Virus comes from the scrap heap
- By Joel Scambray, Stuart McClure
- Jul 11, 2000
"Scrap Files Can Tear You Up"
The LifeChanges virus made its rounds during the week of June 19, and even
though the trail is a little cold, it is instructive of the creativity with
which malicious code is being churned out.
The e-mail message that delivered LifeChanges had various subject lines,
including "FW: joke," and its payload was hidden by a scrap file-based delivery
Scrap files appear in Windows with their native extension, .SHS. With
recommended modifications in the Registry file, the attachment, which
normally would appear as "LIFE_CHANGES.TXT," would appear as
"LIFE_CHANGES.TXT.SHS."
SHS files can carry malicious code. Based on Object Linking and Embedding
(OLE), the scrap file, also known as a Shell Scrap Object or just Scrap
Object, is essentially a wrapper for another embedded object. Objects can
be Excel spreadsheets or even other files.
The easiest way to create one is to embed a file into another OLE-compliant
application (try Wordpad) and then copy its icon to another folder. When
the SHS file is launched, the embedded object is also executed. What's more,
commands can be associated with the embedded object using Microsoft Corp.'s
Object Packager, opening up the entire realm of malicious activities to
anyone halfway familiar with DOS.
The icon for scrap files is also similar to that for text files, further
compounding the confusion. When a scrap file arrives via e-mail, it's hard
to tell the two apart.
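A mail-gateway check for the disguise described above, as an added example that is not part of the original column: it flags attachments whose final extension is .SHS or .SHB and reports the name a recipient would see with that extension hidden. The function names, the list of benign-looking inner extensions, and the sample message are assumptions constructed for illustration.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Scrap extensions named in the article; Windows hides them by default.
HIDDEN_EXTS = {".shs", ".shb"}
# Assumption: inner suffixes a reader would take for a harmless document.
BENIGN_LOOKING = {".txt", ".doc", ".jpg", ".gif"}

def classify(filename):
    """Return (verdict, name shown to the user with the scrap extension hidden)."""
    name = filename.strip().rstrip(". ")  # Windows ignores trailing dots/spaces
    stem, ext = os.path.splitext(name)
    if ext.lower() not in HIDDEN_EXTS:
        return "ok", name
    inner = os.path.splitext(stem)[1].lower()
    verdict = "masquerade" if inner in BENIGN_LOOKING else "scrap"
    return verdict, stem

def scan_message(raw_bytes):
    """List (real name, displayed name, verdict) for each scrap attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn:
            verdict, shown = classify(fn)
            if verdict != "ok":
                findings.append((fn, shown, verdict))
    return findings

def build_sample():
    """Constructed message: subject and file name from the article, inert bytes."""
    m = EmailMessage()
    m["Subject"] = "FW: joke"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("see attached")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="LIFE_CHANGES.TXT.SHS")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for real, shown, verdict in scan_message(build_sample()):
        print(f"{verdict}: user sees {shown!r}, real name is {real!r}")
```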
Some advice for blunting the most dangerous aspects of scrap files is available
on PCHelp, which includes the following.
* Delete the NeverShowExt Registry value referenced above and from under
HKLM\SOFTWARE\Classes\DocShortcut, thus making SHS and SHB extensions visible
in Windows. (SHB files perform similarly to SHS.)
* Update antivirus scanners to look at SHS and SHB files in addition to
other executable file types.
* Disable scrap files entirely by either removing them from the list of
known Windows file types or deleting the shscrap.dll file in your System
Stuart McClure is president and chief technology officer and Joel Scambray
is managing principal at security consultant Foundstone Inc.
Copyright 2000 InfoWorld, International Data
Group Inc. All rights reserved.