Subject: [NEWS] Latest wave of worms using hidden file extensions
Date: Sat, 27 May 2000 14:06:09 +0200
From: support@securiteam.com

Latest wave of worms using hidden file extensions
--------------------------------------------------------------------------------

SUMMARY

Microsoft Windows Explorer allows you to hide or show file extensions at will, allowing the user to see "readme.txt", or just "readme". Many people, in the hope that they won't execute something they shouldn't, turn extension hiding OFF. However, even with extension hiding turned off, file types can register themselves to force the hiding of their extension. This is certainly not a new vulnerability, but it is alarming because of the use e-mail viruses (or worms) now make of it.

DETAILS

By default, several Windows file extensions are hidden. These include .PIF, .SHS, .LNK, .DESKLINK, .URL, and .MAPIMAIL. If a file uses one of these extensions, the user will be unable to tell what the actual extension is.

Exploit:

A worm can easily call itself readme.txt.pif and send itself around the web. When a Windows user receives the file and opens the file in Explorer (or anywhere else that uses the same file-list control), they will only see "readme.txt". The TYPE of the file will be "Shortcut to MS-DOS Program", as opposed to "Text Document" as a .txt file should be. However, that is the only visible difference. When the user tries to run readme.txt, instead of opening Notepad (the program associated with .txt), Explorer executes readme.txt.pif. PIF files act similarly to BAT files, and can get away with virtually anything in DOS, including deleting files, formatting, creating files and so on.

A worm is already propagating on the Internet under the filename Movie.avi.pif. People receiving this file will see "Movie.avi" if they look at the file in Explorer, and as .avi is regarded as a "safe" extension, most people will run this file without a second thought for their own safety.

Going one step further, a PIF worm disguised as a .TXT file could launch Notepad when it is executed, making it seem as if the .txt file is loading. The infection occurs in the background, the user has their .txt file on screen in Notepad, and they are none the wiser.

Solution:

Forced-hidden file extensions are made possible by a registry value "NeverShowExt" (no data). To "unregister" the .PIF file type from being hidden, this value must simply be deleted from HKEY_CLASSES_ROOT\piffile. A registry search of the Data fields for "NeverShowExt" will reveal all file types that have been registered as invisible. These should all be deleted.

ADDITIONAL INFORMATION

The information has been provided by: Wayne Langlois.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
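The NeverShowExt audit from the Solution section, as an added example (not part of the original bulletin): it parses a regedit export of HKEY_CLASSES_ROOT, lists the extensions whose file type forces hiding, and flags filenames that Explorer would display with a misleading visible extension. The sample export (blank lines omitted), the function names and the ShellScrap/txtfile entries are constructed for illustration; piffile and NeverShowExt come from the bulletin.

```python
import re

# Constructed sample: fragment of a regedit export of HKEY_CLASSES_ROOT.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.pif]
@="piffile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"
[HKEY_CLASSES_ROOT\piffile]
@="Shortcut to MS-DOS Program"
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''

def forced_hidden_extensions(reg_text):
    """Return {'.ext': 'ProgID'} for extensions whose file type has NeverShowExt."""
    ext_to_progid, hidden_progids, key = {}, set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r'\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]', line)
        if m:
            key = m.group(1)                 # top-level key: ".pif" or "piffile"
        elif line.startswith('['):
            key = None                       # subkey or another hive: ignore its values
        elif key and key.startswith('.') and line.startswith('@="'):
            ext_to_progid[key.lower()] = line[3:-1]   # default value names the file type
        elif key and line.lower().startswith('"nevershowext"='):
            hidden_progids.add(key.lower())
    return {e: p for e, p in ext_to_progid.items() if p.lower() in hidden_progids}

def explorer_display_name(filename, hidden_exts):
    """Name Explorer shows when the final extension is force-hidden."""
    stem, dot, ext = filename.rpartition('.')
    return stem if dot and stem and '.' + ext.lower() in hidden_exts else filename

def is_disguised(filename, hidden_exts):
    """True when the shown name still ends in an extension (readme.txt.pif -> readme.txt)."""
    shown = explorer_display_name(filename, hidden_exts)
    return shown != filename and '.' in shown.strip('.')
```

Run against a full export from the machine being audited, the returned mapping is the list of file types to review for the NeverShowExt value, and is_disguised can be applied to attachment names at a mail gateway.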