File Extensions

One of the most asked questions lately is “What extensions should I scan and/or watch for in E-mail attachments?” While a valid question, some caveats must be attached to the answer.

First, it’s important to note that over time Microsoft (and others) appear to be working toward making file extensions as the sole indicator of file content and creator unnecessary. This already exists on the Macintosh where the file creator information is in the file itself so the file name and extension is no indicator at all of the type of file.

Such behavior is starting to appear under Windows as well. Microsoft Word, for example, will actually examine a file it’s asked to open and, despite the name ending in .DOC, if the file is a template file will open the file as a template (.DOT) file instead. Some Word macro viruses take advantage of this characteristic and save infected files in template format with a .DOC extension.

Another variant of this behavior on Windows computers would be the Scrap Object file which actually can contain most anything from simple text to complex programs. When opened, the operating system determines what the content is and acts accordingly.

Finally, there is the issue of double extensions. To make your viewing easier, Windows offers the option of turning off the viewing of file extensions. If you do that, however, you can easily be fooled by files with double extensions. Most everyone has been conditioned, for example, that the extension .TXT is safe as it indicates a pure text file. But, with extensions turned off if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you’ve forgotten that extensions are actually turned off you might think this is a text file and open it. Instead, this is really an executable VisualBasic Script file and could do serious damage. For now you should always have viewing extensions turned on. Here’s how…

In Windows 98 double click to open “My Computer” and then select “View”|”Folder Options”. Select the “View” tab and then scroll down to the entry that says “Hide file extensions for known file types” and make certain it’s not checked. Click OK and then close the My Computer window. With this move you will now see extensions in file directory windows and the option will be picked up by other Microsoft programs like Outlook.

Extensions
So, with the thought in mind that file extensions are likely being phased out over time and can be spoofed, here are some to watch out for (“?” represents any character):

.386 Windows Enhanced Mode Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.ADE Microsoft Access Project Extension. Use of macros makes this vulnerable.
.ADP Microsoft Access Project. Use of macros makes this vulnerable.
.ADT Abstract Data Type. According to Symantec these are database-related program files.
.APP Application File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
.ASP Active Server Page. Combination program and HTML code.
.BAS Microsoft Visual Basic Class Module. These are programs.
.BAT Batch File. These are text files that contain system commands. There have been a few batch file viruses but they are not common.
.BIN Binary File. Can be used for a variety of tasks and usually associated with a program. Like an overlay file it’s possible to infect .BIN files but not usually likely.
.BTM 4DOS Batch To Memory Batch File. Batch file that could be infected.
.CBT Computer Based Training. It’s never been made clear why or how these can become infected but Symantec includes them in their default listing.
.CHM Compiled HTML Help File. Use of scripting makes these vulnerable.
.CLA
.CLASS Java Class File. Java applets are supposed to be run in a “sandbox” and thus be isolated from the system. However, users can be tricked into running an applet in a mode that the sandbox considers “secure” so Class files should be scanned.
.CMD Windows NT Command Script. A batch file for NT.
.COM Command (Executable File). Any executable file can be infected in a variety of ways.
.CPL Control Panel Extension. Similar to a device driver which is executable code and, as such, can be infected and should be scanned.
.CRT Security Certificate. Can have code associated with it.
.CSC Corel Script File. A type of script file that is executable. Any executable should be scanned.
.CSS Hypertext Cascading Style Sheet. Style sheets can contain code.
.DLL Dynamic Link Library. Can be used for a variety of tasks associated with a program. DLLs typically add functions to programs. Some contain executable code; others simply contain functions or data but you can’t tell by looking so all DLLs should be scanned.
.DOC MS Word Document. Word documents can contain macros that are powerful enough to be used for viruses and worms.
.DOT MS Word Document Template. Word templates can contain macros that are powerful enough to be used for viruses and worms.
.DRV Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.EML or
.EMAIL MS Outlook Express E-mail. E-mail messages can contain HTML and scripts. Many viruses and worms use this vector.
.EXE Executable File. Any executable file can be infected in a variety of ways.
.FON Font. Believe it or not, a font file can have executable code in it and therefore can be infected.
.HLP Help File. Help files can contain macros. They are not a common vector but have housed a Trojan or two.
.HTA HTML Program. Can contain scripts.
.HTM
.HTML Hypertext Markeup Language. HTML files can contain scripts which are more and more becoming vectors.
.INF Setup Information. Setup scripts can be changed to do unexpected things.
.INI Initialization File. Contains program options.
.INS Internet Naming Service. Can be changed to point unexpected places.
.ISP Internet Communication Settings. Can be changed to point unexpected things.
.JS
.JSE JavaScript. As script files become vectors more often it’s best to scan them. (.JSE is encoded. Also keep in mind that these can have other, random, extensions!)
.LIB Library. In theory, these files could be infected but to date no LIB-file virus has been identified.
.LNK Link. Can be changed to point to unexpected places.
.MDB MS Access Database or MS Access Application. Access files can contain macros that are powerful enough to be used for viruses and worms.
.MDE Microsoft Access MDE database. Macros and scripts make this vulnerable.
.MHT
.MHTM
.MHTML MHTML Document. This is an archived Web page. As such it can contain scripts which can be infected.
.MP3 MP3 Program. While actual music files cannot be infected, files with .mp3 extensions can contain macro code that the Windows or RealNetwork media players will interpret and run. So, .mp3 files have expanded beyond pure music.
.MSO Math Script Object. According to Symantec these are database-related program files.
.MSC Microsoft Common Console Document. Can be changed to point to unexpected places.
.MSI Microsoft Windows Installer Package. Contains code.
.MSP Microsoft Windows Installer Patch. Contains code.
.MST Microsoft Visual Test Source Files. Source can be changed.
.OBJ Relocatable Object Code. Files associated with programs.
.OCX Object Linking and Embedding (OLE) Control Extension. A program that can be downloaded from a Web page.
.OV? Program File Overlay. Can be used for a variety of tasks associated with a program. Overlays typically add functions to programs. It’s possible to infect overlay files but not usually likely.
.PCD Photo CD MS Compiled Script. Scripts are vulnerable.
.PGM Program File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
.PIF MS-DOS Shortcut. If changed can run unexpected programs.
.PPT MS PowerPoint Presentation. PowerPoint presentations can contain macros that are powerful enough to be used for viruses and worms.
.PRC Palmpilot Resource File. A PDA program (yes, there are rare PDA viruses).
.REG Registry Entries. If run these change the registry.
.RTF Rich Text Format. A format for transmitting formatted text usually assumed to be safe. Binary (and infected) objects can be embedded within RTF files, however, so, to be safe, they should be scanned. RTF files can also be DOC files renamed and Word will open them as DOC files.
.SCR Screen Saver or Script. Screen savers and scripts are both executable code. As such either may contain a virus or be used to house a worm or Trojan.
.SCT Windows Script Component. Scripts can be infected.
.SHB
.SHS Shell Scrap Object File. A scrap file can contain just about anything from a simple text file to a powerful executable program. They should generally be avoided if one is sent to you but are routinely used by the operating system on any single system.
.SMM Ami Pro Macro. Rare, but can be infected.
Source Source Code. These are program files that could be infected by a source code virus (these are rare). Unless you are a programmer these likely won’t be a concern. Extensions include, but are not limited to: .ASM, .C, .CPP, .PAS, .BAS, .FOR.
.SYS System Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.URL Internet Shortcut. Can send you to any unexpected Web location.
.VB
.VBE VBScript File. Scripts can be infected. (.VBE is encoded.)
.VBS Visual Basic Script. A script file may contain a virus or be used to house a worm or Trojan.
.VXD Virtual Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
.WSC Windows Script Component. Scripts can be infected.
.WSF Windows Script File. Scripts can be infected.
.WSH Windows Script Host Settings File. Settings can be changed to do unexpected things.
.XL? MS Excel File. Excel worksheets can contain macros that are powerful enough to be used for viruses and worms.

The above listing has been derived from the default extension lists of various anti-virus programs and from discussions in virus-related newsgroups. It should not be taken as an absolute however. Some viruses/worms have been spread in files with no extension and, as noted, an extension does not necessarily guarantee a particular file type. The meaning for extensions not listed here might be found at http://filext.com/.

The safe option is to allow anti-virus software to scan all files.

Summary
While extensions are often touted as being accurate indicators of files that can be infected, history shows they are not. Additionally, they can be spoofed in a variety of ways.
The safe option is to allow anti-virus software to scan all files.

Leave a Reply

You must Register or Login to comment on File Extensions