Triple extensions and the Sad Hound virus

While it hasn’t made much of an impact, the Sad Hound has exposed a flaw in Microsoft Outlook Express. We can expect to see a few more using the same trick.

Posted 10 February, 2003.

Since the Kournikova virus spread two years ago, we’ve seen a number of viruses using double extension attachments. This is where the infected attachment pretends to be a legitimate file. The giveaway is the attachment’s icon, which tells you what the file really is.

To get around this giveaway, the Sad Hound uses triple extensions. There is a bug in Outlook Express where the icon reflects the third extension while the system actually runs the file according to the second extension. So checking the icon is not enough.

The Kournikova worm sent an attachment called AnnaKournikova.jpg.vbs. This meant it pretended to be a JPEG picture file while it was actually a Visual Basic Script. At first glance the file looks like a picture, but the icon would have appeared as a VBS.

On the other hand the Sad Hound virus sends an attachment called missingyou.htm.pif.htm. In Microsoft Outlook the icon will appear to be a webpage while actually running as a pif. It is hard to think of any legitimate reason why a PIF would be included as an e-mail attachment.

You should not open any attachment that has multiple extensions. Any file name with more than one full stop in it should be treated as a probable virus. But keep in mind that the virus writers are coming up with new tricks all the time.
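The rule above (more than one full stop is suspect, and an executable extension anywhere in the chain is what matters, not the last one) is easy to turn into a mail-gateway check. The following is an added example, not code from the original post; the set of executable extensions is an assumed illustrative subset, and the sample file names are the two from the post plus constructed benign ones.

```python
"""Flag attachment names that use the double/triple extension trick."""
from dataclasses import dataclass, field

# Assumed, illustrative subset of extensions Windows runs rather than displays.
EXECUTABLE_EXTENSIONS = {"pif", "vbs", "vbe", "exe", "scr", "com", "bat", "cmd", "js", "lnk"}


@dataclass
class Verdict:
    name: str
    extensions: list[str]
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_extensions(name: str) -> list[str]:
    """Return every dotted component after the base name, lower-cased."""
    parts = name.strip().split(".")
    return [p.lower() for p in parts[1:]]


def check_attachment(name: str) -> Verdict:
    """Apply the post's rule plus a check for an executable type hidden mid-chain."""
    exts = split_extensions(name)
    verdict = Verdict(name=name, extensions=exts)
    # The post's rule: more than one full stop is a probable virus.
    if len(exts) > 1:
        verdict.reasons.append("multiple extensions")
    # Triple-extension trick: the icon reflects the last extension, but an
    # executable type earlier in the chain (e.g. .htm.pif.htm) is what runs.
    hidden = [e for e in exts[:-1] if e in EXECUTABLE_EXTENSIONS]
    if hidden:
        verdict.reasons.append(f"executable extension hidden before the last one: {hidden}")
    # Plain executable attachment, such as the Kournikova .jpg.vbs case.
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        verdict.reasons.append(f"executable attachment type: {exts[-1]}")
    return verdict


if __name__ == "__main__":
    # Constructed sample names: the two from the post plus a benign one.
    for n in ["AnnaKournikova.jpg.vbs", "missingyou.htm.pif.htm", "invoice.pdf"]:
        v = check_attachment(n)
        print(n, "->", v.reasons or "clean")
```

A legitimate double extension such as archive.tar.gz still trips the post's "more than one full stop" rule, so a real filter would quarantine for review rather than delete outright.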

To minimise the risks of viruses, always make sure you update your virus checker before updating your system each morning. Keep your operating system up to date, and don’t open any attachment that appears even vaguely suspicious. A little suspicion when checking your mail could save hours of frustration and lost work.

