Virus comes from the scrap heap

"Scrap Files Can Tear You Up"

The LifeChanges virus made its rounds during the week of June 19, and even though the trail is a little cold, it is instructive of the creativity with which malicious code is being churned out.

The e-mail message that delivered LifeChanges had various subject lines, including "FW: joke," and its payload was hidden by a scrap file-based delivery mechanism.

In their native extension, scrap files appear in Windows with their native extension, .SHS. With recommended modifications in the Registry file, the attachment, which normally would appear as "LIFE_CHANGES.TXT," would appear as "LIFE _CHANGES.TXT.SHS."

SHS files can carry malicious code. Based on Object Linking and Embedding (OLE), the scrap file — also know as a Shell Scrap Object or just Scrap Object — is essentially a wrapper for another embedded object. Objects can be Excel spreadsheets or even other files.

The easiest way to create one is to embed a file into another OLE-compliant application (try Wordpad) and then copy its icon to another folder. When the SHS file is launched, the embedded object is also executed. What's more, commands can be associated with the embedded object using Microsoft Corp.'s Object Packager, opening up the entire realm of malicious activities to anyone halfway familiar with DOS.

The icon for scrap files is also similar to that for text files, further compounding the confusion. Sent via e-mail, it's hard to tell.

Some advice for blunting the most dangerous aspects of scrap files is available on PCHelp, which includes the following.

* Delete the NeverShowExt Registry value referenced above and from under HKLM \SOFTWARE\Classes\DocShortcut, thus making SHS and SHB extensions visible in Windows. (SHB files perform similarly to SHS.)

* Update antivirus scanners to look at SHS and SHB files in addition to other executable file types.

* Disable scrap files entirely by either removing them from the list of known Windows file types or deleting the shscrap.dll file in your System folder.

Stuart McClure is president and chief technology officer and Joel Scambray is managing principal at security consultant Foundstone Inc.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.