Virus comes from the scrap heap

"Scrap Files Can Tear You Up"

The LifeChanges virus made its rounds during the week of June 19, and even though the trail is a little cold, it is instructive of the creativity with which malicious code is being churned out.

The e-mail message that delivered LifeChanges had various subject lines, including "FW: joke," and its payload was hidden by a scrap file-based delivery mechanism.

Scrap files appear in Windows with their native extension, .SHS. With recommended modifications in the Registry file, the attachment, which normally would appear as "LIFE_CHANGES.TXT," would appear as "LIFE_CHANGES.TXT.SHS."

SHS files can carry malicious code. Based on Object Linking and Embedding (OLE), the scrap file — also known as a Shell Scrap Object or just Scrap Object — is essentially a wrapper for another embedded object. Objects can be Excel spreadsheets or even other files.

The easiest way to create one is to embed a file into another OLE-compliant application (try Wordpad) and then copy its icon to another folder. When the SHS file is launched, the embedded object is also executed. What's more, commands can be associated with the embedded object using Microsoft Corp.'s Object Packager, opening up the entire realm of malicious activities to anyone halfway familiar with DOS.

The icon for scrap files is also similar to that for text files, further compounding the confusion. When one arrives via e-mail, it's hard to tell the two apart.

Some advice for blunting the most dangerous aspects of scrap files is available on PCHelp, including the following:

* Delete the NeverShowExt Registry value referenced above and from under HKLM\SOFTWARE\Classes\DocShortcut, thus making SHS and SHB extensions visible in Windows. (SHB files perform similarly to SHS.)

* Update antivirus scanners to look at SHS and SHB files in addition to other executable file types.

* Disable scrap files entirely by either removing them from the list of known Windows file types or deleting the shscrap.dll file in your System folder.
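
As an added illustration of the scanner advice above (not code from PCHelp or the column's authors), this Python example checks the attachment names in a mail message for .SHS/.SHB files and separately marks the "LIFE_CHANGES.TXT.SHS" pattern, where a harmless-looking inner extension precedes the hidden one. The function names, the decoy-extension list and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

SCRAP_EXTS = {".shs", ".shb"}          # scrap-file extensions named in the article
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".xls"}  # assumed list of benign-looking types

def classify_name(filename):
    """Return 'scrap-double-ext', 'scrap' or None for an attachment name."""
    # Drop any path component a sender may have included.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "x.shs. " is still a scrap file.
    parts = name.rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in SCRAP_EXTS:
        return None
    # With NeverShowExt in place the user only sees the inner extension.
    if len(parts) >= 3 and "." + parts[-2].strip() in DECOY_EXTS:
        return "scrap-double-ext"
    return "scrap"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every scrap attachment in a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231 / encoded-word names
        if filename:
            verdict = classify_name(filename)
            if verdict:
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed test message; the attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "FW: joke"
    msg.set_content("see attached")
    for name in ("LIFE_CHANGES.TXT.SHS", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict}: {filename}")
```
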

Stuart McClure is president and chief technology officer and Joel Scambray is managing principal at security consultant Foundstone Inc.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.

