Virus comes from the scrap heap

The LifeChanges virus made its rounds during the week of June 19, and even though the trail is a little cold, it is instructive of the creativity with which malicious code is being churned out.

"Scrap Files Can Tear You Up"

The e-mail message that delivered LifeChanges carried various subject lines, including "FW: joke," and its payload was hidden by a scrap-file-based delivery mechanism.

Scrap files carry the native extension .SHS, but Windows hides that extension by default: a NeverShowExt value in the Registry tells Explorer to suppress it even when the option to show extensions for known file types is turned on. The LifeChanges attachment was actually named "LIFE_CHANGES.TXT.SHS" but appeared as "LIFE_CHANGES.TXT." With the Registry modifications recommended below, it would be displayed under its full name.

SHS files can carry malicious code. Based on Object Linking and Embedding (OLE), the scrap file, also known as a Shell Scrap Object or just Scrap Object, is essentially a wrapper for another embedded object. That object can be an Excel spreadsheet or even another file entirely.

The easiest way to create one is to embed a file into another OLE-compliant application (try WordPad) and then copy its icon to another folder. When the SHS file is launched, the embedded object is also executed. What's more, commands can be associated with the embedded object using Microsoft Corp.'s Object Packager, opening up the entire realm of malicious activity to anyone halfway familiar with DOS commands.

The icon for scrap files also resembles the one for text files, further compounding the confusion. Received as an e-mail attachment, a scrap file is hard to tell apart from a harmless text document.

Some advice for blunting the most dangerous aspects of scrap files is available from PCHelp; it includes the following.

* Delete the NeverShowExt Registry value from under HKLM\SOFTWARE\Classes\ShellScrap (the handler for .SHS) and HKLM\SOFTWARE\Classes\DocShortcut (the handler for .SHB), thus making the SHS and SHB extensions visible in Windows. (SHB files behave similarly to SHS.)

* Update antivirus scanners to look at SHS and SHB files in addition to other executable file types.

* Disable scrap files entirely, either by removing them from the list of registered Windows file types or by deleting shscrap.dll from your System folder.
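The first PCHelp step, audited and applied as a script. This is an added example, not code from the InfoWorld article, Foundstone or PCHelp; it assumes the NeverShowExt value lives under the ShellScrap and DocShortcut keys named above, and it assumes a Downloads folder as the place attachments land (change $ScanRoots to suit). It must run from an elevated PowerShell prompt, since the keys are under HKLM.

```powershell
# Added example (not from the article or PCHelp): remove the NeverShowExt values
# that hide the .SHS/.SHB extensions, then list any scrap files already on disk.
# Assumptions: the values live under the ShellScrap (.SHS) and DocShortcut (.SHB)
# ProgID keys; mail attachments are saved under the user's Downloads folder.
# Run elevated; supports -WhatIf so the change can be previewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads")   # assumed attachment location
)

$scrapProgIds = @(
    'HKLM:\SOFTWARE\Classes\ShellScrap',   # handler for .SHS
    'HKLM:\SOFTWARE\Classes\DocShortcut'   # handler for .SHB
)

foreach ($key in $scrapProgIds) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key not present; scrap objects may already be unregistered."
        continue
    }
    # Get-ItemProperty returns the key's values as properties of one object.
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties.Name -contains 'NeverShowExt') {
        if ($PSCmdlet.ShouldProcess($key, 'Remove NeverShowExt')) {
            Remove-ItemProperty -Path $key -Name 'NeverShowExt'
            Write-Output "Removed NeverShowExt from $key; its extension will now be shown."
        }
    } else {
        Write-Output "$key has no NeverShowExt value; its extension is already visible."
    }
}

# A double-extension name such as LIFE_CHANGES.TXT.SHS looks like a .TXT file while
# the scrap extension is hidden. List any scrap files that already reached the disk.
Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.shs, *.shb -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Explorer caches the display setting, so log off or restart the shell after the change before checking that "LIFE_CHANGES.TXT.SHS" is now listed under its full name. Running the script with -WhatIf reports which keys would be modified without touching the Registry.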

Stuart McClure is president and chief technology officer and Joel Scambray is managing principal at security consultant Foundstone Inc.

Copyright 2000 InfoWorld, International Data Group Inc. All rights reserved.
