Re: Running program files on XP with non-executable extension?
From: Zvi Netiv (support_at_replace_with_domain.com)
Date: Thu, 03 Nov 2005 19:12:18 +0200
JS <firstname.lastname@example.org> wrote:
> I downloaded a file (let's call it BLUESKY.EXE) which my anti-virus
> guard says may be a virus.
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
Not the brightest idea.
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
Not sure at all. See below.
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?
Nothing to do with XP, particularly, but with how file and extension names are
interpreted by Windows and by various applications.
Here is a little experiment that you can do, that explains the principles
involved: Open the Windows installation directory with Windows Explorer, find
Regedit.exe, and rename it to "Egedit.executable". When still in Explorer's
window, double click the Egedit renamed file and it won't execute, as expected.
Prepare now for a little surprise! Open the CMD shell (by executing CMD from
the desktop 'run' menu), change to XP's base directory (..\WINNT by default) and
issue the command DIR EGEDI* from the command line. The system will return
EGEDIT~1.EXE. Type now just EGEDIT~1, with no extension name, and then press
Enter. REGEDIT will open normally!
What the above experiment shows is that the Explorer and CMD shells parse
file and extension names quite differently, and whether a file is considered an
executable depends on the parser.
All that your experiment tells is that AntiVir PE interprets just the first
three characters of the extension name in order to determine whether the file
type is in the list of extensions that need to be verified. Nothing beyond that.
If you want to be safe, then change the extension name to EX~, DL~, SC~ for
castrated exe, dll, and scr, respectively, rather than appending the original
extension name, like you did.
Don't forget to delete Egedit when done with the experiment (Windows will keep
the protected original file, and rename a copy).
--
NetZ Computing Ltd. ISRAEL
www.invircible.com   www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
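The three parsers described in the reply above (Explorer's full-extension match, a scanner that compares only the first three extension characters, and CMD's 8.3 short name), modelled as an added example that is not part of the original post. The 8.3 generation is a simplified model (assumption: a single file, so the suffix is always `~1`); the file names are the ones from the thread.

```python
import re

EXECUTABLE_EXTENSIONS = {"EXE", "DLL", "SCR"}
# Characters permitted in a DOS 8.3 name (simplified set, an assumption of this model).
_NOT_SHORT_CHARS = re.compile(r"[^A-Z0-9_~!#$%&()\-]")


def split_name(name: str) -> tuple:
    """Split on the LAST dot, the way a long-name parser such as Explorer sees an extension."""
    base, dot, ext = name.rpartition(".")
    return (base, ext.upper()) if dot else (name, "")


def explorer_runs(name: str) -> bool:
    """Explorer compares the whole extension against the registered executable types."""
    return split_name(name)[1] in EXECUTABLE_EXTENSIONS


def av_prefix_flags(name: str) -> bool:
    """Scanner behaviour described in the post: only the first three extension characters count."""
    return split_name(name)[1][:3] in EXECUTABLE_EXTENSIONS


def short_name(name: str) -> str:
    """Simplified 8.3 short-name generation (assumption: no collisions, so the suffix is '~1').
    A name that already fits 8.3 keeps itself; otherwise the base is cut to 6 characters plus
    '~1' and the extension to 3 characters. This is the form DIR reports and CMD accepts."""
    base, ext = split_name(name)
    base_s = _NOT_SHORT_CHARS.sub("", base.upper())
    ext_s = _NOT_SHORT_CHARS.sub("", ext)
    fits = base_s == base.upper() and ext_s == ext and len(base_s) <= 8 and len(ext_s) <= 3
    if fits:
        return f"{base_s}.{ext_s}" if ext_s else base_s
    short_base = base_s[:6] + "~1"
    return f"{short_base}.{ext_s[:3]}" if ext_s else short_base


def cmd_runs_short_name(name: str) -> bool:
    """CMD resolves EGEDIT~1 through the short name, so the truncated extension decides."""
    return split_name(short_name(name))[1] in EXECUTABLE_EXTENSIONS


def classify(name: str) -> dict:
    """Summarise how each parser treats the file; a 'disabled' file should be False everywhere."""
    return {"explorer_runs": explorer_runs(name), "av_prefix_flags": av_prefix_flags(name),
            "short_name": short_name(name), "cmd_runs_short_name": cmd_runs_short_name(name)}


if __name__ == "__main__":
    for n in ("BLUESKY.EXEHJ", "BLUESKY.HJEXE", "Egedit.executable", "BLUESKY.EX~"):
        print(n, classify(n))
```

Only the `EX~` form from the reply comes out False for all three parsers; appending letters after `.EXE` still yields a short name ending in `.EXE`.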