
Invisible file extensions on Windows
by Floydman


Bachelor in Computer Sciences
[email protected]
May 7th, 2001
Revised and updated August 21 2001

You can distribute this document freely, as long as no changes are made to the file, or as long as someone else does not pretend credit for it. All comments and suggestions about the material presented here should be directed at [email protected]. If future versions of this document include add-ons coming from other people than me, then proper credit to the various authors will be clearly identified. All version updates of this document are to be released by me.

You can find it online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present the research I did on invisible file extensions on the Windows operating systems. After I published my initial research material in various places on the internet, many people pointed me to bits of information that were already known on this topic, but that I didn't know about. However, the experimentation I did approached this problem from a different angle than other people's previous work, and somehow complements it. In this paper, I will put together all I found on this topic so far. The ultimate goal is to find a) invisible file extensions, and b) whether these invisible file extensions are able to run code, and thus be used to propagate a virus.

Preface

A little while ago, I was having a conversation with some of my colleagues about computer viruses. The "Life Stages" virus was mentioned during the conversation. This virus disguises itself via a file with extension .SHS, while pretending to be a .TXT file. This was possible because the .SHS extension is hidden by Windows, even if it is configured to display all files and all extensions (even for known file types), and the file actually passes for an (almost) real .TXT file. Following this conversation, I thought to myself "I wonder if there are any other file extensions with this attribute that could potentially be used in a virus design?". This is what I found so far.

Targeted audience

This document is presented to anyone who has an interest in computer security, viruses, operating systems and computing in general.

Table of contents

1. Introduction
2. The .SHS file type
3. The NeverShowExt registry key
4. CLSID
5. The ability to execute code
6. Conclusion
Appendix A. The Perl script
Appendix B. The file extensions list
