Virus comes from the scrap heap

"Scrap Files Can Tear You Up"

The LifeChanges virus made its rounds during the week of June 19, and even though the trail is a little cold, it illustrates the creativity with which malicious code is being churned out.

The e-mail message that delivered LifeChanges had various subject lines, including "FW: joke," and its payload was hidden by a scrap file-based delivery mechanism.

Scrap files appear in Windows with their native extension, .SHS. With recommended modifications in the Registry file, the attachment, which normally would appear as "LIFE_CHANGES.TXT," would appear as "LIFE_CHANGES.TXT.SHS."

SHS files can carry malicious code. Based on Object Linking and Embedding (OLE), the scrap file — also known as a Shell Scrap Object or just Scrap Object — is essentially a wrapper for another embedded object. Objects can be Excel spreadsheets or even other files.

The easiest way to create one is to embed a file into another OLE-compliant application (try Wordpad) and then copy its icon to another folder. When the SHS file is launched, the embedded object is also executed. What's more, commands can be associated with the embedded object using Microsoft Corp.'s Object Packager, opening up the entire realm of malicious activities to anyone halfway familiar with DOS.

The icon for scrap files is also similar to that for text files, further compounding the confusion. When a scrap file arrives via e-mail, it's hard to tell the two apart.

Some advice for blunting the most dangerous aspects of scrap files is available on PCHelp, which includes the following.

* Delete the NeverShowExt Registry value referenced above and from under HKLM\SOFTWARE\Classes\DocShortcut, thus making SHS and SHB extensions visible in Windows. (SHB files perform similarly to SHS.)

* Update antivirus scanners to look at SHS and SHB files in addition to other executable file types.

* Disable scrap files entirely by either removing them from the list of known Windows file types or deleting the shscrap.dll file in your System folder.
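
The following added example (not from the column or from PCHelp) applies the scanning recommendation at the mail gateway: it parses a message and flags SHS/SHB attachments, reporting the name Windows would display while the extension is hidden. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Scrap-file extensions named in the column.
SCRAP_EXTS = {".shs", ".shb"}


def displayed_name(filename):
    """Name Windows shows while the scrap extension is hidden (NeverShowExt present)."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = PureWindowsPath(filename.rstrip(". ")).name
    path = PureWindowsPath(name)
    return path.stem if path.suffix.lower() in SCRAP_EXTS else name


def scan_message(raw_bytes):
    """Return one finding per attachment whose real extension is a scrap type."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        shown = displayed_name(filename)
        if shown != filename.rstrip(". "):
            findings.append({
                "filename": filename,
                "shown_as": shown,
                # True when the visible name carries a decoy extension such as .TXT
                "masquerades": PureWindowsPath(shown).suffix != "",
            })
    return findings


def build_sample():
    """Constructed test message; the attachment body is placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "FW: joke"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("see attached")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="LIFE_CHANGES.TXT.SHS")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```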

Stuart McClure is president and chief technology officer and Joel Scambray is managing principal at security consultant Foundstone Inc.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.

