siliconman01
Global Moderator
 Trojans! Chew 'em Up, Spit 'em Out...
Posts: 5466
Is a Double Extension Dangerous ?
« on: Jan 26th, 2006, 5:41am » |
When running TrojanHunter Scanner, files may be reported/alerted as having a double extension. Should the user be concerned about this alert? The short answer is "yes". The long answer is a bit more complicated.

Techweb defines a double extension as: "A way to trick users into opening a virus. Many people have learned that text files (.TXT) and image files (.GIF, .JPG, etc.) are safe to launch because they are data and not executable software. They have learned to be leery of .EXE, .VBS and other extensions that are executed immediately. Thus, virus writers try to trick more people using double extensions, so "I LOVE YOU.TXT.vbs" is really not a .TXT file, but a .vbs file, a Visual Basic Script that is executed immediately."

The confusing element in responding to TrojanHunter's alert centers around the user's understanding of what an extension is. Extension in computer jargon basically equates to file type. The allowed extensions (file types) on the user's computer can be displayed by opening Folder Options in the Control Panel. Select the File Types tab. This tab displays all the allowed/registered file types or extensions allocated for the user's Windows operating system. Examples: .txt, .doc, .vbs, .jpg, etc.

Unfortunately, programmers (including the Microsoft group) complicate this threat potential by naming a file or program such that it causes TrojanHunter and other security programs to detect it as having a double extension. When TrojanHunter finds a file that has two or more periods in the name string, it flags the file as having a double extension. For example, a file that is named "IBeNiceV1.2.jpg" or "Really.MeToo.doc" will be flagged as having a double extension. In these examples, ".2" & ".jpg", and ".MeToo" & ".doc" are a possible extension pair or double extension. TrojanHunter does not determine if an extension is a valid file type on the user's system. It merely reports that it found a file(s) with two or more periods grouped such that it looks like a double extension.

How does the user determine whether the TrojanHunter alert is flagging a potentially malicious file?

1. Examine the name of the file and the alphanumeric found after each of the right-most periods in the name. If they are not both valid file types as shown in the Folder Options-File Types tab, then the file creator (programmer) has named the file with a period as part of the file name. (Example: ThisFile.Revised.txt; Revised is part of the name, not an extension or allowed file type.)

2. Google the entire file name with the extension included to see if the file is discussed on various web pages and is a non-malicious file. For example, the file System.XML.dll is a Microsoft-issued file for Windows XP. The file looks possibly malicious because .XML and .dll are both valid extensions or file types. A Google search shows that this specific file is a valid non-malicious file referred to in several web pages and on the primary Microsoft site.

3. Over time, become familiar with the names of the files that are always alerted as double extension files when using TrojanHunter Scanner. If a new file subsequently is found/alerted, investigate the new file as per 1 and 2.

NOTE:

A. If a file is being "alerted" by TrojanHunter and it cannot be located on the user's system, it is probable that the user's system is configured to Windows default settings. Windows is not allowing the user to display hidden files and folders and/or known file type extensions and/or protected system files. These default settings can be changed through the Control Panel utility Folder Options-View tab.

B. It is often reported as "annoying" to see the same double extension alerts each time TrojanHunter Scanner is used. There is an option in TrojanHunter under the Options icon that permits the user to turn off logging for double extensions. TrojanHunter continues to scan the affected files, testing them for malicious elements.

C. TechWeb reference: http://www.techweb.com/encyclopedia/defineterm.jhtml?term=doubleextension

Applies to all versions of TrojanHunter.
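The triage the post describes (flag any name with two or more periods, then ask whether the two right-most tokens are both registered file types and whether the real, outermost one is something Windows will execute) can be written down as a small script. The following is an added example, not code from the post or from TrojanHunter. The `REGISTERED` and `EXECUTABLE` sets and all sample file names are constructed for illustration; on a real Windows machine the registered types would come from the File Types tab (the `HKEY_CLASSES_ROOT` keys that begin with a period), which the optional `registered_from_windows` helper reads via `winreg`.

```python
"""Triage helper for "double extension" alerts.

Added example, not part of the original post or of TrojanHunter. It
reproduces the heuristic described above (two or more periods in a file
name) and the manual check the post recommends: are the two right-most
dot-separated tokens both registered file types, and is the outermost one
a type that Windows executes?
"""

# Constructed stand-in for the system's registered file types (assumption;
# on Windows, use registered_from_windows() instead).
REGISTERED = {"txt", "doc", "vbs", "jpg", "gif", "xml", "dll", "exe", "scr", "pif"}

# Extensions that Windows runs as code when double-clicked. Illustrative
# list for this example, not an exhaustive one (assumption).
EXECUTABLE = {"vbs", "exe", "scr", "pif", "bat", "cmd", "js", "com"}


def has_double_extension(name: str) -> bool:
    """The scanner rule as described in the post: two or more periods."""
    return name.count(".") >= 2


def candidate_pair(name: str):
    """Return the two right-most dot-separated tokens, lower-cased.
    Caller must ensure the name contains at least two periods."""
    parts = name.split(".")
    return parts[-2].lower(), parts[-1].lower()


def displayed_name(name: str, hide_known_extensions: bool = True) -> str:
    """What Explorer shows with the default "Hide extensions for known file
    types" setting: the final registered extension is dropped, so
    'I LOVE YOU.TXT.vbs' is displayed as 'I LOVE YOU.TXT'."""
    if not hide_known_extensions:
        return name
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in REGISTERED:
        return stem
    return name


def triage(name: str, registered=REGISTERED) -> str:
    """Classify a file name the way the post's steps 1 and 2 do."""
    if not has_double_extension(name):
        return "no alert"
    inner, outer = candidate_pair(name)
    if inner not in registered or outer not in registered:
        # Step 1: at least one token is not a file type, so the period is
        # simply part of the name (e.g. ThisFile.Revised.txt).
        return "period in name"
    if outer in EXECUTABLE:
        # Both tokens are real types and the outer one runs as code:
        # the classic I LOVE YOU.TXT.vbs pattern.
        return "investigate: executable"
    # Both tokens are real types but the outer one is data or a library
    # (e.g. System.XML.dll): step 2, look the full name up before trusting it.
    return "investigate: both registered"


def triage_listing(names, registered=REGISTERED) -> dict:
    """Run triage over a directory listing; returns {name: verdict}."""
    return {n: triage(n, registered) for n in names}


def registered_from_windows():
    """Read the registered extensions from HKEY_CLASSES_ROOT (Windows only).
    Falls back to the constructed REGISTERED set elsewhere."""
    try:
        import winreg
    except ImportError:
        return set(REGISTERED)
    found = set()
    key = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "")
    count = winreg.QueryInfoKey(key)[0]
    for i in range(count):
        sub = winreg.EnumKey(key, i)
        if sub.startswith("."):
            found.add(sub[1:].lower())
    return found


if __name__ == "__main__":
    # Constructed sample listing: the post's own examples plus a control.
    sample = ["I LOVE YOU.TXT.vbs", "System.XML.dll", "IBeNiceV1.2.jpg",
              "Really.MeToo.doc", "ThisFile.Revised.txt", "report.doc"]
    for n, verdict in triage_listing(sample).items():
        print(f"{n!r:28} shown as {displayed_name(n)!r:22} -> {verdict}")
```

Note that `displayed_name` shows why the post's step A matters: with extensions hidden, the dangerous and the harmless examples both lose their last token, so the user sees "I LOVE YOU.TXT" and "ThisFile.Revised" and cannot tell from the listing which one is a script.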