TUCoPS :: Hacking Techniques :: shstroj.txt

The possibility of hiding trojans in Shell Scraps - files with extensions that Windowz tries very hard to hide HAK




From indieboy@optusnet.com.au Fri Jan 25 10:52:50 2002
Newsgroups: alt.2600
Subject: Don't be a victim - pr0n CAN be dangerous :-(
From: indieboy@optusnet.com.au (Darren)
Date: Fri, 25 Jan 2002 18:52:50 GMT



Hello everyone,

Well it finally happened.

My computer became the victim of a trojan, and I must say, I was quite
surprised at how it happened (but not that it happened).

This is my story.

Only the names have been changed to protect the innocent. ;-)

Yesterday, I was hard at work downloading some, ahem, religious
pictures (of course), you know the type, of Jesus, Mary, the Good Lord
etc etc.

Anyway, one of these pr0n pics, I mean religious pics, was named
35.jpg.shs.

For those of you, like me, who don't/didn't know what an .shs or .shb
file is, it is a 'scrap object file', which is basically an OLE file
that can contain any code, including malicious code.

Windows, by default, hides the extension of .shs and .shb files
(another thing I would like to kick Bill Gates' arse for now), which
means that a file named "35.jpg.shs" will appear as "35.jpg", even if
you have "Hide known filetypes" turned off under Explorer.

Two registry keys that can be deleted to stop this from happening (ie
making the .shs and .shb extensions appear) are:

HKEY_CLASSES_ROOT\shellscrap\nevershowext
HKLM\software\classes\shellscrap\nevershowext

In my case, when I was looking through the directory under explorer,
the actual .jpg file showed up with a different icon compared to the
other jpgs, which is how I sussed that something was up.

I was interested in what the file actually was, so I used wordpad to
open the file up, and then I found some interesting plain text inside,
which happened to be the names of a whole bunch of anti-virus and
security/firewall products.

Some of the names listed were:

ZONEALARM.EXE
MINILOG.EXE
BLACKICE.EXE
NPROTECT.EXE
NAVPW32.EXE

etc etc.

But there were plenty more as well.

The interesting thing is that I do use anti-virus software, and it
didn't pick up the scrap object, nor the malicious code it executed.

After running my anti-virus software a couple of times and scanning my
systems directory, it finally picked up a trojan (TROJ_OPTIX04.C), but
then the anti-virus software (Trend Micro's PC-cillin - not very good
if you ask me, but free with some other software), would pop up with
error messages while scanning some of the files (mainly .inf files).
The error message was "Closing Real-time Scan & PC-cillin".  You could
click OK, but the error message would continually pop up after this.

Anyway, I've reinstalled the OS as a precaution and changed passwords
etc, but I thought this was quite interesting.

Thinking back on it, I think I read something about scrap objects a
long, long time ago, but this caught me by surprise.  I haven't heard
of them recently, and certainly wasn't expecting them to be this bad.

BTW, it seems that programs might not be able to see the .shs and .shb
file extension either, as Free Agent normally pops up a warning
message when opening exe/com files etc.

But this also raises a few interesting pointers.

Firstly, the different icon was a dead giveaway that something was up,
but if the scrap object's icon had been changed to something else
through a registry setting, then I wouldn't have been any the wiser.

The fact that any code could be executed here is of further interest
(and obviously with the same user rights as anyone who executed the
code, ie administrator).  If the scrap object shelled out to the
original program, then the admin would/could be none the wiser.

Certainly this isn't anything new, but it caught me completely by
surprise (and I'm usually aware of what's happening in the
virus/trojan world).

Cheers (and I hope you haven't fallen asleep) ;-) ,
Darren
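The post's two observations (Explorer suppresses the .shs/.shb extension when the NeverShowExt value exists under the ShellScrap key, and the file's real content is an OLE container rather than a JPEG) can be turned into a small defender-side check. The script below is an added example, not part of Darren's post or of any tool he mentions. It assumes the registry names given in the post (ShellScrap, NeverShowExt), uses the standard OLE2 compound-document signature and the JPEG SOI marker as fixed facts, and constructs its own sample file listing; the function names (displayed_name, inspect, scan_directory, registry_hides_scrap_ext, demo) are the example's own.

```python
"""Added example, not part of the original post: a defender-side check for
the shell-scrap trick described above. It (1) computes the name Explorer would
display for a file when NeverShowExt hides .shs/.shb, (2) inspects the first
bytes of a file so a "35.jpg" that is really an OLE scrap container stands out,
and (3) on Windows, reports whether the ShellScrap\\NeverShowExt value named in
the post is still present. The sample files below are constructed for the demo."""
import os
import sys

# Extensions Explorer hides when the NeverShowExt value exists under
# HKEY_CLASSES_ROOT\ShellScrap (registry names taken from the post).
SCRAP_EXTENSIONS = (".shs", ".shb")

# Scrap objects are OLE compound documents; this is the OLE2 file signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A JPEG starts with the SOI marker (FF D8) followed by an FF-prefixed marker.
JPEG_MAGIC = b"\xff\xd8\xff"


def displayed_name(filename: str) -> str:
    """Name Explorer shows when the scrap extension is suppressed."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in SCRAP_EXTENSIONS else filename


def inspect(filename: str, head: bytes) -> list:
    """Return the reasons a file deserves a second look (empty list = nothing odd).

    `head` is the first few bytes of the file content.
    """
    reasons = []
    shown = displayed_name(filename)
    if shown != filename:
        reasons.append(f"real name {filename!r} would be displayed as {shown!r}")
    if head.startswith(OLE_MAGIC):
        reasons.append("content is an OLE compound document (scrap-object container)")
    if shown.lower().endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC):
        reasons.append("name claims JPEG but the header is not a JPEG SOI marker")
    return reasons


def scan_directory(path: str) -> dict:
    """Run inspect() over every regular file in `path`; map name -> reasons."""
    findings = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            head = fh.read(16)
        reasons = inspect(name, head)
        if reasons:
            findings[name] = reasons
    return findings


def registry_hides_scrap_ext():
    """True/False on Windows for HKCR\\ShellScrap\\NeverShowExt; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "ShellScrap") as key:
            winreg.QueryValueEx(key, "NeverShowExt")
            return True
    except FileNotFoundError:  # key or value absent: the extension is shown
        return False


# Constructed sample listing (not real files): name -> first bytes.
SAMPLE_FILES = {
    "34.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF",
    "35.jpg.shs": OLE_MAGIC + b"\x00" * 8,   # the case from the post
    "36.jpg": OLE_MAGIC + b"\x00" * 8,       # OLE container renamed without a scrap extension
}


def demo() -> dict:
    """Inspect the constructed samples; returns name -> reasons for flagged ones."""
    return {n: inspect(n, h) for n, h in SAMPLE_FILES.items() if inspect(n, h)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("  -", r)
    print("NeverShowExt present:", registry_hides_scrap_ext())
```

Checking the file header as well as the name matters because the post's other point, that the icon was the only visible clue, means a name-only check is defeated as soon as the extension or icon is changed; an OLE signature on a file that claims to be a picture is a stronger signal than either.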




