Bugtraq mailing list archives

Fwd: [nohack] Yet another way to disguise files.


From: dinodrac () WEBTV NET (Josh Rollyson)
Date: Tue, 16 May 2000 11:05:20 -0400


This needs some attention, IMHO.

--
Josh Rollyson
dracus on EFnet and Undernet
dinodrac () magenet com



attached mail follows:

Mail from Jim Murray <jim () digitaldaemons net>

Turned up this alarming snippet on usenet today :

<copy>
Windows hides file types for some files even with HideFileTypes turned
off.

Do a search of your registry for the value "NeverShowExt", starting at:
HKEY_LOCAL_MACHINE\Software\CLASSES\
Which is mirrored at:
HKEY_CLASSES_ROOT\
I found that there were 10 occurrences on my (fairly UNLoaded
installation)
ALL of which I have now changed to "AlwaysShowExt"!
If you have much other M$ or Office software on your machine, you may
find more!
& it is quite easy for any program to conceal *any* file extension by
this means!

HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_LOCAL_MACHINE\Software\CLASSES\DocShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap
HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile
HKEY_LOCAL_MACHINE\Software\CLASSES\InternetShortcut
HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile
HKEY_LOCAL_MACHINE\Software\CLASSES\ConferenceLink

The first 3 are for the MAPIMail & DeskLink shortcuts, the 3rd one is
for the My Documents folder.
MapiMail is used for *automatically* sending mails, using whatever is
the "default" email client (via sendmail.dll).
DeskLink is, I think, used for a similar thing.

The last 7 are self-explanatory(?)
& I would venture to suggest that of these, DocShortcut, ShellScrap,
lnk, pif, InternetShortcut & SHCmdFile ARE *definitely* "executable"!!!?

In fact the "action" associated with these is:
DocShortcut
C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL /r /x %1
ShellScrap
C:\WINDOZE\rundll32.exe shscrap.dll,OpenScrap_RunDLL %1
You can guess what the others do?
<g>
Yup, you got it! - Iexplore.exe gets its mitts on them!
So *anything* is possible!

<endcopy>

A little digging on the web revealed that this is a genuine issue, one
that's been known about for some time. Just a couple of the links I
found:

http://www.pc-help.org/security/scrap.htm - Includes demo exploit.
http://www.stiller.com/shs.htm

I know it's not new but as users become more wary of running anything
they see and learn to check file types, exploits using this are probably
going to increase sometime soon.

Jim.


--
 Jim Murray  = jim () digitaldaemons net = jim-mm () dal net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       "If you think the problem is bad now,
         just wait until we've solved it."
-
-
nohack, the cross-IRC-networks Trojan Horses mailing list.
To unsubscribe send mail to majordomo () linuxbox org
with 'unsubscribe nohack' in the message body.
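The registry search described in the forwarded usenet snippet, scripted so it can be repeated on any machine. This is an added example and is not code from either poster; it assumes Windows PowerShell 5.1 or later on Windows, and an elevated session if the -Fix switch is used. The switch name, the variable names and the output layout are my own. It lists every HKEY_CLASSES_ROOT key that carries a NeverShowExt value, shows which extensions map to that key and what Explorer runs on open, and optionally renames the value to AlwaysShowExt.

```powershell
# Added example, not from the original posts.
# Assumes Windows PowerShell 5.1+ on Windows; -Fix needs an elevated session.
param(
    [switch]$Fix   # rename NeverShowExt -> AlwaysShowExt under each hit
)

$root = 'Registry::HKEY_CLASSES_ROOT'

# Map ProgID -> extensions by reading the default value of every ".ext" key,
# so a hit such as "ShellScrap" can be tied back to ".shs".
$extByProgId = @{}
Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($progId) {
            if (-not $extByProgId.ContainsKey($progId)) { $extByProgId[$progId] = @() }
            $extByProgId[$progId] += $_.PSChildName
        }
    }

# NeverShowExt is an empty REG_SZ: its presence, not its content, is what
# Explorer checks, so test for the value name. Recursing HKCR takes a while.
$hits = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Property -contains 'NeverShowExt' }

$report = foreach ($key in $hits) {
    $rel = $key.Name -replace '^HKEY_CLASSES_ROOT\\', ''
    # What Explorer actually runs for this type, if it has an open verb at all
    # (CLSID entries such as the MAPIMail shell folder usually have none).
    $cmd = (Get-ItemProperty -Path "$($key.PSPath)\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Key         = $rel
        Extensions  = ($extByProgId[$rel] -join ', ')
        OpenCommand = $cmd
    }

    if ($Fix) {
        # Writes through HKCR land in HKLM\Software\Classes (or HKCU if the
        # key exists there). Explorer only re-reads this after a restart.
        Rename-ItemProperty -Path $key.PSPath -Name 'NeverShowExt' `
            -NewName 'AlwaysShowExt' -ErrorAction Stop
    }
}

$report | Sort-Object Key | Format-Table -AutoSize -Wrap
```

Run it once without -Fix to see the list; run it again elevated with -Fix to flip the values, then restart explorer.exe (or log off) before checking that ".shs" and ".lnk" are shown. Note what the change does and does not buy: Explorer stops hiding the extension, but the handlers themselves are untouched, so a double-clicked scrap, .lnk or .pif still executes whatever it contains. The display fix is a tripwire for the user, not a mitigation of the file types.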


