[Esa-l] Re: Latest wave of worms using hidden file-extensions (fwd)

John D. Hardin jhardin at wolfenet.com
Mon May 29 14:43:21 PDT 2000


Please add "shb" to your MANGLE_EXTENSIONS list.

The default MANGLE_EXTENSIONS list is now:

 MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|
                    do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|
                    p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|
                    jse?|md[be]|ms[ip]|reg'

(wrapped for clarity - must be all one line in actual use)

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   153 days until Daylight Savings Time ends

---------- Forwarded message ----------
Date: Sat, 27 May 2000 09:21:08 -0700
From: pchelp <pchelp at NWI.NET>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Re: Latest wave of worms using hidden file-extensions

Wayne correctly refers to .SHS files as one of the hidden and
potentially hazardous file types.  I consider the .SHS type (scrap
object) to be worthy of specific mention, at least as hazardous as
.PIF and perhaps more so.

It's not well known that another "scrap" file type .SHB works in
exactly the same manner as the .SHS type.  Any .SHS file can be
renamed to carry this extension with no change in behavior.

The NeverShowExt value also affects these scrap object files.

On the 10th of May, I posted a detailed page that explains the
mechanisms and hazards of scrap files, and provides some easy (and
safe) demonstrations.  I invite one and all to:

http://www.pc-help.org/security/scrap.htm

pchelp

--
http://www.pc-help.org
http://www.nwi.net/~pchelp/
Trace that spam with the Network Tracer!  http://pc-help.org/trace.htm
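The following is an added example, not part of the message above and not code from the sanitizer itself. It joins the wrapped MANGLE_EXTENSIONS list into the required single line and checks attachment names against it, showing what adding "shb" changes and why the wrapped form fails. The matching rule (case-insensitive, final extension only), the sample file names and the "without shb" list are assumptions constructed for illustration.

```python
import re

# The list exactly as wrapped in the message (line breaks and indentation kept).
WRAPPED = """html?|exe|com|cmd|bat|pif|sc[rt]|lnk|
                    do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|
                    p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|
                    jse?|md[be]|ms[ip]|reg"""


def one_line(wrapped):
    """Strip all whitespace so the alternation is a single line."""
    return "".join(wrapped.split())


def is_mangled(filename, extensions):
    """Assumed rule: case-insensitive match on the final extension only."""
    pattern = re.compile(r"\.(?:" + extensions + r")$", re.IGNORECASE)
    return pattern.search(filename.strip().strip('"')) is not None


EXTENSIONS = one_line(WRAPPED)

# Constructed comparison list: identical, but covering only "shs", not "shb".
WITHOUT_SHB = EXTENSIONS.replace("sh[bs]", "shs")

# Constructed sample attachment names, including hidden-extension cases.
SAMPLES = ["report.txt.shs", "report.txt.SHB", "photo.jpg.pif",
           "budget.xls", "readme.doc", "notes.txt"]


def audit(names, extensions):
    """Map each attachment name to whether the list would catch it."""
    return {name: is_mangled(name, extensions) for name in names}


if __name__ == "__main__":
    with_shb = audit(SAMPLES, EXTENSIONS)
    without_shb = audit(SAMPLES, WITHOUT_SHB)
    # Used unjoined, the line breaks become part of the alternatives.
    unjoined = audit(SAMPLES, WRAPPED)
    for name in SAMPLES:
        print(f"{name:16} with shb={with_shb[name]!s:5} "
              f"without shb={without_shb[name]!s:5} "
              f"wrapped as-is={unjoined[name]}")
```

With the list left wrapped, the alternatives that start a continuation line (`do[ct]`, `p[lm]`, `jse?`) carry the line break and indentation with them and stop matching.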




