The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Exploitation of Hidden File Extensions</h2>

Updated: Thursday, July 27, 2000<br/>
Date: Monday, June 19, 2000<p>
<h3>Overview</h3>
<p>
There have been a number of recent malicious programs exploiting the
default behavior of Windows operating systems to hide file extensions
from the user. This behavior can be used to trick users into executing
malicious code by making a file appear to be something it is not.
<p>
<h3>Description</h3>
<p>
Multiple email-borne viruses are known to exploit the fact that
Microsoft Windows operating systems hide certain file extensions. The
first major attack incorporating an element of file extension
obfuscation was the
<a href="http://www.cert.org/advisories/CA-2000-04.html">
VBS/LoveLetter worm</a> which contained an email attachment named
"LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since
incorporated similar naming schemes.
<ul>
<li>Downloader (MySis.avi.exe or QuickFlick.mpg.exe)</li>
<li>VBS/Timofonica (TIMOFONICA.TXT.vbs)</li>
<li>VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)</li>
</ul>
The files attached to the email messages sent by these viruses may
appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other
file types when in fact the file is a malicious script or
executable. For further information about these specific viruses,
please visit the sites listed on our <a href="http://www.cert.org/other_sources/viruses.html">Computer Virus
Resource</a> page.
<p>
Windows operating systems contain an option to "Hide file extensions
for known file types". The option is enabled by default, but a user
may choose to disable this option in order to have file extensions
displayed by Windows. Even after this option is disabled, some file
extensions remain hidden from the user by default.
<p>
There is a registry value which, if set, will cause Windows to hide
certain file extensions regardless of user configuration choices
elsewhere in the operating system. The "NeverShowExt" registry value
is used to hide the extensions for basic Windows file types. For
example, the ".LNK" extension associated with Windows shortcuts
remains hidden even after a user has turned off the option to hide
extensions.
<p>
We have seen attacks which leverage file extensions that are, by
default, hidden using the "NeverShowExt" registry value. One such
extension, ".SHS", is associated with Shell Scrap Object files. SHS
files are typically associated with OLE objects and can include
executable contents. Reports indicate that SHS files are being used to
distribute malicious code in email attachments. One recent example is
a malicious VBScript program wrapped in a Shell Scrap Object file that
is sent as an email file attachment named "LIFE_STAGES.TXT.SHS".
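<p>The following check is an added example, not code from the original incident note: it computes the name a user would see under each setting and flags attachments whose visible name suggests a different type than the real one. The extension sets and the function names <code>displayed_name</code> and <code>assess</code> are assumptions chosen for illustration; a real deployment would derive the sets from the host's registry.</p>

```python
import ntpath

# Illustrative sets (assumptions): extensions hidden only while
# "Hide file extensions for known file types" is enabled, and extensions
# kept hidden by a NeverShowExt registry value regardless of that option.
KNOWN_TYPES = {".txt", ".mpg", ".avi", ".vbs", ".exe", ".shs", ".lnk"}
NEVER_SHOWN = {".shs", ".lnk"}
# Types that can run code when opened, per the attachments named in the note.
ACTIVE = {".vbs", ".exe", ".shs", ".lnk"}


def displayed_name(filename, hide_known_types=True):
    """Return the name as the shell would list it under the given setting."""
    stem, ext = ntpath.splitext(filename)
    hidden = NEVER_SHOWN | (KNOWN_TYPES if hide_known_types else set())
    return stem if ext.lower() in hidden else filename


def assess(filename):
    """List the settings under which the visible name misstates the type."""
    name = filename.strip()
    real_ext = ntpath.splitext(name)[1].lower()
    findings = []
    for setting, hide in (("default", True), ("extensions shown", False)):
        shown = displayed_name(name, hide)
        apparent_ext = ntpath.splitext(shown)[1].lower()
        # Flag only when the real extension is hidden AND the remaining
        # name still ends in something that looks like another extension.
        if real_ext in ACTIVE and shown != name and apparent_ext:
            findings.append((setting, shown, apparent_ext, real_ext))
    return findings


if __name__ == "__main__":
    # File names quoted in the note, plus two constructed benign controls.
    for sample in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "MySis.avi.exe",
                   "LIFE_STAGES.TXT.SHS", "notes.txt", "setup.exe"):
        print(sample, "->", assess(sample) or "no mismatch")
```

<p>The ".SHS" attachment is flagged under both settings, which is why turning off the "Hide file extensions" option alone does not expose it.</p>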
<p>
<h3>Impact</h3>
<p>
Users can be tricked into opening a file that appears to be something
it is not. A file that appears to be innocent based on its viewable
file name may contain malicious executable code.
<p>
<h3>Solutions</h3>
<p>
In an environment where file types are mapped to functionality by the
extension used in the file name, it is important for the user to know
the complete and unobfuscated file name in the course of making
informed decisions impacting security.
<p>
The CERT/CC encourages sites to evaluate the following suggested steps
against their own security and usability policies. To configure
Windows operating systems to display complete file names
for all files to the user:
<p>
<ul>
<li><b>Configure Windows to show all files and extensions</b>
<p>
<b>Windows 9x and Windows NT 4.0:</b>
<ul>
<li>Open the Windows Start menu</li>
<li>Select "Settings -&gt; Control Panel" to open the control panel</li>
<li>From the "View" menu, select "Options..."</li>
<li>Click on the "View" tab</li>
<li>Ensure "Hide files of these types" and "Hide file extensions for known file types" are both unchecked</li>
<li>Ensure "Show all files" is selected</li>
<li>Click "OK" to complete the changes</li>
</ul>
<p>
<b>Windows 2000:</b>
<ul>
<li>Open the Windows Start menu</li>
<li>Select "Settings -&gt; Control Panel" to open the control panel</li>
<li>From the "Tools" menu, select "Folder options"</li>
<li>Click on the "View" tab</li>
<li>Under "Hidden files and folders", ensure "Show hidden files and folders" is selected</li>
<li>Ensure "Hide file extensions for known file types" is unchecked</li>
<li>Ensure "Hide protected operating system files" is
        unchecked. Note, Windows 2000 will display a dialog asking for
        confirmation. Be sure to read and understand the information
        contained in the dialog and then click on "Yes".</li>
<li>Click "OK" to complete the changes</li>
</ul>
<p>
<li><b>Remove all occurrences of the value "NeverShowExt" from the registry</b>
<p>
<ul>
<li>Open the Windows Start menu</li>
<li>Select "Run" and enter "regedit" to open the registry editor</li>
<li>From the "Edit" menu, select "Find"</li>
<li>Uncheck the "Keys" and "Data" entries under "Look at", and ensure
        the "Values" entry is checked</li>
<li>Enter "NeverShowExt" in the "Find What" box and click "Find Next"</li>
<li>When a value is found, right click on the value name and select "Delete"</li>
<li>Press F3 to find the next occurrence of "NeverShowExt".</li>
<li>Repeat the previous two steps until all occurrences of "NeverShowExt" 
        have been deleted from the registry</li>
<li>The computer will need to be rebooted for changes to take effect</li>
</ul>
</p></li></p></p></p></li></ul>
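<p>Before deleting values by hand, it helps to know which extensions are affected. The following audit is an added example, not part of the original note: it reads a text export of the registry and reports each file class that carries "NeverShowExt" together with the extensions mapped to it. It assumes the export covers HKEY_CLASSES_ROOT and that the value sits directly on the class key; the sample export and the function name <code>never_show_ext</code> are constructed for illustration.</p>

```python
import re

# Constructed excerpt in the text format written by regedit's export;
# sample data for illustration, not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''

KEY = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def never_show_ext(export_text):
    """Map each class carrying NeverShowExt to the extensions that use it."""
    ext_to_class, flagged, current = {}, set(), None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("["):
            key = KEY.match(line)
            current = key.group(1).lower() if key else None  # skip subkeys
            continue
        value = VALUE.match(line)
        if current is None or not value:
            continue
        name, data = value.group(1).strip('"').lower(), value.group(2)
        if name == "@" and current.startswith("."):
            ext_to_class[current] = data.strip('"').lower()
        elif name == "nevershowext":
            flagged.add(current)
    return {cls: sorted(e for e, c in ext_to_class.items() if c == cls)
            for cls in sorted(flagged)}
```

<p>Registry names are case-insensitive, so the function lowercases class and value names before comparing them.</p>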
<p>
<b>Authors</b>: Brian King, Kevin Houle<br/>
<p>Copyright 2000 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p>