Re: Running program files on XP with non-executable extension?

From: Norman L. DeForest (af380_at_chebucto.ns.ca)
Date: 11/02/05


Date: Wed, 2 Nov 2005 13:04:19 -0400


On Wed, 2 Nov 2005, JS wrote:

> I downloaded a file (let's call it BLUESKY.EXE) which my anti-
> virus guard says may be a virus.
>
> I wanted to get more info about this file, so I disabled it by
> adding a couple of random letters to the extension.
>
> I renamed BLUESKY.EXE to BLUESKY.EXEHJ.
>
> I figured this would stop my XP Pro from running it if I double
> clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
> me about it again. Even with the dummy extension letters! Surely
> such a program file is now safe enough?
>
> --
>
> I found that if I add the random letters *before* the EXE then
> AntiVir PE's guard does not detect it as a virus.
>
> So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
>
> Is this just an oddity in 'AntiVir PE'? Or is this being done
> because of something in XP Pro which might truncate the letters in
> a file's extension after the first three letters?

The file can be found by both its long filename "BLUESKY.EXEHJ" and
by its short DOS-compatable file name (which may be "BLUESKY.EXE" or
"BLUESK~1.EXE"). It's still an executable file as long as its short
name has an executable extension.

The short filename for "BLUESKY.HJEXE" would either be "BLUESKY.HJE"
or "BLUESK~1.HJE".

-- 
Norman De Forest        http://www.chebucto.ns.ca/~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
 Clues. The market's too small to justify the effort."
      -- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005