Running program files on XP with non-executable extensions?

Post by JS » Thu, 03 Nov 2005 18:46:48


I downloaded a file (let's call it BLUESKY.EXE) which my anti-virus
guard says may be a virus.

I wanted to get more info about this file, so I disabled it by
adding a couple of random letters to the extension.

I renamed BLUESKY.EXE to BLUESKY.EXEHJ.

I figured this would stop XP from running it if I double clicked
it in error. But my antivirus guard 'AntiVir PE' warned me about
it again. Even with the dummy extension letters. Surely such a
program file is now safe enough?

I found that if I put the random letters *before* the EXE then
'AntiVir PE' did not detect it as a virus.

So BLUESKY.HJEXE is ok according to 'AntiVir PE'.

Is this just an oddity in 'AntiVir PE' or is this being done
because of something in my XP Pro which might truncate the letters
in a file's extension after the first three letters?



--

MS security groups:
microsoft.public.security
microsoft.public.security.virus
microsoft.public.windowsxp.security_admin

Running program files on XP with non-executable extensions?

Post by Anonymou » Thu, 03 Nov 2005 20:38:05


This is an oddity with the anti-virus guard as far as I think.
The file should not get executed if the extension is changed.

!Anonymous!


Running program files on XP with non-executable extensions?

Post by David H. L » Thu, 03 Nov 2005 22:18:45

From: "JS" < XXXX@XXXXX.COM >

| I downloaded a file (let's call it BLUESKY.EXE) which my anti-
| virus guard says may be a virus.
|
| I wanted to get more info about this file, so I disabled it by
| adding a couple of random letters to the extension.
|
| I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
|
| I figured this would stop XP from running it if I double clicked
| it in error. But my antivirus guard 'AntiVir PE' warned me about
| it again. Even with the dummy extension letters. Surely such a
| program file is now safe enough?
|
| --
|
| I found that if I put the random letters *before* the EXE then
| 'AntiVir PE' did not detect it as a virus.
|
| So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
|
| Is this just an oddity in 'AntiVir PE' or is this being done
| because of something in my XP Pro which might truncate the letters
| in a file's extension after the first three letters?
|

Please submit a sample of "BLUESKY.EXE" (or the renamed file) to Virus Total:
http://www.yqcomputer.com/
The submission will then be tested against 18 different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.


--
Dave
http://www.yqcomputer.com/
http://www.yqcomputer.com/

Running program files on XP with non-executable extensions?

Post by Scherbina » Fri, 04 Nov 2005 00:43:07

When you change a file's extension its contents are not changed, *and* it's
still a virus.

Running program files on XP with non-executable extensions?

Post by Steven L U » Fri, 04 Nov 2005 01:30:22

That is a dangerous game to play. If you want to protect the computer then
use Software Restriction Policy to create a path rule to the folder where
you keep such files with a disallowed security level and a hash rule for
that file for disallowed. If you want to see what suspicious files will do
and have a spare computer or a removable hard drive tray then use a test
setup of the operating system that you have an image for to run the file.
That way you can always restore the image when done to ensure you are back
to baseline. Registry snapshot programs are helpful in seeing what is being
done to an operating system when exploring such and free tools such as
filemon from SysInternals are helpful also. --- Steve

Running program files on XP with non-executable extensions?

Post by NP » Fri, 04 Nov 2005 02:37:36

"JS" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


Windows may only recognize and use the FIRST 3 characters after the LAST
period character (".") in a filename to match against a filetype
association. So, for example, renaming a file from BLUESKY.EXE to
BLUESKY.EXE_OLD or BLUESKY.EXEVIRUSINFECTED won't work to prevent
"accidental" double-clicks or executes of the file. Instead rename it to
BLUESKY.EXE.OLD, BLUESKY.EXE.TXT, BLUESKY.OLD, BLUESKY.OLDEXE, BLUESKY.EXX,
or BLUESKY.TXT.

A virally infected file is still a virally infected file regardless of
whatever filename and extension you use. It wouldn't matter if the file
were renamed to REDDAWN_BADFILE (with no extension) or KILLINGME.SOFTLY.
The filename has nothing to do with the content of the file. If it was
infected, it will still be infected after a rename.

If AntiVir warns you that a file is infected when it had an .exe extension
and then says it is okay when you rename it (to anything), that would mean AntiVir
is a worthless anti-virus product. While it doesn't provide great coverage
(94% on average, which isn't great, and only 76% for Windows viruses; see
http://www.av-comparatives.org), I really doubt that it gives a gnat's fart
about the file's name and that it instead interrogates the *content* of the
file to determine if infected or not.

By the way, the sigdash ("-- ") marks your SIGNATURE, not some further
update information section. In your case, the trailing space was missing
but some newsreaders don't require it. It is not an RFC-defined standard
but a de facto standard, and it denotes that what follows is your signature.
Some newsreaders can be configured to ignore signatures (and not display
them), and most will strip out signatures from replies (so a portion of your
post will be lost). Although "News-Agent: OE 6.00.2800" is in your headers,
that is not a header added by Outlook Express (i.e., it is a lie). It is
not even a valid header, nor is it an X-header (meaning a non-standard
header meaningful usually only to the NNTP client or server that added it).
My guess is that you posted in a forum and your forum uses an NNTP gateway
to repost to Usenet. But it also means your forum admin is adding an
invalid and fraudulent header, and that it is not also identifying that the
original post came through a forum's NNTP gateway.

--
_________________________________________________
| ** Reply to the newsgroup. Share with others ** |
| E-mail: Remove "NIX" and add "#LAH" to Subject. |
|_________________________________________________|



Running program files on XP with non-executable extensions?

Post by YWJkdWxyN2 » Fri, 04 Nov 2005 04:43:10



Running program files on XP with non-executable extensions?

Post by Mark Randa » Tue, 08 Nov 2005 20:08:09

Right Click > Properties > Security > Uncheck Execute for everyone >> Apply

Play to your hearts content.

--
- Mark Randall
http://www.yqcomputer.com/

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov

Running program files on XP with non-executable extensions?

Post by Anonymou » Tue, 08 Nov 2005 23:40:24


I cannot understand what you mean; where do I right click? I right
clicked on an .exe file and I did not get any Security tab in Properties.

I tested a few .exe files on my Windows XP system; however, I could not
get them to execute after I renamed the extension in any way, whether
appending letters at the end, at the beginning, etc. I cannot understand
how someone said that the file still executes even if you append characters
to the file extension. Somebody please confirm this.

However, the only exception is some system files in /windows and
/windows/system32 folders. For example, if you rename notepad.exe to
something else, and then try to run notepad, Windows will regenerate the
file again named notepad.exe.

Notwithstanding the above, I agree that a virus *is* a virus even if
renamed, moved to the recycle bin, etc.

Thanks in advance

Running program files on XP with non-executable extensions?

Post by Mark Randa » Wed, 09 Nov 2005 20:04:18

You need to have advanced file permissions enabled.

If you are screwing about with viruses presumably you are running on a Pro
version of an OS.

--
- Mark Randall
http://www.yqcomputer.com/

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov

Running program files on XP with non-executable extensions?

Post by Dustin Coo » Sat, 27 Jan 2007 15:03:34


66.250.146.159:


Ehm... You really can't trust this with windows. I know for sure via
console filename isn't important, it can still be executed. I know if you
set it via a registry run key it will execute fine, regardless of named
extension. To ehh, be safe, don't double click on them. Treat them as
live rounds.. :)

AntiVir PE is going by filename extension to determine if it should scan
the file. A decision on its programmers' part. One I disagree with, for
reasons like you found. :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://www.yqcomputer.com/
email: XXXX@XXXXX.COM
Last updated: January 25th, 2007

Running program files on XP with non-executable extensions?

Post by Dustin Coo » Sat, 27 Jan 2007 15:06:38

"Mark Randall" <mark[__OKTHISISFAKE_] XXXX@XXXXX.COM >



Better to play in vmware... if this is the case... :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://www.yqcomputer.com/
email: XXXX@XXXXX.COM
Last updated: January 25th, 2007

Running program files on XP with non-executable extensions?

Post by SmVzcGV » Sun, 28 Jan 2007 01:06:02

IE does MIME snooping as well. It looks at the first few bytes of a file to
determine what type it really is. If the file header starts with MZ it is a
pretty sure bet it is a PE image file. This can be disabled on Windows Vista,
but I don't think it can on XP.

BTW, if your AV program can't detect a virus that has had its extension
modified with just two letters on the front I would consider a new AV program.

Running program files on XP with non-executable extensions?

Post by Roger Abel » Mon, 29 Jan 2007 03:45:00

For IE there is a setting in the security options (not sure when
this showed up, perhaps IE6 SP1) named
Misc\Open files based on content, not file extension
Of course it does not impact the Explorer behaviors of post
(save perhaps if file had been downloaded?).

Roger

Running program files on XP with non-executable extensions?

Post by Alun Jones » Wed, 31 Jan 2007 13:43:04


You're thinking too hard.

The reason the AV program sees this as an EXE is that it is still an EXE:

C:\Temp>copy nul foo.exehj
1 file(s) copied.

C:\Temp>dir /x foo*
Volume in drive C has no label.
Volume Serial Number is ACBD-3ABF

Directory of C:\Temp

01/29/2007 08:26 PM 0 FOO~1.EXE foo.exehj
1 File(s) 0 bytes
0 Dir(s) 5,177,344 bytes free

See that - the short file name of "foo.exehj" is "FOO~1.EXE", so (thanks to
the creation of a backwards-compatible "8.3" name) foo.exehj is also
FOO~1.EXE, and will run as an EXE.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.yqcomputer.com/
23921 57th Ave SE | Blog: http://www.yqcomputer.com/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
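The point Alun makes with `dir /x` (the 8.3 alias of `foo.exehj` is `FOO~1.EXE`), the rename list in NP's post, and SmVzcGV's remark that the content still starts with `MZ` can be checked together. The script below is an added example written for this thread; it is not code from any of the posters. Its `short_name` function is a simplified reimplementation of the Windows 8.3 alias rules (first six characters of the base name plus `~1`, extension cut to three characters, no tilde when the name already fits 8.3); collision numbering beyond `~1` and the hash-derived aliases Windows uses after repeated collisions are deliberately left out, and the `EXECUTABLE_EXTENSIONS` set is an assumed subset of the default PATHEXT list. The PE stub it inspects is constructed inline and is only a header, not a runnable program.

```python
import re
import struct

# Extensions that Windows launches directly on double-click (a subset of the
# default PATHEXT list; the choice of subset is an assumption of this example).
EXECUTABLE_EXTENSIONS = {"EXE", "COM", "BAT", "CMD", "SCR", "PIF"}

# Characters permitted in an 8.3 name; anything else (spaces, extra periods,
# '+', ',', ';', '=', '[', ']') is dropped when the short alias is built.
_NOT_SHORT_SAFE = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def short_name(long_name: str, collision_index: int = 1) -> str:
    """Simplified model of Windows 8.3 short-name generation (assumption).

    Real Windows also increments the ~N suffix on collisions and switches to a
    hash-derived base after a few collisions; this model only covers the
    first-alias case, which is what the 'dir /x' output in the thread shows.
    """
    upper = long_name.upper()
    if "." in upper:
        base, ext = upper.rsplit(".", 1)  # extension = text after the LAST period
    else:
        base, ext = upper, ""
    clean_base = _NOT_SHORT_SAFE.sub("", base)  # also removes embedded periods
    clean_ext = _NOT_SHORT_SAFE.sub("", ext)
    # A name that is already a valid 8.3 name gets no tilde alias.
    already_short = (clean_base == base and clean_ext == ext
                     and 0 < len(base) <= 8 and len(ext) <= 3)
    if already_short:
        return upper
    alias = f"{clean_base[:6]}~{collision_index}"
    if clean_ext:
        alias += "." + clean_ext[:3]  # extension truncated to three characters
    return alias


def is_pe_image(data: bytes) -> bool:
    """True when the bytes carry a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def assess_renamed_file(filename: str, data: bytes) -> dict:
    """Report whether a rename actually removed the double-click risk."""
    alias = short_name(filename)
    alias_ext = alias.rsplit(".", 1)[1] if "." in alias else ""
    return {
        "short_name": alias,
        "short_alias_executable": alias_ext in EXECUTABLE_EXTENSIONS,
        "content_is_pe": is_pe_image(data),
    }


def constructed_pe_stub() -> bytes:
    """Constructed header bytes for the demo: enough to pass is_pe_image, not a program."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    return bytes(dos_header) + b"PE\0\0" + bytes(20)  # zeroed COFF file header


if __name__ == "__main__":
    sample = constructed_pe_stub()
    for name in ("foo.exehj", "BLUESKY.EXEHJ", "BLUESKY.HJEXE", "BLUESKY.EXE_OLD",
                 "BLUESKY.EXE.OLD", "BLUESKY.TXT", "REDDAWN_BADFILE", "KILLINGME.SOFTLY"):
        print(f"{name:18} -> {assess_renamed_file(name, sample)}")
```

Run as-is, the table shows why the two renames in the thread behave differently: `BLUESKY.EXEHJ` still carries the alias `BLUESK~1.EXE`, so a double-click on the short name launches it, while `BLUESKY.HJEXE` becomes `BLUESK~1.HJE` and is not associated with anything. In every row `content_is_pe` stays true, which is the point Scherbina, NP and SmVzcGV make: the rename changes the lookup, never the bytes, so a scanner that keys on the extension is the thing to distrust, not the file that "went clean".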