Triple extensions and the Sad Hound virus
While it hasn't made much of an impact, the Sad Hound has exposed a flaw in Microsoft Outlook Express. We can expect to see a few more using the same trick.

Posted 10 February, 2003.

Since the Kournikova virus spread two years ago, we've seen a number of viruses using double extension attachments. This is where the infected attachment pretends to be a legitimate file. The giveaway is the attachment's icon, which tells you what the file really is.

To get around this giveaway, the Sad Hound uses triple extensions. There is a bug in Outlook Express where the icon will appear as the third extension while the system actually runs the second extension. So checking the icon is not enough.

The Kournikova worm sent an attachment called AnnaKournikova.jpg.vbs. This meant it pretended to be a JPEG picture file while it was actually a Visual Basic Script. At first glance the file is a picture, but the icon would have appeared as a vbs. On the other hand, the Sad Hound virus sends an attachment called missingyou.htm.pif.htm. In Microsoft Outlook the icon will appear to be a web page while actually running as a pif. It is hard to think of any legitimate reason why a PIF would be included as an e-mail attachment.

You should not open any attachment that has multiple extensions. Any file with more than one full stop in it should be treated as a probable virus. But keep in mind that the virus writers are coming up with new tricks all the time.

To minimise the risks of viruses, always make sure you update your virus checker before updating your system each morning. Keep your operating system up to date and don't open any attachment that appears vaguely suspicious. A little suspicion when checking your mail could save hours of frustration and lost work.
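
The multiple-extension rule above can be applied automatically where mail is filtered, since the file name is reliable even when the icon is not. The following Python is an added example, not part of the original article: the function names, the verdict labels and every extension in the list other than vbs and pif are assumptions made for illustration, and the sample message is constructed.

```python
from email.message import EmailMessage

# Extensions Windows will run. "vbs" and "pif" come from the article; the
# rest are an assumed, non-exhaustive list added for this example.
EXECUTABLE = {"vbs", "pif", "exe", "scr", "bat", "com", "cmd", "js"}


def classify(filename):
    """Return (verdict, reason) for one attachment file name."""
    exts = filename.strip().lower().split(".")[1:]  # all text after the first full stop
    # Triple-extension case: an executable extension that is not the last one,
    # e.g. the .pif inside missingyou.htm.pif.htm.
    hidden = [e for e in exts[:-1] if e in EXECUTABLE]
    if hidden:
        return "block", "executable extension ." + hidden[0] + " hidden before ." + exts[-1]
    if exts and exts[-1] in EXECUTABLE:
        if len(exts) > 1:  # double-extension case, e.g. .jpg.vbs
            return "block", "decoy extension in front of ." + exts[-1]
        return "block", "executable attachment ." + exts[-1]
    if len(exts) > 1:  # the article's rule: more than one full stop
        return "suspect", "more than one full stop in the name"
    return "allow", "single non-executable extension"


def scan_message(msg):
    """Classify every named attachment in an email.message.Message."""
    results = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            results[filename] = classify(filename)
    return results


def build_sample():
    """Constructed message: harmless bytes under the article's file names."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in ("missingyou.htm.pif.htm", "AnnaKournikova.jpg.vbs",
                 "report.final.doc", "holiday.jpg"):
        msg.add_attachment(b"harmless", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for name, (verdict, reason) in scan_message(build_sample()).items():
        print(f"{verdict:8}{name}: {reason}")
```
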
PC Rescue Pty Ltd
Suite 236, 4 Young Street Neutral Bay NSW 2089
ABN 082 635 765
© Technology Publishing Australia, 2011