Never Take Chocolates From Strangers

While working in the IT industry, one comes across many eye-openers. With ecommerce and the internet booming, spams often become the concern of many. Birthday or anniversary wishes, executables, documents, movie files, sound files, messages and virtual cards are among the several attachments that pile up in the personal disks of many apparently assiduous individuals.

Nissan Patrick, systems manager of a leading securities house in Tokyo, had an experience that should open everyone's eyes. Patrick recently came across a file that could cause damage or execute viruses on a user's machine. A friend sent him a harmless executable, a sound file, embedded in an MS Word 97 document. Playing it requires loading Word and double-clicking the embedded object. If that embedded object is selected, copied and pasted onto the desktop, it shows up, not surprisingly, as an MS Word 'scrap' file. The file extension for scrap files is 'shs', and for some reason Windows hides this extension. Double-clicking the file named 'scrap' on the desktop ran the executable without any problem. When the name and extension of the file are changed, the icon stays the same and the new name appears with the 'shs' extension still hidden, so it looks like a harmless image file. Double-clicking it, however, runs the executable as before.

The same process can be repeated with a more sinister executable, renaming the file as a 'txt' file: the 'scrap' icon looks like a text file icon, so an unknowing user is likely to open the 'text' file and really run the executable. When this type of file is attached to an email message the extension becomes visible, but an unsophisticated user will save the attachment and, voila, no more 'shs' extension. It will look fine, but double-clicking it will wreak havoc.

Because Windows normally hides the SHS extension, you have to select the file and open its Properties to see it. Many users have never even heard of it. Thus, even though SHS files can contain directly executable content, users might well click on one, disguised or not, without a second thought. Further, many commercial anti-virus applications do not scan SHS files by default and must be manually configured to include 'scraps' in their scans.

And it is not just SHS files. Trojan-horse infectors can reside in a wide variety of files with lesser-known or seemingly benign extensions. For example, a few months back some malicious souls started circulating the Melissa virus in RTF rather than the more common DOC files. Some companies and users who had religiously updated their virus definitions to include the Melissa signature got infected anyway, because their anti-virus applications did not scan RTF files by default. By the way, two new strains of Melissa were discovered recently, so it is a safe bet that the RTF exploit will turn up again, and soon.

Anti-virus assistance
The major anti-virus software vendor sites carry very little information on SHS and similar vulnerabilities. The Symantec (Norton) site did have some information buried pretty deep, but a search of the Computer Associates, Trend Micro and McAfee anti-virus sites, for example, turned up exactly zero hits on 'SHS'.

The Symantec recommendations are good, once you find them, and they apply to just about any anti-virus application. They suggest that you scan 'all files' even though the software's default may be to scan only common executables. But anyone who has tried it knows that scanning all files can mean half a day's job; in a typical medium-sized environment of 1000 workstations, options like these do not make sense. If scanning all files takes too long, Symantec recommends that you manually adjust your software to include all of these extensions in your scans: 386, ADT, BIN, CBT, CLA, COM, CPL, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MSO, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL. Only a fraction of those extensions are included by default.
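The two points above, that Windows hides the 'shs' extension so a scrap file can pose as a harmless type, and that an anti-virus scan should cover the extensions in Symantec's list, can be turned into a simple attachment screen for a mail gateway. The following is an added example, not code from the column or from any vendor; the list of 'benign-looking' types and the sample attachment names are assumptions constructed for the demonstration.

```python
import os

# Extensions Symantec recommended adding to scans, as listed in the column.
SCAN_EXTENSIONS = {
    "386", "adt", "bin", "cbt", "cla", "com", "cpl", "dll", "doc", "dot",
    "drv", "exe", "htm", "htt", "js", "mdb", "mso", "pot", "ppt", "rtf",
    "scr", "shs", "sys", "vbs", "xl",
}
# Windows hides this extension in the file name (the column's .shs scrap case).
HIDDEN_EXTENSIONS = {"shs"}
# Types a user would treat as harmless (assumption made for this example).
BENIGN_LOOKING = {"txt", "jpg", "gif", "bmp", "wav", "mp3", "avi"}


def split_ext(name):
    """Return (stem, lowercased extension without the dot)."""
    stem, ext = os.path.splitext(name)
    return stem, ext[1:].lower()


def displayed_name(name):
    """Name as Explorer shows it: a hidden extension is stripped off the end."""
    stem, ext = split_ext(name)
    return stem if ext in HIDDEN_EXTENSIONS else name


def classify(name):
    """Contrast what the user sees with what would actually run on a double-click."""
    _, real_ext = split_ext(name)
    shown = displayed_name(name)
    _, shown_ext = split_ext(shown)
    return {
        "name": name, "displayed": shown, "real_ext": real_ext,
        "needs_scan": real_ext in SCAN_EXTENSIONS,
        # A scrap file whose visible name ends in a harmless-looking type.
        "disguised": real_ext in HIDDEN_EXTENSIONS and shown_ext in BENIGN_LOOKING,
    }


def screen_attachments(names):
    """Return the attachments a mail gateway should hold for scanning or block."""
    return [c for c in map(classify, names) if c["needs_scan"] or c["disguised"]]


if __name__ == "__main__":
    sample = ["birthday.wav.shs", "scrap.shs", "readme.txt.shs", "report.rtf",
              "photo.jpg", "invoice.doc", "notes.txt"]  # constructed names
    for c in screen_attachments(sample):
        flag = "DISGUISED" if c["disguised"] else "scan"
        print(f'{flag:9} {c["name"]:18} shown as "{c["displayed"]}"')
```

Run as a script it lists which of the sample attachments would be held, and for each scrap file the name the user would actually see on the desktop.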

Viruses no longer need to be hidden in .exe files. The recent announcement by AOL that the ICQ Trojan password virus, which sits in the registry, comes embedded in a .jpg file was a revelation to many. Many anti-virus software companies are posting weekly updates of definition files to tackle the newcomers that appear every day. All in all, it means more security, more precaution, more proactiveness and more work, adding to the misery of systems and network managers.

More virus
Mid-November saw the emergence of a long-feared new breed of computer virus. The so-called BubbleBoy virus infects internet users when they open, or even simply preview, an infected email. Historically we have always believed that as long as you do not open attachments, you are safe. That is not true any more. BubbleBoy is a 'proof of concept' virus that has no dangerous payload, meaning it does not attempt to delete or alter files. But it does have the ability to create a 'Melissa-like' mail storm as it sends copies of itself to every email address in the victim's address book.

Questions on security 
For over a year, security experts have raised the concern that email itself, rather than an email attachment, can transmit a computer virus. The problems are caused by email readers that render HTML, like Microsoft's Outlook or Eudora Pro. Since these programs allow web-page-like formatting within the body of the message, they also allow execution of code.

With Outlook Express, that code can be executed even before the message is open, thanks to the ‘preview pane’ included with the software.

This brings one to the basic question of computing safety in an age of viruses. Is the attached file from a friend really from that friend, or from a friend of a friend? A friend who told a friend, who told a friend... can mean worldwide transmission of a virus in less than a week. In all of this, my contention has been very simple. I always remember the basic thing my mother taught me: 'never take chocolates from strangers!'

Yateen Chodnekar
Network Manager
Hongkong Shanghai Banking Corp, Tokyo
