How To Subscribe and Unsubscribe is at the end of this note. Mailing List Trouble? See http://www.langa.com/help.txt
Questions about the advertisers? See the end of this note. Please also see legal notices at the end of this note.

Want an easier-to-read formatted HTML version? See http://www.langa.com/whats_new.htm (The HTML version of each issue normally is available by 9AM EST [GMT-5] of the issue date.)

Please recommend the LangaList to a friend! (And maybe win a Palm III !)

The LangaList

21-Oct-99

A Free Email Newsletter from Fred Langa About BrowserTune,
HotSpots, Columns, Tips & Tricks, and Other Activities

In This Issue:
The Danger Of Stealth Executables
Wayward IE4/5 Patch
Last Days Of DOS
Two New(?) Windows Update Items 
More Info On "Millennium" (the Successor to Win98)
Don't Make Me Beg!
Search Engine Humor
Exploring The Registry
Just For Grins

More!

-------------( Please Visit This LangaList Sponsor!) ------------

--------------( the above is a paid advertisement )--------------

 

The Danger Of Stealth Executables

"SHS" and other little-known or seemingly-benign file types (often completely ignored by antivirus apps) can disguise malicious executables and macro viruses!

Doug Findlay, a reader from Canada, recently had an eye-opening experience that's instructive to us all:

Fred:

I recently came across something that concerned me VERY much - and could possibly be used to cause damage or execute viruses etc. on a user's machine.

Recently, a friend sent me a harmless executable file (it was a sound bite), but it was embedded in an MS Word 97 document. To hear the sound bite was frustrating, requiring me to load MS Word and then double-click on the embedded file. So, in MS Word, I selected the executable that was embedded in the document, copied it and pasted it to my desktop.

Not surprisingly, it showed up as an MS Word "Scrap" file. The file extension for scrap files is ".shs". For some reason, Windows hides this file extension.

So, with a file named "Scrap" on the desktop, double-clicking it ran the executable without problem. In fact, I tried changing the name of the file to something else, with a different extension (i.e. ".bmp"). Renaming it "test.bmp", the icon remained the same and the new name appeared, once again with the ".shs" extension hidden. Now it appeared as a harmless image file - however, double-clicking it ran the executable as before.

Call me paranoid, but could I not do the same thing with a more sinister executable and rename it as a ".txt" file? The "scrap" icon looks like a text file icon - and an unknowing user would open the 'text' file, but really run the executable.

When attaching this type of file to an email message, the extension becomes visible - but an unsophisticated user would go ahead and save the attachment and voila - no more "shs" extension! Looks fine! Double-click and whammo.

Doug's right. Because Windows normally hides the SHS extension (you have to select file/properties to see it) many users have never even heard of it. Thus, even though SHS files can contain directly executable content, users might well click on an SHS file (disguised or not) without a second thought.

What's more, many commercial antivirus apps do not scan SHS files by default, and must be manually adjusted to include "Scraps" in their scans.

And it's not just SHS files. Trojan-horse infectors can reside in a wide variety of files with little-known, or seemingly-benign file extensions. For example, if you follow antivirus activity, you may recall that a few months back some malicious souls started circulating the Melissa virus in RTF rather than the more common DOC files. Some enterprises and users who had religiously updated their virus definitions to include the Melissa signature got infected anyway because their antivirus apps, by default, didn't scan RTF files. (By the way, two new strains of Melissa were discovered just last week, so it's a safe bet that the RTF exploit will turn up again, and soon….)
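
One way to check a folder or mail queue for the disguises described above, as an added example that is not from the newsletter: it reports the name a user actually sees, flags hidden and decoy extensions, and flags carrier types missing from a scanner's extension list. The scan list, the sample files and the OLE-header content check are assumptions made for illustration.

```python
import os

# Extensions Explorer keeps hidden; ".shs" is the one the article describes.
HIDDEN_EXTS = {".shs"}
# File types the article says can carry executable or macro content.
CARRIER_EXTS = {".shs", ".rtf", ".doc"}
# Constructed stand-in for a scanner's default extension list (assumption).
DEFAULT_SCAN_EXTS = {".exe", ".com", ".doc", ".dot"}
# OLE compound-file header, shared by Word documents and scrap files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
OLE_EXPECTED_EXTS = {".shs", ".doc", ".dot"}


def displayed_name(filename):
    """Name as the user sees it when the final extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in HIDDEN_EXTS else filename


def audit(filename, head=b"", scan_exts=DEFAULT_SCAN_EXTS):
    """Return sorted findings for one file name and its first bytes."""
    findings = set()
    ext = os.path.splitext(filename)[1].lower()
    if ext in HIDDEN_EXTS:
        findings.add("hidden-extension")
        # A second extension in the visible part poses as another type.
        if os.path.splitext(displayed_name(filename))[1]:
            findings.add("decoy-extension")
    if ext in CARRIER_EXTS and ext not in scan_exts:
        findings.add("not-scanned-by-default")
    if head.startswith(OLE_MAGIC) and ext not in OLE_EXPECTED_EXTS:
        findings.add("ole-content-under-other-name")
    return sorted(findings)


# Constructed samples: (file name on disk, first bytes of the file).
SAMPLES = [
    ("test.bmp.shs", OLE_MAGIC),        # the renamed scrap from the letter
    ("Scrap.shs", OLE_MAGIC),
    ("memo.rtf", OLE_MAGIC),            # Word document under an .rtf name
    ("notes.rtf", b"{\\rtf1\\ansi"),    # genuine RTF text
    ("photo.bmp", b"BM"),
]


def report(samples=SAMPLES):
    return {name: audit(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{displayed_name(name):10} <- {name:13} {findings}")
```

Passing a scan list that includes ".shs" and ".rtf" clears the "not-scanned-by-default" finding, which is the effect of adding those types to the antivirus configuration.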

I checked the major antivirus vendor sites and found very little on SHS and similar vulnerabilities. The Symantec/Norton site did have some information buried pretty deep, but a search of the Computer Associates, Trend Micro and McAfee antivirus sites, for example, turned up exactly zero hits on "SHS."

In this week's InformationWeek column, I'll give you the full story, and tell you what I've learned, including two essential adjustments you can make to your antivirus application that will allow it to catch these stealth files in its normal sweeps.

Once you've protected yourself, join the discussion: Were you aware of the SHS and RTF exploits? Are there other exploits you know of that you can share? Do you use centralized antivirus protection at the server or firewall, or desktop-level protection, or both? How commonly do you encounter viruses? And: Is constant anti-virus monitoring (as a background process) worth the cost in system resources, or is once-a-day, idle-time scanning sufficient?

For the column and discussion, click to:
http://www.informationweek.com/langaletter


Wayward IE4/5 Patch

Last issue, I told you about a patch for the "IFRAME ExecCommand" Vulnerability.

I had successfully downloaded the patch from the site at ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe but the day my newsletter went out, that page (on the Microsoft server) died: That URL now gives a "page not found" error.

The error is Microsoft's: I correctly copied the URL from a Microsoft security bulletin. In fact that bulletin is still posted at http://www.microsoft.com/security/bulletins/MS99-042faq.asp , and it still lists the same (dead) link that I told you about.

I apologize, but there's nothing I can do if pages break on someone else's site after I've visited them. It happens. Sigh.

I'll let you know if/when the patch page becomes available again.


Last Days Of DOS

Well, we're in the final few days of the DOS "low memory" discussion (on the WinMag site), anyway. <g>

Using the tips there, some readers have freed up as much as 25% more "low memory" on their PCs. I myself got an extra 10% by following the tips. It's all easy, and FREE. 

If you want to gain more "low" memory for free or just learn more about Autoexec and Config files, click on over to the WinMag site for more info and fully-formatted, cut-and-paste ready samples. If you're a DOS Expert, please join in to share your best DOS tips, tricks, batch files, and tweaks. If you're a DOS Novice, please read the column and then post your questions and comments. Let's help each other at http://content.techweb.com/winmag//columns/fred/1999/1011.htm


Two New(?) Windows Update Items 

Windows Update uses a "Wizard" to sniff what Windows and IE patches are already on your system; it then presents you with a custom menu that lists the patches the Wizard thinks are most appropriate for you.

That's mostly a good thing, except that two people can visit the Update site and get two very different lists of patches. It makes it hard to share patch info because what shows up on my system may or may not show up on yours.

Also, the Wizard is sometimes less than wonderful in its accuracy, and sometimes will either fail to offer you a patch you should have, or it may re-offer a patch you've already applied.

For example, the Update site recommended two "critical updates" to me this week:

1) Windows 98 Second Edition Shutdown Supplement: "The Shutdown Supplement addresses shutdown issues on systems with hardware/software configurations specific to Windows 98 Second Edition. Installing this update will resolve such issues as systems restarting when "Shut down" is selected and systems hanging during shutdown."

2) Internet Explorer Security Update: "This update eliminates two security vulnerabilities in Internet Explorer: 1) ImportExportFavorites Issue and 2) Unsafe ActiveX Controls. Installing this update will prevent a web site operator from writing malicious files to your computer and, it will also prevent a web site from running several unsafe ActiveX controls without your permission."

Curiously, I'd already installed both of these, but perhaps some system change I'd made either de-installed them, or (more likely) altered the record of the installation so the Wizard didn't know I'd already downloaded the patches.

In any case, reinstalling does no harm, and that's what I did. You may want to click on over to the Update site and see what it thinks you need, too.

If you have trouble accessing Windows Update, try the fixes listed here: http://content.techweb.com/winmag//fixes/1999/1099/winup.htm

Or, as an alternative, you can get most of the patches manually at http://www.microsoft.com/windows98/downloads/corporate.asp 


More Info On "Millennium" (the Successor to Win98)

A Millennium beta tester who offered some inside info a month or so ago (see http://www.langa.com/newsletters/sep-13-99.htm#millenium ) wrote again. Here's the new scoop:

Beta testers are questioning the value of Millennium sans UI update. Speed and reliability aside, it's looking more and more like a maintenance release.

MS seems very sensitive to this criticism but seems unwilling or unable to do anything about it.

With MS' delay of the new UI, once again stalling progress, the time seems ripe for an OS alternative that can take advantage of today's hardware and provide an interface bored users are looking for.

Unfortunately, there doesn't seem to be anyone stepping up to the plate to fill MS' void. And this is when MS becomes so lackadaisical and non-innovative; when there's no competition.

My current opinion is that without a new UI, and/or some major capability not yet seen, users should not even consider paying more than the cost of the CD for Millennium.

I read WinMag's millennium article. Millennium may be 20% faster, twice as fast in "some" areas. 20% overall. Suggesting that users will see double performance by applying the maintenance release is far from reality at this point.

Thanks for writing (you know who you are!)


Don’t Make Me Beg! 8-)

If you think the LangaList is a worthwhile read, just use the following link to recommend the LangaList to a friend. Your friend just may find a new source of useful information; I just may gain a new subscriber; and you just may win a Palm III organizer for your trouble (full details also available via this link):

http://www.langa.com/recommend.htm#1

Or, win a copy of "Poor Richard's E-Mail Publishing: Creating Newsletters, Bulletins, Discussion Groups and Other Powerful Communications Tools." This book has been described as "An excellent, straightforward manual on email publishing, banner ads, driving traffic and especially ethics." (Full details also available via this link):

http://www.langa.com/recommend.htm#2 

Either way, thank you, and good luck!


Search Engine Humor

Reader Jonas S. Madsen (who also contributed this issue's "Just For Grins" item) sends along this preconfigured search using the Google search engine: The search asks Google for pages relating to someone or something "more evil than Satan himself."

The results are, to say the least, odd. Someone at Google has a sense of humor!

http://www.google.com/search?q=more+evil+than+satan+himself

 


Exploring The Registry

The Windows "registry" is a mystery to many users. For example, reader Geoffrey Mason wrote:

Fred - If you think it appropriate would you please put in a few lines on changing something in the REGISTRY (Win 95)? I have opened it with REGEDIT but don't know where to go from there. I merely need to delete a couple of lines but can find nothing in the manuals that tells me how to do it. Help.

In fact, Microsoft mostly tells you NOT to edit the registry. But with a good guide, it's not hard, and it can let you configure, improve and repair your PC in ways you simply can't do otherwise. 

For example, sometimes, after installing IE5, you can't uninstall it; it vanishes off your add/delete list. But with the right registry tweak, you can root it out.

A decent guide to the registry would fill a book, and I know of two excellent ones by former WinMag columnist John Woram. I have them both, and highly recommend them. Here's how Amazon.Com describes them:

"For all of Microsoft's warnings about editing the Registry, it remains the most powerful, the most versatile--and often, the only--way to troubleshoot and customize your Windows PC. Try it! With the expert advice of Registry guru, John Woram, you'll quickly gain the know-how you need to navigate the maze of HKEYs, subkeys, and data strings with complete confidence. Clearly organized and well illustrated, [this book] takes the mystery out of the Registry, giving you a clear, detailed roadmap and straight-forward directions."

You can read more or even order a copy of the books (at a 20% discount!) here:

The Windows 98 Registry : A Survival Guide for Users
http://www.amazon.com/exec/obidos/ASIN/1558285911/langacom

The Windows 95 Registry : A Survival Guide for Users
http://www.amazon.com/exec/obidos/ASIN/155828494X/langacom

You also can find more book info here:
http://www.langa.com/books.htm


Just For Grins

Reader Jonas S. Madsen also sent this along:

Mountain View, CA -- Sun Microsystems today filed a trademark infringement against the island of Java* over the use of Sun's Java* trademark.

Responding to criticism that the island has been called Java* for centuries, Sun lawyer Frank Cheatham said "Yeah, and in all that time they never filed for a trademark. They deserve to lose the name."

Rather than pay the licensing fee, the island decided to change its name. They originally voted to change it to Visu Albasic, but an angry telegram from Redmond, Washington convinced them otherwise. The country finally settled on a symbol for a name -- a neatly-colored coffee cup which still evokes the idea of java. Since most newspapers and magazines will not be able to print the name of the island, it will hereafter be referred to in print as "The Island Formerly Known As Java*".

Lawyers from Sun would also like to locate the owners of the huge fiery ball at the center of the solar system. They have some legal papers for them....

--------------------------------

*Java is a Trademark of Sun Microsystems, Inc. Anyone caught using the trademark without permission will be beaten, flogged, sued, and forced to use Microsoft products.

 


See you next issue!

 

Best,

Fred

(fred@langa.com)


 

Administrivia:

Why are you getting this newsletter? There are only two ways to get on the list (direct email request or via the WinMag mail list signup page), so if you're getting this newsletter, your name came to me through one of those channels.

SUBSCRIBE (it's free!): Send email to subscribe-langalist@lyris.dundee.net
UNSUBSCRIBE: Send email to unsubscribe-langalist@lyris.dundee.net
LIST TROUBLE? HAVE QUESTIONS? NEED HELP? See http://www.langa.com/help.txt

About the advertisers: Each item marked "the above is a paid advertisement" is just that: a paid ad. Although Langa Consulting LLC will never knowingly accept advertising for a fraudulent product, company or service, Langa Consulting LLC makes no implied or explicit warranty, recommendation or endorsement of or for the products, companies or services mentioned in the ads. Treat these ads as you would any other ad in any other medium.

Disclaimer: The tips and other information given in the newsletter are researched and are as accurate as possible. However, due to the many variables of hardware and software brand, size, type, age and configuration, plus the vagaries of user knowledge, skill level and usage accuracy, Langa Consulting LLC makes no assertion, warranty or guarantee that all the information here will work on all systems and for all users, all the time. If you're not sure of the applicability or suitability-to-task of any advice, tips, etc. given here, or are uncertain of your own ability to perform a described task, seek additional help or information before proceeding. In any case, all information herein is offered as-is and without warranty of any kind; neither Langa Consulting LLC, nor its employees nor contributors are responsible for any loss, injury, or damage, direct or consequential, resulting from application of any information presented here.

This newsletter is a free service of Langa Consulting LLC and is Copyright © 1999 Langa Consulting LLC. All rights reserved.
