The Digital Rag
Real World Information in a Virtual World
Thursday, October 23 2014 @ 10:08 AM PDT

Watch out for misformed or misused file extensions - they can spell trouble

As many of you likely know, I'm not a Windows guru, I'm a Unix/Linux guru. Since my days at iSTAR as the MIS manager, when I ended up with parts of the company using all three major systems (Unix, Mac and Windows), I've been forced to learn more and more about Windows and even use it almost daily, because so many of you as customers also use it.
I've lived through the evolution of Windows from its DOS days and have some insight into how they've done things and why.

One of the ways that Windows differs from Unix is in the way it determines what program to use to open a data file with, or in fact whether a file is a program or a data file.

Unix has a command line program called "file", and an operating system facility that works the same way as part of the command system. This facility uses knowledge of the format of the first few characters (the "magic number") in any standard file to determine what the file is: whether it is a program, data, binary, text, PDF, or any of hundreds (4409 in my current version of Red Hat) of slightly different file types. The name of the file plays no part in the decision.

Windows, on the other hand, uses two different methods: the three-character extension of the file name, and, for some file formats, a field inside the file itself that names the program the data should be opened with, such as Word, Excel, PowerPoint and some others.
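To make the contrast concrete, here is an added Python example (my own, not the author's code) that does a tiny version of what the Unix "file" command does: it reads the leading bytes of the content, assigns a type from a handful of well-known signatures, and compares that with what the Windows extension claims. The signature table, the extension table and the sample files are constructed for the example; a real "file" carries thousands of patterns.

```python
"""Added example: identify a file by its leading bytes, the way Unix `file`
does, and compare with what the Windows extension claims. Not the author's
code; the signature table and samples are a small constructed subset."""
import os
from typing import Dict, List, Tuple

# A few well-known magic numbers (a real `file` carries thousands of patterns).
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2-compound"),  # legacy Word/Excel/PowerPoint container
    (b"PK\x03\x04", "zip"),                                  # also .docx/.xlsx/.pptx
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),                                # DOS/Windows .exe, .dll, .scr, .pif ...
    (b"\x7fELF", "elf-executable"),
]

# What each extension claims the content is, expressed in the same labels (assumed table).
EXT_CLAIMS: Dict[str, str] = {
    ".doc": "ole2-compound", ".xls": "ole2-compound", ".ppt": "ole2-compound",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".pdf": "pdf", ".txt": "text",
    ".exe": "pe-executable", ".dll": "pe-executable",
}


def sniff(data: bytes) -> str:
    """Classify content from its first bytes, ignoring the name entirely."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    # Crude text test: printable ASCII or whitespace only in the first 512 bytes.
    head = data[:512]
    if head and all(b in b"\t\n\r" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def check(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the extension's claim with the sniffed content."""
    ext = os.path.splitext(filename)[1].lower()   # only the part after the LAST dot counts
    actual = sniff(data)
    claimed = EXT_CLAIMS.get(ext, "unknown-extension")
    return {"ext": ext, "claimed": claimed, "actual": actual, "match": claimed == actual}


# Constructed sample files (bytes only, nothing is written to disk).
OLE2_HEADER = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
EXE_HEADER = b"MZ\x90\x00" + b"\x00" * 28
SAMPLES = {
    "quarterly.doc": OLE2_HEADER,   # genuine legacy Word container
    "invoice.pdf": EXE_HEADER,      # a Windows executable wearing a .pdf name
    "notes.txt": b"meeting at 3pm\n",
    "THIS.DOC.pif": EXE_HEADER,     # double extension: the .pif is what counts
}


def report() -> Dict[str, Dict[str, object]]:
    """Run check() over every constructed sample."""
    return {name: check(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report().items():
        verdict = "OK" if r["match"] else "MISMATCH"
        print(f"{name:14} claims {r['claimed']:18} content {r['actual']:18} {verdict}")
```

The useful output is the MISMATCH rows: an "invoice.pdf" whose bytes start with MZ is an executable no matter what the name says, which is exactly the check the extension-only approach never makes. A mail gateway or download scanner that does this once per file catches the renamed-executable trick without needing to know about any particular spelling of the extension.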

The subject of this particular news item is that there is an exploit now going the rounds that uses the second facility to cause you to run a program that might (will) compromise your computer just by doing what you normally do, double-click on a document and assume it will be opened by the correct program. The exploiter will give you what looks like a standard file but with the name of the program replaced by something else.

This exploit takes advantage of the fact that by default a Windows system is set not to show the file extension portion of the file name. Even if you have (as I always do) unchecked the "Hide file extensions for known file types" option, you may still be fooled by slight misspellings of the usual extensions into opening the files as normal. The misspellings might be something like "D0C" instead of "DOC" (the centre character is a zero, not the letter O) or "pppt" instead of "ppt" (an extra p).

So... watch out for incoming files that purport to be normal document or data files. If they are stored in the OLE2 file format and have been altered to use a different program to open the file, they can end up running a script that does damage instead of opening a document. Note that this may bypass virus checking that has been installed to check Word, Excel, PowerPoint or other standard documents.

As usual you should also be watching for files that look like they are data but in fact have a second extension, usually in lower case, which can fool the eye. Examples are:

THIS.DOC.pif
THAT.PPT.exe
ANOTHER.XLS.bat

In each of the above, the last three characters actually determine what your system will use to open the file. Note also that since Windows file names can easily have spaces in them, the actual extension may be farther along the line than the part of the file name you can see:

ANOTHER FILE NAME OF DUBIOUS LINEAGE.DOC                                          .bat

And of course there is also the facility to obfuscate a file name with really strange characters that follow the extended character set naming conventions for foreign language use (16-bit characters as opposed to the typical ASCII). Unless your computer has the extended character sets installed, you will see some pretty strange things such as 0xAF 0xB1 0x1B, as well as completely unprintable characters.
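Pulling the warning signs in this post together, here is an added Python example (my own, not the author's code) that checks a file name for the tricks described: an executable last extension, a document extension buried before it, whitespace padding before the real extension, lookalike extensions such as D0C or pppt, and characters outside printable ASCII. The extension lists, the digit-for-letter table and the sample names are assumptions made for the example.

```python
"""Added example: flag file names that use the tricks described in the post.
Not the author's code; extension lists and sample names are assumptions."""
from typing import Dict, List

# Extensions Windows will run or interpret rather than open as data (assumed list).
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "pif", "scr", "vbs", "js", "lnk", "hta", "msi"}
# Extensions a reader expects on an ordinary document (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf"}
# Digits commonly swapped for the letters they resemble (D0C -> DOC).
HOMOGLYPHS = {"0": "o", "1": "l", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter slips such as 'pppt' for 'ppt'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_filename(name: str) -> List[str]:
    """Return the warning signs found in a file name (empty list means none)."""
    flags = []

    # Anything outside printable ASCII: the extended-character-set obfuscation trick.
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        flags.append("non-ascii-or-control-chars")

    parts = name.split(".")
    if len(parts) < 2:
        return flags + ["no-extension"]

    # Only the text after the LAST dot decides how Windows opens the file.
    ext = parts[-1].strip().lower()

    # A run of spaces before the last dot pushes the real extension out of view.
    if parts[-2] != parts[-2].rstrip():
        flags.append("whitespace-padded-extension")

    if ext in EXECUTABLE_EXTS:
        flags.append("executable-extension:" + ext)

    # A document extension buried in the middle of the name (THIS.DOC.pif).
    inner = [p.strip().lower() for p in parts[1:-1]]
    if any(p in DOCUMENT_EXTS for p in inner):
        flags.append("double-extension")

    # An unknown extension that is one slip away from a document extension.
    if ext not in EXECUTABLE_EXTS and ext not in DOCUMENT_EXTS:
        unswapped = "".join(HOMOGLYPHS.get(c, c) for c in ext)
        if unswapped in DOCUMENT_EXTS or any(edit_distance(ext, d) == 1 for d in DOCUMENT_EXTS):
            flags.append("lookalike-extension:" + ext)

    return flags


# Constructed sample names, including the ones from the post.
SAMPLES = [
    "quarterly.docx",
    "THIS.DOC.pif",
    "THAT.PPT.exe",
    "ANOTHER.XLS.bat",
    "ANOTHER FILE NAME OF DUBIOUS LINEAGE.DOC                                          .bat",
    "report.D0C",
    "slides.pppt",
]


def scan(names: List[str] = SAMPLES) -> Dict[str, List[str]]:
    """Analyse every name and map it to its list of flags."""
    return {n: analyse_filename(n) for n in names}


if __name__ == "__main__":
    for name, flags in scan().items():
        print(f"{name[:40]:40} {', '.join(flags) or 'ok'}")
```

The checks are deliberately noisy: an accented name such as "résumé.doc" or a legitimate Word template ending in ".dot" will be flagged as worth a second look, which fits the author's "very low threshold of doubt". The one thing a name check cannot do is see inside the file, so it pairs naturally with a content check on the first few bytes.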

If in doubt (and you should have a very low threshold of doubt) don't open it; check back with whoever sent you the file and have them double-check that it's correct.

----------------------------------------------------

Bruce Schneier's latest CRYPTO-GRAM newsletter has articles on biometrics (criminals in Malaysia cut off a man's finger to open the biometric lock on his Mercedes) and even one on "Hacking the Papal Election". You can see it at www.schneier.com

Great reading from one of the people I most respect in the area of personal and corporate security.

----------------------------------------------------

Hope this finds your computers working fine and you getting the best use out of them.

You can also read this at blog.pacdat.net along with other information and opinions on a variety of topics.

richard

Trackback URL for this entry: http://digital-rag.com/trackback.php/20050415095132615