange store files (as defined by MS and the AV
provider), but if you were to rename myvirus.exe to myvirus.txt, it
would still be detected as a virus.

Good settings for any AV product would be to scan all files accessed.

--

XXXX@XXXXX.COM
remove 999 in order to email me
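
Added example (not part of any post in the thread): a Python sketch of the two checks discussed, the extension that an 8.3 short-name alias would carry, as in the short-filename post earlier in the thread, and content-based detection that ignores the name, as in the post above. It assumes 8.3 alias creation is enabled and simplifies alias generation to the extension only; the extension list, the function names and the sample bytes are constructed for illustration.

```python
import struct

# Assumed list of extensions the shell treats as directly runnable (not from the thread).
EXECUTABLE_EXTS = {"EXE", "COM", "BAT", "CMD", "SCR", "PIF"}


def short_name_extension(long_name: str) -> str:
    """Extension of the 8.3 alias: first three characters after the last dot.

    Simplified: ignores the base-name part (BLUESK~1) and character replacement.
    """
    _, dot, ext = long_name.rpartition(".")
    return ext.replace(" ", "")[:3].upper() if dot else ""


def is_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_sample_pe() -> bytes:
    """Constructed stand-in for a program file: header fields only, not runnable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + bytes(20)


def triage(name: str, data: bytes) -> dict:
    """Report what the name suggests and what the content actually is."""
    alias_ext = short_name_extension(name)
    return {
        "alias_ext": alias_ext,
        "alias_executable": alias_ext in EXECUTABLE_EXTS,
        "content_is_pe": is_pe(data),
    }


if __name__ == "__main__":
    sample = make_sample_pe()
    for name in ("BLUESKY.EXE", "BLUESKY.EXEHJ", "BLUESKY.HJEXE", "myvirus.txt"):
        print(f"{name:15} {triage(name, sample)}")
```

For the names used in the thread, the alias extension is executable for BLUESKY.EXEHJ but not for BLUESKY.HJEXE, while the content check reports a PE file under every name.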
 
 
 


Post by Poster 6 » Fri, 04 Nov 2005 16:46:34


Then those that don't do it that way probably use the double extension
method. I know of a program that uses this method, but in both cases the
file is disabled so no program can open it.



The AV program I use gives the renaming option of a malicious file
found by placing one letter in front of the exe to disable it, but does
not rename it as a file that can be executed such as txt in your
example. The purpose of renaming a malicious file is to disable it, so
no program can open it.

In a corporate environment, I would agree.
 
 
 


Post by Dustin Coo » Sat, 05 Nov 2005 01:05:52


It's actually harder to accidentally flag a good exe as a bad one, than
it would be to accidentally heuristically determine some .txt file is a
virus. This isn't from personal opinion, that's a stated fact in the
antivirus industry. While I appreciate improvements have been made, the
underlying principles of how a virus scanner works have not changed much
in the last few years.

For example, frisk, maker of f-prot, has an option on the DOS scanner
to indeed, scan all files. This is settable via the "/dumb" switch. He
named it dumb, because scanning all files on a hard disk, even ones
that cannot possibly contain executable code, is a dumb thing to do.

As I said, I've been in the vx side for many years. I'm well versed on
both aspects of it, from antivirus perspective as well as vx
perspective. I'm not giving my opinion per se, I'm giving that of the
general consensus of both the AV and VX side of things.

Regards,
Dustin Cook