A little while ago, I was having a conversation with some of my colleagues
about computer viruses.  The "Life Stages" virus was mentioned during the
conversation.  This virus disguises itself via a file with extension .SHS,
while pretending to be a .TXT file.  This was possible because the .SHS
extension is hidden by Windows, even if it is configured to display all
files, all extensions (even for known file types).  .SHS stands for "shell
scrap", which means that it is possible to use these files to execute
commands on a computer (which is what the virus did).  Following this
discussion, I thought to myself "I wonder if there are any other file
extensions with these attributes that could potentially be used in a virus
design?".  To do this research, someone suggested that I plunder the
registry, since all file extensions are supposed to be listed there.  But
the registry gives little or no information about the purpose of a
given file extension in the system, or about the visual behavior it
presents to the user (which in turn can exploit the user's gullibility to
activate a virus).  What interested me was how Windows
presents the file via the GUI, not just the list of extensions recognized
by Windows.  Also, I didn't really trust the registry to hold each and every
file extension it uses all in the same place (after all, we trusted it to
display all file information, didn't we?).

In order to solve my problem, I made a small Perl script that generates
dummy files carrying all possible file extensions under Windows.  I included
special characters in my analysis, to be sure that nothing is
overlooked.  The program is displayed below.  That version is for
3-character extensions; remove one or two loops to make 2-character and
1-character extensions.  For clarity of analysis, I sorted the files into
folders named after the first character of the extension.  This is necessary
to get decent refresh times from Windows Explorer.

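#!C:\perl
use strict;
use warnings;

# The 55 characters tried in each position of the extension.
my @alpha = ("a".."z", "0".."9", "\$", "_", ")", "(", "&", "^", "%", "#",
             "@", "!", "'", "-", "=", "+", ";", "[", "]", "{", "}");

for my $first (@alpha) {
    # One folder per first character keeps Explorer refresh times usable.
    -d $first or mkdir $first or die "mkdir $first: $!";
    chdir $first or die "chdir $first: $!";
    for my $second (@alpha) {
        for my $third (@alpha) {
            my $filename = "test." . $first . $second . $third;
            # Skip names the file system refuses instead of aborting the run.
            open(my $testfile, ">>", $filename)
                or do { warn "open $filename: $!"; next; };
            print $testfile "bla";
            close($testfile);
            print "#";    # progress marker
        }
    }
    chdir ".." or die "chdir ..: $!";
}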

Once these extensions were generated, I examined all 169 455 combinations
through Windows Explorer, in order to determine the system behavior towards
these files.  The vast majority of these files turned out to be generic
file extensions, meaning that no application is associated with them, and
as such they pose no harm as far as this research is concerned.  So I proceeded
to extract all file extensions that Windows knew something about, by
examining the file icon and file description.  Some of these extensions are
native to the Windows operating system, some others are the result of
application software installed on my machine.  For this reason, we can't
qualify this list as "the ultimate file extension list under Windows",
since a system configured for different needs would have produced a
different list.  However, the list presented here is somewhat complete and
is good reference material.  Some application software also labels
some file extensions with the application's name, instead of the more
generic extension name (for example, .wav is labeled WinAmp media file).  I
did not take the time to correct these entries, since the majority of the
readers should be able to tell what the file extension is about.

From this list, I extracted the file extensions that were
displaying behavior different from the norm, which was my first goal to
start with.  In fact, an interesting number of these extensions showed up,
which means that viruses similar to "Life Stages" could still appear, under
a new file extension that could trick users.  Here is the list of the
offending culprits:

.cnf    SpeedDial (Extension not visible)
.lnk    Shortcut (Extension not visible)
.mad    Microsoft Access Module Shortcut (Extension not visible)
.maf    Microsoft Access Form Shortcut (Extension not visible)
.mag    Microsoft Access Diagram Shortcut (Extension not visible)
.mam    Microsoft Access Macro Shortcut (Extension not visible)
.maq    Microsoft Access Query Shortcut (Extension not visible)
.mar    Microsoft Access Report Shortcut (Extension not visible)
.mas    Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat    Microsoft Access Table Shortcut (Extension not visible)
.mav    Microsoft Access View Shortcut (Extension not visible)
.maw    Microsoft Access Data Access Page Shortcut (Extension not visible)
.pif    Shortcut to MS-DOS Program (Extension not visible)
.scf    Windows Explorer Command (Extension not visible, generic icon)
.shb    Shortcut into a document (Extension not visible)
.shs    Scrap object (Extension not visible)
.uls    Internet Location Service (generic icon)
.url    Internet Shortcut (Extension not visible)
.xnk    Exchange Shortcut (Extension not visible)

At this time, I have only done some preliminary tests in order to find out if
these extensions could be used as a transmission medium for viruses.  For
example, would it be possible to craft a .cnf (SpeedDial) file in order to
make it hang up the modem and make it dial an overseas number or a
paying phone service, in order to perform telephone fraud?  The answer
seems to be yes, but only under some very restrictive conditions
(NetMeeting needs to be installed and configured to use a phone line via a
gateway), which makes it very improbable.  .SCF files, by their name (Windows
Explorer Command), seem interesting also, but this extension is available
only under a certain Service Pack (applying SP6a makes this extension
become useless).  It is interesting that a large proportion of invisible
extensions are associated with MS-Access.  .SHB files seem interesting also,
but I have not had the time so far to test any of these file extensions for
exploitability.  However, I am convinced that sometime we will see a virus
disguised as some other kind of file using one of these extensions above.
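
The check a mail filter or triage script could run against the list above, as an added example that is not part of the original post: it reports the name Explorer would display once the always-hidden extension is dropped, and marks names that then appear to end in a harmless extension.  The decoy list, the function names and the sample file names are assumptions made for the illustration.

```python
import ntpath

# Extensions the post lists as "Extension not visible" in Explorer.
HIDDEN_EXTS = {
    "cnf", "lnk", "mad", "maf", "mag", "mam", "maq", "mar", "mas", "mat",
    "mav", "maw", "pif", "scf", "shb", "shs", "url", "xnk",
}
# Assumption (not from the post): extensions a user reads as harmless.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "bmp", "pdf", "wav", "htm"}


def _split(name):
    """Return (stem, ext) with ext lower-cased and without its dot."""
    stem, ext = ntpath.splitext(name)
    return stem, ext[1:].lower()


def classify(attachment_name):
    """Describe what Explorer displays for this name and whether it misleads."""
    # Windows drops trailing dots and spaces when the file is created.
    name = ntpath.basename(attachment_name).rstrip(". ")
    stem, ext = _split(name)
    if ext not in HIDDEN_EXTS:
        return {"shown_as": name, "real_ext": ext, "verdict": "visible"}
    # The real extension is hidden: look at what the user sees instead.
    _, apparent = _split(stem)
    verdict = "disguised" if apparent in DECOY_EXTS else "hidden"
    return {"shown_as": stem, "real_ext": ext, "verdict": verdict}


def flag(names):
    """Return (name, details) for every name whose real extension is hidden."""
    return [(n, classify(n)) for n in names
            if classify(n)["verdict"] != "visible"]


# Constructed sample attachment names, not taken from any real message.
SAMPLES = ["LIFE_STAGES.TXT.SHS", "report.doc", "Setup.PIF",
           "C:\\mail\\notes.txt.shs. ", "holiday.jpg.url", "readme.txt"]

if __name__ == "__main__":
    for name, info in flag(SAMPLES):
        print(f"{name!r}: Explorer shows {info['shown_as']!r}, "
              f"real type .{info['real_ext']} ({info['verdict']})")
```
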

Here is the list of all file extensions found during this experiment:

.c      C source code

.h      C definition code

.z      WinZip file

.as     Test file
.au     AU Format Sound

.gz     WinZip file

.ht     Hyper Terminal file

.it     WinAmp media file

.js     JScript file

.pl     Perl file
.ps     PS File

.qt     Video Clip

.tz     WinZip file

.uu     WinZip file

.wm     Windows Media Audio/Video File

.xm     WinAmp media file

.z0     Z0 file (ZoneAlarm)
.z1     Z1 file (ZoneAlarm)


.323    H.323 Internet Telephony
.386    Virtual Device Driver

.669    WinAmp media file

.aca    Microsoft Agent Character file
.acf    Microsoft Agent Character file
.acg    Microsoft Agent Preview file
.acs    Microsoft Agent Character file
.ade    Microsoft Access Project Extension
.adn    Microsoft Access Blank Project Template
.adp    Microsoft Access Project
.aif    Sound Clip
.ani    Animated Cursor
.arc    Winzip File
.arj    Winzip File
.art    ART image
.asa    Active Server Document
.asf    Streaming Audio/Video File
.asp    Active Server Document
.asx    Streaming Audio/Video shortcut
.avi    Video clip
.awd    Fax Viewer Document

.b64    WinZip file
.bat    MS-DOS Batch file
.bhx    WinZip file
.bmp    Bitmap Image

.cab    WinZip file
.cat    Security Catalog
.cda    WinAmp media file
.cdf    Channel File
.cdx    Active Server Document
.cer    Security Certificate
.chm    Compiled HTML Help file
.cil    Clip Gallery Download Package
.cnf    SpeedDial (Extension not visible)
.com    MS-DOS Application
.cpl    Control Panel extension
.crl    Certificate Revocation List
.crt    Security Certificate
.css    Cascading Style Sheet Document
.csv    Microsoft Excel Comma Separated Values file
.cur    Cursor

.dcx    DCX Image Document
.der    Security Certificate
.dic    Text Document
.dif    Microsoft Excel Data Interchange Format
.dll    Application Extension
.doc    Microsoft Word Document
.dot    Microsoft Word Template
.dqy    Microsoft Excel ODBC Query file
.drv    Device Driver
.dsm    WinAmp media file
.dsn    Microsoft OLE DB Provider for ODBC Drivers
.dun    Dial-Up Networking Exported file
.eml    Outlook Express Mail Message
.exc    Text Document
.exe    Application

.far    WinAmp media file
.fav    Outlook Bar Shortcuts
.fdf    Adobe Acrobat Forms Document
.fnd    Saved Search
.fon    Font file

.gfi    GFI File
.gfx    GFX File
.gif    GIF Image
.gim    GIM File
.gix    GIX File
.gna    GNA File
.gnx    GNX File
.gra    Microsoft Graph 2000 Chart
.grp    Microsoft Program Group
.gwx    GWX File
.gwz    GWZ File

.hlp    Help File
.hqx    WinZip File
.hta    HTML Application
.htm    Microsoft HTML Document 5.0
.htt    HyperText Template
.htx    Internet Database Connector HTML Template

.icc    ICC Profile
.icm    ICC Profile
.ics    iCalendar File
.idf    MIDI Instrument Definition
.iii    Intel IPhone Compatible
.inf    Setup information
.ini    Configuration Settings
.ins    Internet Communication Settings
.iqy    Microsoft Excel Web Query File
.isp    Internet Communication Setting
.its    Internet Document Set
.ivf    IVF File

.job    Task Scheduler Task Object
.jod    Microsoft.Jet.OLEDB.4.0
.jpe    JPEG Image
.jpg    JPEG Image

.lnk    Shortcut (Extension not visible)
.lsf    Streaming Audio/Video file
.lsx    Streaming Audio/Video shortcut
.lwv    Microsoft Linguistically Enhanced Sound File
.lzh    WinZip File

.m1v    Movie Clip
.m3u    WinAmp Playlist file
.mad    Microsoft Access Module Shortcut (Extension not visible)
.maf    Microsoft Access Form Shortcut (Extension not visible)
.mag    Microsoft Access Diagram Shortcut (Extension not visible)
.mam    Microsoft Access Macro Shortcut (Extension not visible)
.maq    Microsoft Access Query Shortcut (Extension not visible)
.mar    Microsoft Access Report Shortcut (Extension not visible)
.mas    Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat    Microsoft Access Table Shortcut (Extension not visible)
.mav    Microsoft Access View Shortcut (Extension not visible)
.maw    Microsoft Access Data Access Page Shortcut (Extension not visible)
.mda    Microsoft Access Add-in
.mdb    Microsoft Access Application
.mde    Microsoft Access MDE Database
.mdn    Microsoft Access Blank Database Template
.mdt    Microsoft Access Add-in data
.mdw    Microsoft Access Workgroup Information
.mdz    Microsoft Access Database Wizard Template
.mht    Microsoft MHTML Document 5.0
.mid    WinAmp media file
.mim    WinZip file
.mmc    Media Catalog
.mod    WinAmp Media file
.mov    Video Clip
.mp1    Winamp Media file
.mp2    WinAmp Media file
.mp3    Winamp Media file
.mpa    Movie Clip
.mpe    Movie Clip
.mpg    Movie Clip
.msc    MSC File
.msg    Outlook Item
.msi    Windows Installer Package
.msp    Windows Installer Patch
.mtm    WinAmp Media file

.nsc    NSC File
.nws    Outlook Express News Message

.oft    Outlook Item Template
.opx    MS Organization Chart 2.0
.oqy    Microsoft Excel OLAP Query File
.oss    Office Search

.p10    Certificate Request
.p12    Personal Information Exchange
.p7b    PKCS #7 Certificates
.p7m    PKCS #7 MIME Message
.p7r    Certificate Request Response
.p7s    PKCS #7 Signature
.pcx    PCX Image Document
.pdf    Adobe Acrobat Document
.pfx    Personal Information Exchange
.pif    Shortcut to MS-DOS Program (Extension not visible)
.pko    Public Key Security Object
.pls    Winamp Playlist file
.png    PNG Image
.pot    Microsoft PowerPoint Template
.ppa    Microsoft PowerPoint Addin
.pps    Microsoft PowerPoint Slide Show
.ppt    Microsoft PowerPoint Presentation
.prf    PICSRules File
.pwz    Microsoft PowerPoint Wizard

.qcp    QUALCOMM PureVoice File
.que    Task Scheduler Queue Object

.rat    Rating System File
.reg    Registration Entries
.rmf    Adobe Webbuy Plugin
.rmi    MIDI Sequence
.rqy    Microsoft Excel OLE DB Query files
.rtf    Rich Text Format

.s3m    WinAmp Media file
.scf    Windows Explorer Command (Extension not visible, generic icon)
.scp    Dial-Up Networking Script
.scr    Screen Saver File
.sct    Windows Script Component
.shb    Shortcut into a document (Extension not visible)
.shf    PGP Share
.shs    Scrap object (Extension not visible)
.sig    PGP Detached signature file
.skr    PGP Private Keyring
.slk    Microsoft Excel SLK Data Import Format
.snd    AU Format Sound
.snp    Snapshot File
.spa    Flash Movie
.spc    PKCS #7 Certificates
.spl    Shockwave Flash Object
.sst    Certificate Store
.sta    sta file (Eudora)
.stl    Certificate Trust List
.stm    WinAmp media file
.swf    Shockwave Flash Object
.swt    Generator Template
.sys    System file

.tar    WinZip file
.taz    WinZip file
.tgz    WinZip file
.tif    TIF Image Document
.ttf    TrueType Font file
.txt    Text Document

.udl    Microsoft Data Link
.uls    Internet Location Service (generic icon)
.ult    Winamp media file
.url    Internet Shortcut (Extension not visible)
.uue    Winzip File

.vcf    vCard File
.vcs    vCalendar File
.voc    Winamp media file
.vsd    VISIO 5 drawing
.vss    VISIO 5 drawing
.vst    VISIO 5 drawing
.vsw    VISIO 5 drawing
.vxd    Virtual device driver

.wab    Address Book File
.wav    Winamp media file
.wbk    Microsoft Word Backup Document
.wht    Microsoft NetMeeting Whiteboard Document
.wif    WIF Image Document
.wiz    Microsoft Word Wizard
.wlg    Dr. Watson Log
.wma    Winamp media file
.wpz    Winamp extension installation file
.wri    Write Document
.wsc    Windows Script Component
.wsz    Winamp extension installation file

.xif    XIF Image Document
.xla    Microsoft Excel Add-in
.xlb    Microsoft Excel Worksheet
.xlc    Microsoft Excel Chart
.xld    Microsoft Excel 5.0 DialogSheet
.xlk    Microsoft Excel Backup File
.xll    Microsoft Excel XLL
.xlm    Microsoft Excel 4.0 Macro
.xls    Microsoft Excel Worksheet
.xlt    Microsoft Excel Template
.xlv    Microsoft Excel VBA Module
.xlw    Microsoft Excel Workspace
.xml    XML Document
.xnk    Exchange Shortcut (Extension not visible)
.xsl    XSL Stylesheet
.xxe    Winzip file

.zip    Winzip file
.zl0 ... .zly   ZoneAlarm Mailsafe file
