Invisible file extensions on Windows
By Floydman,
Bachelor in Computer Sciences
floydian_99@yahoo.com
Floydman@hacker.am
May 7th, 2001

You can distribute this document freely, as long as no changes are made to the file and nobody else claims credit for it.  All comments and suggestions about the material presented here should be directed to floydian_99@yahoo.com.  If future versions of this document include add-ons from people other than me, proper credit to the various authors will be clearly identified.  All version updates of this document are to be released by me.

You can find this document online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present the research I made on invisible file extensions on the Windows operating systems.  After I published my initial research material in various places on the Internet, many people pointed me to information that was already known on this topic but that I didn't know about.  However, my experiments approached the problem from a different angle than that previous work, and complement it.  In this paper, I put together everything I have found on this topic so far.  The ultimate goals are a) to find invisible file extensions, and b) to determine whether files with these invisible extensions can run code, and thus be used to propagate a virus.


Preface

A little while ago, I was having a conversation with some of my colleagues about computer viruses.  The "Life Stages" virus was mentioned during the conversation.  This virus disguises itself as a file with the extension .SHS while pretending to be a .TXT file.  This is possible because the .SHS extension is hidden by Windows, even when Explorer is configured to display all files and all extensions (even for known file types), and the file actually passes for an (almost) real .TXT file.  Following this conversation, I thought to myself: "I wonder if there are any other file extensions with this attribute that could potentially be used in a virus design?".  This is what I have found so far.

Targeted audience

This document is presented to anyone who has interests in computer security, viruses, operating systems and computing in general.

Special Thanks to : Tony, Ken Brown, JFC, Henri, Seva Gluschenko, Adam L. Simms and a couple of others for your input in this paper and for pointing me in good directions.  Thanks also to the original researchers who found some of the things explained here.

Table of contents

1. Introduction
2. The .SHS file type
3. The NeverShowExt registry key
4. CLSID
5. The ability to execute code
6. Conclusion
Appendix A. The Perl script
Appendix B. The file extensions list

1. Introduction

A little while ago, I was having a conversation with some of my colleagues about computer viruses.  The "Life Stages" virus was mentioned during the conversation.  This virus disguises itself as a file with the extension .SHS while pretending to be a .TXT file.  This is possible because the .SHS extension is hidden by Windows, even when Explorer is configured to display all files and all extensions (even for known file types), and the file actually passes for an (almost) real .TXT file.  Following this conversation, I thought to myself: "I wonder if there are any other file extensions with this attribute that could potentially be used in a virus design?".

To do this research, someone suggested that I go through the registry, since all file extensions are (supposed to be) listed there.  But the registry gives little if any information about the purpose of a given file extension in the system, nor about the visual behavior it presents to the user (which in turn can exploit the user's gullibility to activate a virus).  What interested me was how Windows presents the file in the GUI, not just the list of extensions recognized by Windows.  Also, I didn't really trust the registry to hold each and every file extension it uses in the same place (after all, we trusted it to display all file information, didn't we?).

It was only afterwards that some people pointed me to research on this topic that had been done about a year earlier.  It turns out that the invisibility is caused by a registry value named NeverShowExt.  Knowing this, finding invisible extensions becomes a breeze, but back then I didn't know it, and looking in the registry for you-don't-exactly-know-what was like searching for a needle in a haystack.  So I wrote a Perl script that generates all possible combinations of 1, 2 and 3 character long file extensions.  I did not test extensions of 4, 5 or more characters, because I did not have the time to go through all the possible combinations.  But as has been pointed out to me, Windows supports file extensions longer than three characters (.HTML is the prime example).  Also, the registered file types vary from one computer to another, since they are tightly related to the installed applications.  Some applications will also rename commonly known file types after their own application name.  For these reasons, and also because I didn't want to spend the time putting all the extension names right, I simply listed each one as it was identified in my Windows Explorer.  This list is given as extra side information, but should not be considered "the ultimate Windows file extensions list".  Since Seva Gluschenko took the time to send me many corrections, I have updated the list accordingly.

2. The .SHS file type

The best-known invisible file type is .SHS, since the "Life Stages" virus used this "feature" to camouflage a virus as what looked like an innocent .TXT ASCII file.  But the most common invisible file type is used by practically everybody, and that is .LNK, the shortcuts you use on your desktop or in menus to open applications and files.  We tend to take these shortcuts for objects of the operating system, but in fact they are only small files with a hidden .LNK extension appended to them.

So, back to .SHS: it stands for Shell Scrap.  It's an old dinosaur from Windows 3.1 that was mostly unknown until only a couple of years ago.  It is used for OLE (Object Linking and Embedding): using a Shell Scrap, you can include any file you want, even an executable, in a Word document for example, and the system will open it for you.  The .SHS file bears an icon somewhat resembling Notepad's, but still slightly different (the bottom of the page is ripped).  The .SHS extension itself is invisible, as we said, so you can make the file look like it is something else.

For an excellent overview of Shell Scraps, see http://www.pc-help.org/security/scrap.htm.

3. The NeverShowExt registry key

At this point, I should clarify what I mean when I say that a file extension is invisible: it does not show in Windows Explorer, even when you have set every configuration option to display everything there is to display ("Show hidden files and folders" checked, "Hide file extensions for known file types" and "Hide protected operating system files" unchecked).  However, if you list the same files by displaying the content of a directory in a DOS box, you will see the whole filename with all of its extensions.  The component in Windows that makes some files behave this way is a registry value named NeverShowExt, set under the class key of the file type.  Here is an example of how this is used in the registry:

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"	REG_SZ  
"NeverShowExt"="" 	REG_SZ  

Here are the file extensions that were invisible (or displayed other non-standard behavior) by default on my system:

.cnf	SpeedDial (Extension not visible)
.lnk	Shortcut (Extension not visible)
.mad	Microsoft Access Module Shortcut (Extension not visible)
.maf	Microsoft Access Form Shortcut (Extension not visible)
.mag	Microsoft Access Diagram Shortcut (Extension not visible)
.mam	Microsoft Access Macro Shortcut (Extension not visible)
.maq	Microsoft Access Query Shortcut (Extension not visible)
.mar	Microsoft Access Report Shortcut (Extension not visible)
.mas	Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat	Microsoft Access Table Shortcut (Extension not visible)
.mav	Microsoft Access View Shortcut (Extension not visible)
.maw	Microsoft Access Data Access Page Shortcut (Extension not visible)
.pif	Shortcut to MS-DOS Program (Extension not visible)
.scf	Windows Explorer Command (Extension not visible, generic icon)
.shb	Shortcut into a document (Extension not visible)
.shs	Scrap object (Extension not visible)
.uls	Internet Location Service (generic icon)
.url	Internet Shortcut (Extension not visible)
.xnk	Exchange Shortcut (Extension not visible)
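To produce the same inventory on another machine without guessing extensions, one can walk the registry for every class that carries NeverShowExt and map it back to the extensions whose default value points at that class.  The following Python script is an added example, not the Perl script from Appendix A nor any other code from this paper: it parses the text format written by `reg export HKEY_CLASSES_ROOT classes.reg` on Windows, so the inventory can be produced offline from an export, and the embedded sample export is constructed to mirror the ShellScrap excerpt above together with the .lnk and .txt classes.

```python
"""Inventory of invisible file extensions from a registry export.

Added example, not code from the paper.  Input is the text written by
    reg export HKEY_CLASSES_ROOT classes.reg
on Windows (UTF-16 with a BOM on current versions); the sample below is
constructed to mirror the ShellScrap excerpt on the page plus the .lnk
and .txt classes.
"""
import sys

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Class keys live under either of these roots; HKCR is a merged view of them.
CLASS_ROOTS = ("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    The default value is stored under "@".  Quoted REG_SZ data is unquoted
    and unescaped; other types (dword:, hex:) are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # file header or hex continuation line
        name, _, data = line.partition("=")
        name = name if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def class_name(key_path):
    """Top-level class name under a classes root, or None for subkeys
    (such as ...\\shell\\open\\command) and keys outside the classes hive."""
    low = key_path.lower()
    for root in CLASS_ROOTS:
        if low.startswith(root):
            rest = key_path[len(root):]
            return rest if rest and "\\" not in rest else None
    return None


def invisible_extensions(keys):
    """Map each extension to its ProgID when that ProgID carries NeverShowExt.

    Explorer hides the extension of a file whose class key has a value named
    NeverShowExt (the data is irrelevant); names are compared case-insensitively
    because the registry itself is.
    """
    ext_to_progid, hidden_progids = {}, set()
    for path, values in keys.items():
        name = class_name(path)
        if name is None:
            continue
        if name.startswith("."):
            if values.get("@"):
                ext_to_progid[name.lower()] = values["@"]
        elif any(v.lower() == "nevershowext" for v in values):
            hidden_progids.add(name.lower())
    return {ext: pid for ext, pid in ext_to_progid.items()
            if pid.lower() in hidden_progids}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-16") as fh:   # reg export writes UTF-16
            text = fh.read()
    else:
        text = SAMPLE_REG
    for ext, progid in sorted(invisible_extensions(parse_reg(text)).items()):
        print(f"{ext}\t{progid}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path of a real export as its only argument to list every invisible extension on that machine; with no argument it runs over the constructed sample and reports .lnk and .shs but not .txt.  Note that the check is on the presence of the value, not on its data, which is why the page's excerpt shows it as an empty string.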

Here is a command line directory listing of some test files I made:

dir test.*
Directory of C:\TEMP
2001-03-30  12:49                    7 test.cnf
2001-03-30  12:49                    7 test.lnk
2001-03-30  12:49                    7 test.mad
2001-03-30  12:49                    7 test.maf
2001-03-30  12:49                    7 test.mag
2001-03-30  12:49                    7 test.mam
2001-03-30  12:49                    7 test.maq
2001-03-30  12:49                    7 test.mar
2001-03-30  12:49                    7 test.mas
2001-03-30  12:49                    7 test.mat
2001-03-30  12:49                    7 test.mav
2001-03-30  12:49                    7 test.maw
2001-03-30  12:49                    7 test.pif
2001-03-30  12:49                    7 test.scf
2001-03-30  12:49                    7 test.shb
2001-03-30  12:49                   14 test.shs
2001-03-30  12:43                    7 test.shs.txt
2001-03-30  12:42                    7 test.txt
2001-03-30  12:42                    7 test.txt.shs
2001-03-30  12:42                    7 test.uls
2001-03-30  12:49                    7 test.url
2001-03-30  12:49                    7 test.xnk


In Explorer and Explorer-like tools, the same files appear, in the same order, as: test, test, test, test, test, test, test, test, test, test, test, test, test, test, test, test, test.shs.txt, test.txt, test.txt, test.uls, test, test.  Only the last extension is dropped, so test.txt.shs shows up as test.txt and cannot be told apart from the real test.txt, while test.shs.txt keeps its full name, because the .shs in the middle is just part of the base name.
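The listing above can be reproduced without Explorer by applying its display rule: only the final extension is examined, and it is dropped when its class carries NeverShowExt.  The following Python script is an added example, not code from this paper: it uses the set of invisible extensions from the list earlier in this section, models the separate "Hide file extensions for known file types" option with an assumed set of common registered types, and flags every name whose displayed form advertises a different file type than the file's real last extension, which is exactly what test.txt.shs does.

```python
"""Simulate Explorer's display of file names and flag type masquerades.

Added example, not code from the paper.  INVISIBLE is the set of extensions
the page lists as "Extension not visible"; KNOWN is an assumed set of
registered types used to model the "Hide file extensions for known file
types" option, which is off for the Explorer listing on the page.
"""
import os

INVISIBLE = {".cnf", ".lnk", ".mad", ".maf", ".mag", ".mam", ".maq", ".mar",
             ".mas", ".mat", ".mav", ".maw", ".pif", ".scf", ".shb", ".shs",
             ".url", ".xnk"}
KNOWN = {".txt", ".doc", ".exe", ".jpg"}   # assumed, for the hide_known option

# Constructed to match the "dir test.*" listing on the page, in the same order.
LISTING = ["test.cnf", "test.lnk", "test.mad", "test.maf", "test.mag",
           "test.mam", "test.maq", "test.mar", "test.mas", "test.mat",
           "test.mav", "test.maw", "test.pif", "test.scf", "test.shb",
           "test.shs", "test.shs.txt", "test.txt", "test.txt.shs",
           "test.uls", "test.url", "test.xnk"]


def split_ext(name):
    """Split off the last extension, lower-cased, like the shell does.
    'test.txt.shs' -> ('test.txt', '.shs'); 'test' -> ('test', '')."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, "." + ext.lower()


def explorer_name(name, invisible=INVISIBLE, hide_known=False, known=KNOWN):
    """Name Explorer shows: only the final extension is examined, and it is
    dropped when its class has NeverShowExt (or, with hide_known, when it is
    a registered type).  Everything before it, including earlier dots, stays."""
    base, ext = split_ext(name)
    if ext in invisible or (hide_known and ext in known):
        return base
    return name


def masquerades(names, **opts):
    """Return (real_name, shown_name, apparent_ext) for every name whose
    displayed form ends in a different extension than the file really has.
    'test.txt.shs' is shown as 'test.txt' and so is reported; 'test.url' is
    shown as 'test', which advertises no type at all and is not."""
    hits = []
    for name in names:
        shown = explorer_name(name, **opts)
        real_ext = split_ext(name)[1]
        apparent = split_ext(shown)[1]
        if shown != name and apparent and apparent != real_ext:
            hits.append((name, shown, apparent))
    return hits


def scan_directory(path, **opts):
    """Run masquerades() over the entries of a real directory."""
    return masquerades(sorted(e.name for e in os.scandir(path)), **opts)


if __name__ == "__main__":
    for real in LISTING:
        print(f"{real:14} -> {explorer_name(real)}")
    for real, shown, fake in masquerades(LISTING):
        print(f"MASQUERADE: {real} is shown as {shown} and looks like a {fake} file")
```

Run stand-alone it prints the same two columns as the DOS listing and the Explorer view on the page, then the single masquerade, test.txt.shs.  Point scan_directory() at a download folder to apply the same check to real files; a hit means the user sees one type and double-clicks another.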