Why and How files other than .exe can infect any computer??????? :confused: :confused:
Why and How files other than .exe can infect any computer??????? :confused: :confused:
Quote:
Why and How files other than .exe can infect any computer???????
Hello Bill, old chap...........I will guess your location to be close to Mumbai? (profile :))
Your answer is that other files execute? like .com, .bat, .reg, and so on?
That is where your vulnerabilities lie?
;)
Quote:
Hello Bill, old chap...........I will guess your location to be close to Mumbai? (profile :))
Your answer is that other files execute? like .com, .bat, .reg, and so on?
That is where your vulnerabilities lie?
;)
Well Dear You guessed right I'm from India but your guessed location is very far from me.......
Just Guess more for my location :)
OK These executables (like .com, .bat, .reg, and so on) work but how .hqx (well I got this in e-mail attachment) work????
Just a quick google !
http://www.fileinfo.net/extension/hqx
File Type
BinHex 4.0 Encoded File
File Description
Macintosh file compressed and encoded into 7-bit text; helps maintain file integrity for downloads by combining the data fork and resource fork into a single archive
Are you on Mac ?
You don't need to be on a Mac to open a HQX file. WinZip opens those up.
The way I understand things....
Any file that can be opened, whether it's via another application (i.e. a picture file, an audio file, an office document file) or a plain old executable file has the potential to infect your computer.
I don't think I'm technically versed enough to explain how and why files other than exe etc. files can infect your computer but I'll take a stab at it.
(Inhales)
Never mind.
What I do know however is that "specially crafted" files can exploit an unthought-of way that a program interprets them to be able to do things via the program that can end up leading to your computer being infected.
^
| That sounds really messy to me, but I hope you understand it, or that someone can clear it up for you.
One of my favorite examples of this is the JPEG exploit that came out in '04:
http://www.microsoft.com/technet/sec.../MS04-028.mspx
There are countless other examples of this but that's just my favorite.
Oh yeah, and read up on Buffer Overflows...It's heavy stuff, so be ready dude. If you understand that stuff, your question will be answered for sure.
Trealin, you're right for the most part, that being the part about files being crafted specifically to make use of a vulnerability.
Another prime example is the WMF exploit (my favorite) for Windows Meta Files which is a lot like the JPEG exploit :)
There are a lot of files that can be executed as soon as they are opened, but these are usually dictated by what registered file types you have in your registry and if those file types make use of an application to open them or if they use the kernel to open them.
For example, let's say that someone emails you a .bat file, which by default is executed by the kernel or by cmd.exe, and you had to open it, it would execute immediately, whereas if you configured the registered file type dealing with .bat files to use notepad to open it then it would be totally harmless and open in notepad to display its contents.
Which is much the same if you had to save the file to disk and then manually open it with notepad.
rock_bill, as for your original question, as I have said above, it all depends on what registered file types you have and what applications they are configured to use to open/execute the file.
I do not recommend messing around in the registry unless you have done a little research on what you want to change, but if you would like to see what your registered file types are and what they do you can get a complete list in the HKEY_CLASSES_ROOT section of your registry.
The format is first to list the .filename and then to reference to its type, i.e. .exe has a default value of 'exefile' which is then referenced further down under the 'exefile' key which defines its handling.
Similarly for .bat files, if you look under the 'batfile' key you will see a subkey called 'open' which defines the parameters for opening the file, as you can see it does not reference any application, but merely ""%1" %*" which basically uses the kernel to open the file (the "%1" bit) with additional options (the %* bit).
If you wanted to change it so that batch files would be opened in notepad instead of running the app then you would need to change it to something like what you will find in the 'edit' key, but this will of course prevent any batch file from being run as any attempt to run a .bat file would just open it in notepad. A bit of a catch 22 :D hehehehe
Anyway, I know this is plenty of arbitrary info, but you might find it useful or appreciate a bit of background info on the matter of what can be run and how it is run on a windows system.
And in case anyone is wondering, there have been a fair couple of viruses that make use of this and replace themselves as the default application for opening various known file types, they're just annoying and way outdated :)
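Added example, not written by anyone in this thread: the lookup chain described in the post above (extension, then file type, then the 'open' command), resolved in Python over a constructed and simplified registry export so it runs without touching a live registry. The function names and the `runs_itself` rule (the command begins with the file's own path, "%1") are assumptions made for this illustration.

```python
import re

# Constructed, simplified excerpt of a .reg export (plain string values only).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@="%SystemRoot%\\System32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

def parse_reg(text):
    """Map each key path (below HKEY_CLASSES_ROOT) to its default value."""
    defaults, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].partition("\\")[2].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])  # undo \" and \\
    return defaults

def open_command(defaults, ext):
    """Follow .ext -> file type -> shell\\open\\command."""
    progid = defaults.get(ext.lower())
    if progid is None:
        return None, None
    return progid, defaults.get(progid.lower() + "\\shell\\open\\command")

def runs_itself(command):
    """True when the open verb launches the file itself ("%1" comes first)."""
    return bool(command) and command.lstrip(' "').startswith("%1")

def audit(text):
    """Return {ext: (file_type, open_command, runs_itself)}."""
    defaults = parse_reg(text)
    return {k: (*open_command(defaults, k), runs_itself(open_command(defaults, k)[1]))
            for k in defaults if k.startswith(".") and "\\" not in k}
```

On this sample, `audit(SAMPLE_REG)` marks `.bat` as self-launching and `.txt` as handed to Notepad, and an extension with no entry (such as `.hqx` here) resolves to no handler at all.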
Hey, Bill old chap...............
Please excuse my ignorance of Indian geography and the related linguistics
:)
I will now close in on you my friend?
Madhya Pradesh?
Closer? :D
Please remember that I cannot hear you speak...........I can only guess from idioms?
You are now near to me.......
Quote:
Hey, Bill old chap...............
Please excuse my ignorance of Indian geography and the related linguistics
:)
I will now close in on you my friend?
Madhya Pradesh?
Closer? :D
Please remember that I cannot hear you speak...........I can only guess from idioms?
Some more guess might bring you to my location.....
Quote:
Are you on Mac ?
I am not on Mac but using Windows XP, I have got attachment in my mail.
Were there some other files with the attachment?
Okay WinZip opens this file but was it originally compressed, I mean did you receive it in a .zip or .rar file which you opened under XP?
The chance of another file with the attachment can be that it can change the extension of the file while execution or change its attributes and unleash the monster within. The change of extension can make it .exe or similar using other file that came with it.
Did you click the file to open it? Did it open with WinZip? What were the contents?
Please elaborate !
Now after going through this discussion, I am telling you what I think the procedure might be for infection from those files...this is just a guess...I am not very sure but I think that this is the closest I can get to the process...Here I go:
When a person double clicks the file with an extension which is unknown just like HQX in most cases, Windows tries to first see if it is a registered file type. If it is not then it will start the service which asks the user to tell which program to be used for opening that file, during that very moment, the file is read to gain more information like signature of file and the meta info. In most cases, such files (which often come in various extensions and are reported as X-application by Norton) have something in their beginning which tells the program which asks for the selection of software to open that file to execute an instruction from within the file. This is where they get executed and infect the computer.
I Think that is the only way Windows would get infected by those files.
Please tell me if I am right or wrong.
Thanks...