CERT® Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University


CERT® Incident Note IN-2000-07

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Exploitation of Hidden File Extensions

Updated: Thursday, July 27, 2000
Date: Monday, June 19, 2000

Overview

There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.

Description

Multiple email-borne viruses are known to exploit the fact that Microsoft Windows operating systems hide certain file extensions. The first major attack incorporating an element of file extension obfuscation was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes.

  • Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
  • VBS/Timofonica (TIMOFONICA.TXT.vbs)
  • VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)

The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable. For further information about these specific viruses, please visit the sites listed on our Computer Virus Resource page.

Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. After disabling this option, there are still some file extensions that, by default, will continue to remain hidden from the user.

There is a registry value which, if set, will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the operating system. The "NeverShowExt" registry value is used to hide the extensions for basic Windows file types. For example, the ".LNK" extension associated with Windows shortcuts remains hidden even after a user has turned off the option to hide extensions.

We have seen attacks which leverage file extensions that are, by default, hidden using the "NeverShowExt" registry value. One such extension, ".SHS", is associated with Shell Scrap Object files. SHS files are typically associated with OLE objects and can include executable contents. Reports indicate that SHS files are being used to distribute malicious code in email attachments. One recent example is a malicious VBScript program wrapped in a Shell Scrap Object file that is sent as an email file attachment named "LIFE_STAGES.TXT.SHS".
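The display behaviour described above, modelled as an added example (this is not CERT/CC code and does not call any Windows API): a small Python routine computes the name Explorer would show for an attachment under the "Hide file extensions for known file types" option and the NeverShowExt rule, then flags names whose visible type differs from the real, executable extension. The extension sets are constructed samples drawn from the names in this note, not complete lists; a mail gateway filter would carry fuller ones.

```python
import os

# Constructed sample sets for this example; a mail gateway would carry fuller lists.
# Extensions that run code when opened. The note names .vbs, .exe, .shs and .lnk.
EXECUTABLE_EXTS = {".exe", ".vbs", ".shs", ".lnk"}
# Extensions registered with the NeverShowExt value on a default install;
# the note names .LNK (shortcuts) and .SHS (Shell Scrap Objects).
NEVER_SHOW_EXT = {".lnk", ".shs"}
# "Known file types" whose extension Explorer hides while the default option is on.
KNOWN_TYPES = {".txt", ".mpg", ".avi", ".doc", ".exe", ".vbs"}


def split_ext(name):
    """Split off the last extension, lower-cased so '.TXT' and '.txt' compare equal."""
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def displayed_name(filename, hide_known=True):
    """Name Explorer shows for filename.

    NeverShowExt wins regardless of the folder option; otherwise the last
    extension is dropped only while 'Hide file extensions for known file
    types' is enabled and the extension is a registered known type.
    """
    base, ext = split_ext(filename)
    if ext in NEVER_SHOW_EXT:
        return base
    if hide_known and ext in KNOWN_TYPES:
        return base
    return filename


def classify(filename, hide_known=True):
    """Compare what the user sees with what the file really is.

    'deceptive' is True when the visible name ends in a different extension
    than the real one and the real one executes code.
    """
    _, actual = split_ext(filename)
    shown = displayed_name(filename, hide_known)
    _, apparent = split_ext(shown)
    deceptive = actual in EXECUTABLE_EXTS and apparent != "" and apparent != actual
    return {
        "shown": shown,
        "apparent": apparent or None,
        "actual": actual or None,
        "deceptive": deceptive,
    }


if __name__ == "__main__":
    # Attachment names taken from the note, plus a harmless control file.
    for name in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "LIFE_STAGES.TXT.SHS",
                 "MySis.avi.exe", "readme.txt"]:
        for hide in (True, False):
            r = classify(name, hide_known=hide)
            print(f"{name:30} hide_known={hide!s:5} shows as {r['shown']:28} "
                  f"deceptive={r['deceptive']}")
```

Running it shows the point of the note directly: turning the folder option off makes "LOVE-LETTER-FOR-YOU.TXT.vbs" display in full, but "LIFE_STAGES.TXT.SHS" still appears as a .TXT file until the NeverShowExt value for Shell Scrap Objects is removed.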

Impact

Users can be tricked into opening a file that appears to be something it is not. A file that appears to be innocent based on its viewable file name may contain malicious executable code.

Solutions

In an environment where file types are mapped to functionality by the extension used in the file name, it is important for the user to know the complete and unobfuscated file name in the course of making informed decisions impacting security.

The CERT/CC encourages sites to evaluate the following suggested steps against security and usability policies at your site. To configure Windows operating systems to display entire and complete file names for all files to the user:

  • Configure Windows to show all files and extensions

    Windows 9x and Windows NT 4.0:

    • Open the Windows Start menu
    • Select "Settings -> Control Panel" to open the control panel
    • From the "View" menu, select "Options..."
    • Click on the "View" tab
    • Ensure "Hide files of these types" and "Hide file extensions for known file types" are both unchecked
    • Ensure "Show all files" is selected
    • Click "OK" to complete the changes

    Windows 2000:

    • Open the Windows Start menu
    • Select "Settings -> Control Panel" to open the control panel
    • From the "Tools" menu, select "Folder options"
    • Click on the "View" tab
    • Under "Hidden files and folders", ensure "Show hidden files and folders" is selected
    • Ensure "Hide file extensions for known file types" is unchecked
    • Ensure "Hide protected operating system files" is unchecked. Note: Windows 2000 will display a dialog asking for confirmation. Be sure to read and understand the information contained in the dialog and then click on "Yes".
    • Click "OK" to complete the changes

  • Remove all occurrences of the value "NeverShowExt" from the registry
    • Open the Windows Start menu
    • Select "Run" and enter "regedit" to open the registry editor
    • From the "Edit" menu, select "Find"
    • Uncheck the "Keys" and "Data" entries under "Look at", and ensure the "Values" entry is checked
    • Enter "NeverShowExt" in the "Find What" box and click "Find Next"
    • When a value is found, right-click on the value name and select "Delete"
    • Press F3 to find the next occurrence of "NeverShowExt"
    • Repeat the previous two steps until all occurrences of "NeverShowExt" have been deleted from the registry
    • The computer will need to be rebooted for changes to take effect
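The Find/Delete loop above works on one value at a time. An administrator who has to audit many machines can instead export HKEY_CLASSES_ROOT from regedit ("Registry" or "File" menu, "Export") and inspect the export offline. The following is an added example, not CERT/CC code: a Python script that lists every key in a .reg export carrying a NeverShowExt value and builds a second .reg file that deletes those values when imported (the `"Name"=-` form in .reg syntax removes a value). The sample export is constructed for this example and its key names are illustrative; a real export from regedit is UTF-16 text with a byte-order mark and must be decoded before it is passed in. Windows 9x and NT 4.0 exports use the header REGEDIT4 rather than the Windows 2000 header used here.

```python
import re

# Constructed sample of a regedit export. Key names are illustrative only.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
"""

KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
# Value names in .reg files are quoted; match regardless of case.
VALUE_LINE = re.compile(r'^"NeverShowExt"\s*=', re.IGNORECASE)


def find_never_show_ext(reg_text):
    """Return the keys in a .reg export that carry a NeverShowExt value, in file order."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key and VALUE_LINE.match(line):
            hits.append(current_key)
    return hits


def build_removal_reg(keys, header="Windows Registry Editor Version 5.00"):
    """Build a .reg file that deletes NeverShowExt from each listed key.

    A value line of the form "Name"=- removes that value on import, which
    gives the same result as the Delete step in the note, done in one import.
    Pass header="REGEDIT4" for Windows 9x and NT 4.0.
    """
    lines = [header, ""]
    for key in keys:
        lines += [f"[{key}]", '"NeverShowExt"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # With a real export: open(path, encoding="utf-16").read() in place of SAMPLE_REG.
    found = find_never_show_ext(SAMPLE_REG)
    print("Keys hiding their extension:")
    for key in found:
        print("  " + key)
    print("\nImport this with regedit to remove them (reboot afterwards):\n")
    print(build_removal_reg(found))
```

Review the generated file before importing it: removing NeverShowExt makes shortcuts show their .lnk extension and Shell Scrap Objects their .shs extension, which is the intended outcome, but the list should contain only keys you expect to change.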

Authors: Brian King, Kevin Houle


This document is available from: http://www.cert.org/incident_notes/IN-2000-07.html

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.