The Importance of File Extensions
Commentary by Thomas R. Pasawicz (aka DiamondBack)
August 16, 2001
Often in the writings on my website I comment that a virus can't be spread from "opening an e-mail." While technically this should be true, "innovations" in e-mail client software have blurred the distinction between what's an e-mail (a simple text file) and documents containing executable program code. The key to understanding the difference, and recognizing a potentially harmful file, is to be able to distinguish between "programs" and "data."
Programs are lists of instructions that direct a computer to perform specified tasks. Games, browsers, e-mail clients, etc. are all programs that allow you to perform useful tasks with your computer. Data is information that is used by programs; for example, the words on this webpage are data, and the browser you are using to display them is a program. The information contained in a JPG photo file is data; the viewer you use to display the photo is a program. Generally speaking, data is harmless since it can't "do anything" by itself. In contrast, programs can be very harmful if they contain instructions that direct your computer to do something you normally wouldn't want it to do, such as delete all the files on your hard drive. Since sharing files is a common practice among Internet users, being able to tell the difference between a harmless data file and a potentially harmful program file is critical to maintaining the "health" of your computer and its operating system.
Since "Windows" is the most common operating system in use today, this article will use examples based on that system. While these examples are applicable to most operating systems (MacOS, Linux, etc.), the specifics are intended for Windows users.
Windows uses a "file extension" to determine what to do with a particular file type. Usually the file extension consists of two, three or four characters following a period. For example, in the file "mystory.txt", "mystory" is the name of the file and ".txt" is the file extension, which tells Windows that the file (should) contain data in the form of ASCII text. The file type indicated by the extension can then be "associated" with a program that knows how to handle the data contained within it. In this case, a text file (.txt) may be associated with a text editing/display program such as NotePad, Write or MS Word. If "mystory.txt" is clicked on, the program associated with ".txt" files will be launched and the data in the file displayed. Another example might be "myphoto.jpg". In this case, ".jpg" is a common extension for a JPEG (Joint Photographic Experts Group) type file, which contains data that represents a photograph or similar image. Clicking on "myphoto.jpg" should launch an associated program for viewing this type of data; on my system that would be CompuPic, on others it may be Internet Explorer or MS Paint. Any program capable of reading the data in a particular file may be associated with that file type via the file's extension.
As previously mentioned, some files are not strictly data but contain instructions which the computer is expected to execute. In the above example, if "mystory.txt" is associated with NotePad, then the file "notepad.exe" will be launched to display the contents of "mystory.txt". Windows knows that ".exe" denotes an executable program file and will follow the instructions contained in such files. While ".exe" is the most common executable file extension, it is far from the only one. Some of the most common executable file types are:
.exe - Executable files, typically an application program.
.com - MS-DOS "command" file
.bat - Batch file
.vb or .vbs - Visual BASIC file
.scr - Screen Saver
Some files don't directly execute, but can make changes to your system registry which controls how your computer behaves. Two common ones are:
.inf - Setup Information
.reg - Registration entries
You should also watch out for files that may link (aka "shortcut") to an executable file, such as .lnk or .pif. While the shortcut/link isn't executable, it may point to a file which is.
Whoa! Who can remember all those? (Not me, that's for sure.) And even this isn't a complete list (by far); new file types can be introduced with each new program you install on your system. A better approach to take regarding file extensions is: if you don't recognize what kind of file it is, then don't mess around with it. If instead you decide "let's just click on it and see what happens," you are asking for trouble... big trouble!
Likewise, it would be nearly impossible to list all the "safe" file types, though under normal circumstances the following very common file types are of the "data" variety and shouldn't pose a threat:
.txt - ASCII text file
.jpg or .jpeg - photo format
.gif or .png or .bmp - image formats
.mpg or .avi or .qt - movie formats
.wav or .mp3 - sound formats
Another common format used for exchanging text documents is ".doc", usually associated with MS Word. A document should be just that, a file containing information, i.e. data. But Microsoft decided that it would be a great idea if documents could also contain small program scripts called "macros." This was done to make the documents more "powerful," and they succeeded... powerful "macro viruses" may be embedded in MS Word documents, which can infect other MS Word documents and destroy the (often important) data contained in them. And since these "macro viruses" can automatically attach themselves to other MS Word docs, they can easily be spread to other MS Word users when exchanging .doc files. Thank you, Microsoft, for taking a harmless formatted text document and giving it the ability to wipe out entire directories of important MS Word files while spreading to other systems... the malicious programmers who create these "macro viruses" couldn't have done it without you. My advice is don't use MS Word... you can still view .doc files using MS Write or the MS Word Viewer, neither of which will execute any macros (AFAIK). Or you could disable the macro function in MS Word (and Excel while you're at it). Personally, I don't see any legitimate use for them 99.9% of the time anyway.
One of the most infamous macro viruses was W97.Melissa.A... better known simply as the Melissa Virus. This nasty little bugger would hide in MS Word docs and, upon the document's opening, would mail up to 50 copies of itself using Microsoft Outlook. The subject of the e-mail would be "Important Message From USERNAME", where USERNAME is taken from the MS Word setting. This clever little script even kept track of who it had e-mailed itself to from each infected system, so as not to send multiple e-mails to the same people and arouse suspicion. It would also infect other MS Word docs using the "normal" method of infection, so it could be spread even if Outlook couldn't be found. Its "payload"... i.e. the code meant to "detonate" (execute) after it had time to spread, would append the following text to infected Word docs: "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." Fairly harmless compared to what it could have done.
One example of a VBS e-mail virus (technically a "worm") is the VBS.KAKWORM. Kakworm exploited some vulnerabilities in MS Internet Explorer and MS Outlook Express (where have I heard that before?). Kakworm hid its VBScript in the e-mail message's HTML signature and dropped a KAK.HTA file into the Windows start-up folder. After that, each time an MS Outlook user sent an e-mail, Kakworm would attach itself to the HTML signature, quickly spreading among the "Typhoid Marys" of the Internet... MS Outlook users. I received it a number of times; fortunately I use Eudora, which merely displayed the VBS code rather than executing it (I don't want my e-mail client executing ANYTHING without my express permission).
Another infamous example is the "Love Letter Worm"... a VBScript that could spread itself not only through e-mail (or more accurately, through MS Outlook), but also Internet Relay Chat (using mIRC), USENET News or shared files. Being so versatile, this worm spread far and wide, shutting down e-mail servers and clogging corporate networks. When spread via e-mail, it would send copies of itself through Outlook with the subject "ILOVEYOU" and the body message "kindly check the attached LOVELETTER coming from me." The "loveletter" was a VBScript by the name of "LOVE-LETTER-FOR-YOU.TXT.VBS"... anyone careless enough to open the attached love letter would run the script, infecting their computer and possibly helping it spread. It would seek out and replace existing vbs and vbe files with a copy of itself. Files with js, jse, css, wsh, sct, or hta extensions would have their code replaced and the extension changed to .vbs (e.g. "website.css" would be replaced with a copy of the worm code in a file called "website.vbs"). Any jpg, jpeg, mp2 or mp3 files would be replaced by the worm and have ".vbs" appended to their file name. If nothing else, many important existing files could be trashed... replaced by this missile of love.
It's impossible to determine how much damage (not to mention embarrassment) Melissa, Kakworm and Love Letter have caused. They have probably infected thousands, if not millions, of computers and may return again in various forms as new flaws in MS products are uncovered. In fairness, I can't place all the blame on Microsoft; other products such as Netscape and Eudora are starting to follow in Microsoft's footsteps, making increased use of scripting and other "enhancements" to attract users accustomed to Microsoft's bloatware. I strongly suggest that you turn off or disable these "features" whenever you can; they just aren't worth the risks they carry. E-mail and Newsgroups are wonderful tools for exchanging information... simple text and maybe an occasional graphic, but there is no need to expose your computer, network or the entire Internet to executable code that can wreak havoc.
Getting back to file extensions, it doesn't do you any good to know what to look for if you can't see it. In arguably one of Microsoft's most boneheaded decisions, they ship Windows configured to "hide" certain files and "known" file extensions. The idea was to make viewing file directories less cluttered and confusing... it was a stupid idea. A "known" file is any file that has been associated with an application, which would be most of the common files on your system, such as .txt or .jpg. It also hides .exe and .com extensions, making a .txt file indistinguishable from an executable file aside from the icon displayed (and icons can be faked). It can also be very misleading: a file with the name "myphoto.jpg.exe" (an executable program) would appear as "myphoto.jpg" with the real extension (.exe) hidden. What in the world were they thinking when they gave the approval for this "feature?" Aside from not showing much respect for their users' intelligence (and desire to be able to see what kind of files they have on their system), they gave malicious program writers a huge edge when trying to sneak their evil wares onto an unsuspecting user's computer.
But enough Microsoft bashing (for now), here's how to disable the file and extension hiding: Run MS Desktop Explorer or the Control Panel from the Start/Settings button. Click on the "View" dropdown menu and select "Folder Options...". In the window that opens, click on the "View" tab and you should see a box with a "tree view" of options that can be checked or unchecked. Both of the settings you want are in the "Files and Folders" branch. Under "Hidden files" click on "Show all files", then make sure to uncheck the box next to "Hide file extensions for known file types". To complete the process, click the Apply button. There, you just improved the security of your system by about 150%, provided you familiarize yourself with the file extensions we've been talking about (now that you can actually see them).
Which brings us to W32.Sircam.Worm@mm... or SirCam for short. In the past few weeks I've received 202 e-mails sent from SirCam infected computers, more than any other virus/worm/trojan to date. SirCam is very clever and rather mean, a combination that is going to hurt a lot of people. SirCam arrives as a very personal-looking e-mail with a file attachment. There are several different body messages and it is even bilingual... either English or Spanish depending on the language it detects on the host system. In English, the message will begin with "Hi! How are you?" followed by one of the following:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
The last line is "See you later. Thanks". Without further thought, many people then open the attached file, and SirCam goes to work on their system. First it creates copies of itself in two locations, then it makes a copy of the file it was masquerading as to be opened normally. IOW, if SirCam arrived as an MS Word file, then MS Word would open and display a file. SirCam can also pretend to be an Excel (.xls) or Zip file... either of which will appear to open normally. At this point the victim might wonder why this file was sent to them, perhaps replying with the requested "advice" or just closing and ignoring it. SirCam, however, is now getting the victim's name and e-mail address from the system registry, and making a list of the files in the "My Documents" directory. One of these files will be selected and SirCam will attach itself to a copy of the file. Next SirCam searches for any .wab (Windows Address Book) files, such as those used by Outlook to store e-mail addresses (it will also check a few other locations likely to have e-mail addresses; it's a very hardworking worm). Armed with all the e-mail addresses it could find and a newly infected file to send, SirCam uses its own SMTP engine (i.e. built-in e-mail sending program) to send out messages with attachments to a new group of potential victims, with the subject of the message being the name of the file it found.
What makes SirCam clever is the way it searches the My Documents directory for a file to infect and send. Since most Microsoft programs use this as the default directory to save user created files, the odds are very good it will find a file (Word doc, Excel spreadsheet or Zipped file) created by the user of the system. Where other e-mail worms have used the same subject title, SirCam uses the name of the file it found, hence warnings not to "open an e-mail called..." are useless. Same for warnings not to open an attachment with a certain name; SirCam could pick any file name it finds on the host system. The only change it makes (other than attaching itself) to the file being sent is to the extension... it will append one of the following: .bat, .com, .lnk or .pif. Since by default Windows "hides" these "known" file extensions, the file name displayed may look like a .doc, .xls or .zip. So between the innocent looking extension and the "personal" name of the file, it may really look like a file someone sent for an opinion... and since it displays normally the victim might not have any reason to suspect it wasn't intentionally sent.
Of course the "sender" may never have wanted (or expected) the file to be sent to everyone in their address book, and it could be very embarrassing if the file contained "private" information (look in your "My Documents" directory and see if there is anything in there you wouldn't want to have shared with everyone in your address book *smile*). If that was all SirCam did then I'd say it was a very clever and potentially embarrassing little fellow, but SirCam isn't finished trying to ruin your day. It is "network aware," meaning if you are connected to a LAN (local area network, common in many workplaces) it will begin to spread itself to every other computer on the local net. If that happens on an office network, it's quite likely your employer will frown on this, but you may find other folks in the unemployment line to commiserate with.
SirCam packs a nasty payload which may be detonated in a number of ways. It has a 1 in 20 chance of deleting all files and directories on the C drive. This only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. It always occurs if the attached file contains "FS2" not followed by "sc" (don't ask me why, it just does). There is a 1 in 50 chance it will fill all remaining space on the C drive by adding text to the file c:\recycled\sircam.sys. SirCam also changes settings in the Windows Registry file so it will be executed every time any exe file is run... its payload will detonate after 8,000 executions. Regardless of what triggers the payload, there is a very good chance that SirCam will have had plenty of time to spread before doing anything that may tip-off a victim. SirCam is yet another example of why you want to be able to see (and pay attention to) file extensions... seeing a file attachment called "my_favorite_jokes.doc.com" may just tip you off that something isn't quite right ("Why is my friend sending a Word file with a .com extension? Maybe I'd better ask before I run it.").
Sometimes having the file extensions unhidden isn't enough... Windows 9x and up allows for "long file names"... sometimes so long that the entire file name can't be displayed in Explorer or other application programs. For example, here's a screen capture of a file being received through the popular ICQ program:
Looks like a normal file called "picture.jpg"... doesn't it? But the real name of the file was:
All the spaces after the ".jpg" pushed the real extension, ".exe", so far to the right that it wasn't displayed in the file name box, and there was no indication that the file name extended beyond the limited space provided. This trick has been used many times to slip an executable file into an unsuspecting ICQ user's computer and get them to run it (after the transfer, ICQ gives the option to immediately launch the received file). More often than not, the exe is a "backdoor" program which gives the sender the ability to control the victim's computer... stealing or altering files at will. This has also been the source of widespread speculation that a "jpg" file can contain an executable program... it can't, but an exe can easily be mistaken for a jpg using a method like this. Note that if an exe file has its extension changed to jpg, Windows will usually attempt to display the file in the associated file viewer which will either crash, display a garbled graphic or binary code... but it will not attempt to execute the program code because it is treating it as a jpg, not an executable. Try it yourself... make a copy of a (harmless) exe file, rename it as a jpg and then attempt to view it. If for some reason the renamed exe is actually executed, you need to find a new picture viewer, because the one you have is severely flawed.
It's not just programs like ICQ, Windows can also make it difficult to detect a long file name hiding an extension. Take a look at this screen capture from MS Desktop Explorer:
Notice anything different about myphoto1 and myphoto2? One is a photo of my smiling face, the other is an exe file which upon running will immediately reformat the hard drive (please, no comments on which is the worse fate *g*). The only clue Explorer gives is the "..." under "myphoto1.jpg" which indicates that the file name continues. In this case, if you looked at the entire file name it would reveal the ".exe" at the end of the name. It's easy to miss those ellipses if you're not paying attention, and the price of clicking on that first file is high.
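The tricks described above (hidden "known" extensions, "myphoto.jpg.exe", SirCam's appended .bat/.com/.lnk/.pif, the whitespace-padded ICQ name and Explorer's truncated display) all come down to one check: look at what follows the last dot, not at what is displayed. The following is an added example, not code from the original article: a Python classifier that applies the article's own extension lists to attachment names; the function names and the sample file names are constructed for illustration.

```python
# Extension groups as the article lists them (added example; see the lead-in).
EXECUTABLE_EXTS = {"exe", "com", "bat", "vb", "vbs", "scr"}
SYSTEM_CHANGE_EXTS = {"inf", "reg"}      # alter the registry without running
SHORTCUT_EXTS = {"lnk", "pif"}           # may point at an executable
MACRO_DOC_EXTS = {"doc", "xls"}          # Office documents that may carry macros
DATA_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "bmp",
             "mpg", "avi", "qt", "wav", "mp3"}
RISKY_EXTS = EXECUTABLE_EXTS | SYSTEM_CHANGE_EXTS | SHORTCUT_EXTS
# What a risky file is dressed up to look like (SirCam also imitates .zip).
LOOKALIKE_EXTS = DATA_EXTS | MACRO_DOC_EXTS | {"zip"}
# Assumption: every extension above is a "known" (associated) type to Explorer.
KNOWN_EXTS = RISKY_EXTS | LOOKALIKE_EXTS

KIND_BY_GROUP = [(EXECUTABLE_EXTS, "executable"), (SYSTEM_CHANGE_EXTS, "registry-change"),
                 (SHORTCUT_EXTS, "shortcut"), (MACRO_DOC_EXTS, "macro-capable document"),
                 (DATA_EXTS, "data")]
# The article's rule: risky or unrecognized types are left alone.
DEFAULT_ADVICE = "do not open; ask the sender what it is"
ADVICE = {"macro-capable document": "open only with macros disabled, or in a viewer",
          "data": "data file; normally safe to view"}


def real_extension(name):
    """The extension Windows acts on: text after the LAST dot, trailing
    whitespace removed, lower-cased; '' when the name has no dot."""
    trimmed = name.rstrip()
    return trimmed.rsplit(".", 1)[1].strip().lower() if "." in trimmed else ""


def explorer_display(name):
    """The name as Explorer shows it with "Hide file extensions for known file
    types" on (the default the article objects to): a known final extension is
    dropped, so "myphoto.jpg.exe" shows as "myphoto.jpg"."""
    ext = real_extension(name)
    return name.rstrip()[: -(len(ext) + 1)] if ext in KNOWN_EXTS else name


def classify(name):
    """Describe what a name really is and which deceptions it uses, independent
    of what Explorer or a chat client's file box happens to display."""
    trimmed = name.rstrip()
    ext = real_extension(name)
    parts = trimmed.split(".")
    stem = ".".join(parts[:-1]) if len(parts) > 1 else trimmed
    inner = [p.strip().lower() for p in parts[1:-1]]   # extensions before the last
    kind = next((k for group, k in KIND_BY_GROUP if ext in group), "unknown")
    risky = ext in RISKY_EXTS
    displayed = explorer_display(name)
    return {
        "real_extension": ext,
        "kind": kind,
        "risky": risky,
        # "myphoto.jpg.exe", "LOVE-LETTER-FOR-YOU.TXT.VBS", SirCam's "budget.xls.pif"
        "double_extension": risky and any(p in LOOKALIKE_EXTS for p in inner),
        # ICQ trick: a run of spaces between the visible "extension" and the real one
        "whitespace_padded": stem != stem.rstrip(),
        "explorer_shows": displayed,
        # with extensions hidden, what remains ends in a harmless-looking extension
        "looks_harmless": risky and real_extension(displayed) in LOOKALIKE_EXTS,
        "advice": ADVICE.get(kind, DEFAULT_ADVICE),
    }


# Constructed sample names modelled on the article's examples.
SAMPLE_NAMES = ["mystory.txt", "myphoto.jpg.exe", "picture.jpg" + " " * 40 + ".exe",
                "my_favorite_jokes.doc.com", "LOVE-LETTER-FOR-YOU.TXT.VBS", "quarterly.doc"]

if __name__ == "__main__":
    for r in (classify(n) for n in SAMPLE_NAMES):
        print(f"{r['explorer_shows']!r:<42} really {r['real_extension'] or '(no ext)':6} {r['advice']}")
```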
I Don't Know And I Don't Care
There are two "excuses" I often hear from people who have allowed their computers to spread a worm or virus. The first is that they are "new to computers" and didn't know better, the other is that there is "nothing important" on their computer so they aren't concerned about malicious programs. Let's take these one at a time.
Being "new to computers" (or "the Net") is the reason why you should take some time to educate yourself about the risks associated with being connected to a worldwide network. Imagine you were driving down the road and someone came along and slammed into you, destroying your vehicle and possibly injuring you and your passengers. When they are questioned about what happened, they innocently reply that they are "new to driving" and didn't know how to use the brakes. Might you think that they should have damn well learned how to apply the brakes before heading out on the highway where they could pose a threat to other drivers? The point is, if you are going to be connected to the "Information Superhighway" (i.e. the Internet), then you have a responsibility to learn how to remain in control of your hardware and software. I can understand that when you first get connected there is a whole new, and often strange, world for you to explore... full of confusing acronyms and seemingly incomprehensible terminology. Of course you can't learn it all in one night, and "accidents" will happen. But you can't claim the "newbie defense" forever, so please make a point of learning as much as you can and keeping your system secure. There are many, many websites devoted to security, tailored to all levels of experience and understanding. If one is too complicated for you, move on to the next. And ask questions; everyone you meet on the net was once a newbie... some have learned valuable lessons that they will gladly pass along to you... if you'll take the time to listen.
The other excuse, that there is nothing "important" on someone's computer, is pretty lame when you consider how many malicious programs use one compromised computer to spread themselves to others. Maybe you don't care about the files on your computer, but I certainly care about the files on mine and won't be very sympathetic if both our hard drives get trashed. Another way to look at it: maybe you don't care if you burn down your own house, but if the whole block catches on fire your neighbors are going to come looking for you. If you really don't care about the files on your computer, fine... just pull the plug on your Internet connection so you don't affect anyone else. Otherwise, what you do (or allow to happen) to your computer can affect everyone else, starting with your friends and contacts.
Here's another thought to toss out for consideration. We've all seen those sleazy lawyers who are always looking for a reason to sue someone for negligence... you know, the ones on the late night commercials that ask "Have you or someone you know been injured in a slip and fall accident?" They are correct when they say "negligence is no excuse, you may be entitled to cash damage awards." Just because someone forgot to put out the "Caution slippery when wet" sign and someone else fell down, the "defendant" is often going to pay dearly for their carelessness. Now eventually one of these sleazy lawyers is going to realize that there is a gold mine to be found on the Internet... not from porn sites and mass merchandising, but from suing people and companies who were careless with their computers and caused damage to someone else. I can hear it now... "have you or someone you know lost important data due to a virus sent from someone else's computer? If so, contact the law offices of..." Really, it could happen, and the settlements could be huge if the virus/worm was traced back to a large company with deep pockets... or even to YOU. All the lawyer has to prove is that the "accident" was preventable (they usually are) and that the reason the plaintiff ran the attached file was because they trusted the sender. Never mind that both parties were guilty of the same thing; that's not relevant (maybe the defendant can try to sue the person/company that sent the virus to them). And if I know lawyers, they'll probably try to trace the path the virus/worm took and sue everyone who passed it along. The bottom line is, someone, somewhere, is going to be dragged into court over negligent operation of a computer that resulted in damage to other systems... I'm surprised it hasn't happened already.
*** Blank space left for update with story of sleazy sue-happy cyberlawyer(s). ***
I hope this article has been helpful and given you a better appreciation for the importance of recognizing file extensions. I know it's not a very exciting subject, but neither is reformatting your hard drive and reinstalling all your software. Good luck... and be sure to practice safe hex.