Executable types and Malware

I have basically two Qs in mind.

1- Is there a complete list of executables of windows available?( Anti-Executable claims to protect against more than 80 types of executables).

2- What type of executables are mostly used by malware? .exe is commonest of course, what after that?

Thanks

 

Hi aigle,

I don't think anyone's going to forward an "absolute" list per say. As I understand it executable code can be hidden, then triggered any number of way's with any sort of instruction, for purposes good or bad. It's fair to say as program's are added, so too are extension's that can be executed.

This might make more sense - http://msdn.microsoft.com/msdnmag/issues/03/05/VirusHunting/

Googling (Scroogling) around for *executable file extension's* will yield several site's with additional information. Though he hasn't been here in some time, I would love to hear one of Alec's well spoken explanation's, delivered in nothing short of pure layman's term's (which I myself would favor).


Steve

 

Again, my favorite "GUI"... DOS or "Command Prompt"!

The "assoc" program will tell you what file extension is associated with what program. It just takes a little bit of registry hunting.

For example, ".exe=exefile", says, a file with the .exe extension, will use/run whatever is associated with "exefile". So, fire up 'regedit.exe' and look in the HKEY_CLASSES_ROOT key and scroll down to 'exefile'. You will see under "shell > open > command" = "%1" %*. That just says to execute the first parameter (in this case, the program name) and pass all the remaining parameters to the program.

Another example, ".WSF=WSFFile". That says %SystemRoot%\System32\WScript.exe "%1" %*

So, each PC has a different list.

Something else to be paranoid about... if you install a music player program, how do you know EXACTLY what file associations have been added/deleted/changed? I know, do you?

Mike

Code:

C:\TEMP>assoc
.323=h323file
.386=vxdfile
.669=Winamp.File
.7z=7-Zip.7z
.AAC=Winamp.File
.aca=Agent.Character.2
.acf=Agent.Character.2
.acl=ACLFile
.acs=Agent.Character2.2
.acw=acwfile
.ai=
.aif=AIFFFile
.aifc=AIFFFile
.aiff=AIFFFile
.amf=Winamp.File
.ani=anifile
.api=AcroExch.Plugin
.APL=Winamp.File
.aps=
.arj=7-Zip.arj
.asa=aspfile
.ascx=
.asf=Winamp.File
.asm=
.asmx=
.asp=aspfile
.aspx=
.asx=Winamp.PlayList
.au=AUFile
.AudioCD=
.avi=avifile
.aw=AWFile
.B4S=Winamp.PlayList
.bat=batfile
.bcf=Belarc.Content.Filter
.bci=Belarc.Computer.Inventory
.bfc=Briefcase
.bin=
.bkf=msbackupfile
.blg=PerfFile
.bmp=PaintShopProPhotoXI.Image
.bsc=
.bz2=7-Zip.bz2
.c=
.cab=CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
.cat=CATFile
.cda=Winamp.File
.cdc=NeroCDCoverType
.cdf=ChannelFile
.cdx=aspfile
.cer=CERFile
.cgm=
.chk=chkfile
.chm=chm.file
.clp=clpfile
.cmd=cmdfile
.cnf=ConferenceLink
.com=comfile
.cpio=7-Zip.cpio
.cpl=cplfile
.cpp=
.crl=CRLFile
.crt=CERFile
.css=CSSfile
.csv=Excel.CSV
.CTT=MessengerContactList
.cur=curfile
.cxx=
.dat=
.db=dbfile
.dbg=
.dcs=dcsfile
.dct=
.deb=7-Zip.deb
.def=
.der=CERFile
.DeskLink=CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
.dib=Paint.Picture
.dic=txtfile
.dif=Excel.DIF
.diz=
.dll=dllfile
.dl_=
.dmt=DeLorme Transfer File
.doc=Word.Document.8
.dochtml=wordhtmlfile
.docm=Word.DocumentMacroEnabled.12
.docmhtml=wordmhtmlfile
.docx=Word.Document.12
.docxml=wordxmlfile
.dos=
.dot=Word.Template.8
.dothtml=wordhtmltemplate
.dqy=dqyfile
.drv=drvfile
.dsn=MSDASQL
.dun=dunfile
.dvd=
.dvr-ms=WMP.DVR-MSFile
.ecs=ecsfile
.edn=EDNActivation
.elm=ELMFile
.emf=emffile
.eml=emffile
.eps=
.etd=EBXTransfer
.exc=txtfile
.exe=exefile
.exp=
.ex_=
.eyb=
.far=Winamp.File
.fcs=fcsfile
.fdf=AcroExch.FDFDoc
.ffa=FFAFile
.ffl=FFLFile
.fft=FFTFile
.ffx=FFXFile
.fif=
.FLA=Winamp.File
.FLAC=Winamp.File
.fnd=fndfile
.fnt=
.Folder=
.fon=fonfile
.gdb=GarminGpsDatabase
.ghi=
.gho=Ghost
.ghs=GhostSpan
.gif=PaintShopProPhotoXI.Image
.grp=MSProgramGroup
.gz=7-Zip.gz
.h=
.hhc=
.hlp=hlpfile
.hpp=
.hqx=
.ht=htfile
.hta=htafile
.htc=
.htm=FirefoxHTML
.html=FirefoxHTML
.htt=HTTfile
.htw=
.htx=
.hxx=
.icc=icmfile
.icm=icmfile
.ico=IconEdit32.Document
.idb=
.idl=
.idq=
.iii=iiifile
.ilk=
.imc=
.inc=
.inf=inffile
.ini=inifile
.ins=x-internet-signup
.inv=
.inx=
.in_=
.iqy=iqyfile
.iso=7-Zip.iso
.isp=x-internet-signup
.it=Winamp.File
.its=ITS File
.itz=Winamp.File
.ivf=IVFfile
.jar=jarfile
.java=
.jbf=PaintShopProPhotoXI.BrowserCacheFile
.jfif=pjpegfile
.jnlp=JNLPFile
.job=JobObject
.jod=Microsoft.Jet.OLEDB.4.0
.jpe=jpegfile
.jpeg=jpegfile
.jpg=jpegfile
.js=JSFile
.JSE=JSEFile
.kdb=kdbfile
.key=regfile
.klnx=CLSID\{9E56BE60-C50F-11CF-9A2C-FD146FCA}
.latex=
.lex=LEXFile
.lib=
.LiveReg=LiveReg.SessionFile
.LiveSubscribe=LiveReg.UserProfile
.liveupdate=LiveupdateFile
.lnk=lnkfile
.local=
.log=txtfile
.lwv=LWVFile
.lzh=7-Zip.lzh
.m14=
.m1v=mpegfile
.M2V=Winamp.File
.m3u=Winamp.PlayList
.M3U8=Winamp.PlayList
.M4A=Winamp.File
.man=
.manifest=
.MAPIMail=CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
.MAX=
.mbsa=MBSA.Report.Viewer
.mdb=
.mdi=MSPaper.Document
.mdz=Winamp.File
.mgc=MediaCatalogMGC
.mht=mhtmlfile
.mhtml=mhtmlfile
.mid=midfile
.midi=midfile
.mmf=
.mml=MediaCatalogMML
.mmm=MPlayer
.mmw=MediaCatalogMMW
.mod=Winamp.File
.mov=
.movie=
.MP1=Winamp.File
.mp2=Winamp.File
.mp2v=mpegfile
.mp3=Winamp.File
.MP4=Winamp.File
.mpa=mpegfile
.mpe=mpegfile
.mpeg=Winamp.File
.mpf=MediaPackageFile
.mpg=Winamp.File
.mpv2=mpegfile
.msc=MSCFile
.msg=
.msi=Msi.Package
.msp=Msi.Patch
.MsRcIncident=MsRcIncident
.msstyles=msstylesfile
.MSWMM=Windows.Movie.Maker
.mtm=Winamp.File
.mv=
.mydocs=CLSID\{ECF03A32-103D-11d2-854D-006008059367}
.nbi=NBBACKUPType
.ncb=
.ncd=Nero Cover Designer.Document
.nco=NBCOMPRESSType
.ncs=ncsfile
.nct=Nero Cover Designer.Template
.nfo=MSInfo.Document
.nhf=NeroHFSType
.nhv=NeroHDBVideoType
.nji=NBJOBType
.nls=
.nmd=NerominiDVDType
.NMW=T126_Whiteboard
.nr3=NeroMP3Type
.nr4=NeroAACType
.nra=NeroAudioType
.nrb=NeroCDROMBootType
.nrc=NeroUDFISOType
.nrd=NeroDVDVideoType
.nre=NeroCDExtraType
.nrg=NeroImageType
.nrh=NeroCDROMHybridType
.nri=NeroCDROMType
.nrm=NeroMixedModeType
.nrs=NeroCDROMEFIBootType
.nru=NeroUDFType
.nrv=NeroVideoType
.nrw=NeroWMAType
.NSA=Winamp.File
.nsc=
.nsd=NeroSuperVideoType
.nst=Winamp.File
.NSV=Winamp.File
.nvr=
.nws=Microsoft Internet News Message
.obj=
.ocx=ocxfile
.oc_=
.odc=odcfile
.odccubefile=odccubefile
.odcdatabasefile=odcdatabasefile
.odcnewfile=odcnewfile
.odctablefile=odctablefile
.OGG=Winamp.File
.okt=Winamp.File
.opc=OPCFile
.oqy=oqyfile
.otf=otffile
.p10=P10File
.p12=PFXFile
.p7b=SPCFile
.p7c=certificate_wab_auto_file
.p7m=P7MFile
.p7r=SPCFile
.p7s=P7SFile
.p951=CLSID\{9E56BE60-C50F-11CF-9A2C-E97BA5CA}
.pbk=pbkfile
.pcb=PCBFile
.pch=
.pdb=
.pdf=AcroExch.Document
.pds=
.pdx=PDXFileType
.pfm=pfmfile
.pfx=PFXFile
.php3=
.pic=
.pif=piffile
.pip=PIPFile
.pko=PKOFile
.pl=
.plg=
.pls=Winamp.PlayList
.pma=PerfFile
.pmc=PerfFile
.pml=PerfFile
.pmr=PerfFile
.pmw=PerfFile
.pnf=pnffile
.png=PaintShopProPhotoXI.Image
.pot=PowerPoint.Template.8
.pothtml=powerpointhtmltemplate
.potm=PowerPoint.TemplateMacroEnabled.12
.potx=PowerPoint.Template.12
.ppa=PowerPoint.Addin.8
.pps=PowerPoint.SlideShow.8
.ppsm=PowerPoint.SlideShowMacroEnabled.12
.ppsx=PowerPoint.SlideShow.12
.ppt=PowerPoint.Show.8
.ppthtml=powerpointhtmlfile
.pptm=PowerPoint.ShowMacroEnabled.12
.pptmhtml=powerpointmhtmlfile
.pptx=PowerPoint.Show.12
.prf=prffile
.ps=
.psd=
.Psp=
.PspAutosave=PaintShopProPhotoXI.AutosaveFile
.PspBrush=PaintShopProPhotoXI.Brush
.PspBumpMap=PaintShopProPhotoXI.BumpMap
.PspCache=PaintShopProPhotoXI.Cache
.PspCMYKProfile=PaintShopProPhotoXI.CMYKProfile
.PspDeformationMap=PaintShopProPhotoXI.DeformationMap
.PspEnvironmentMap=PaintShopProPhotoXI.EnvironmentMap
.PspFrame=PaintShopProPhotoXI.Frame
.PspGradient=PaintShopProPhotoXI.Gradient
.PspImage=PaintShopProPhotoXI.Image
.PspMask=PaintShopProPhotoXI.Mask
.PspPalette=PaintShopProPhotoXI.Palette
.PspScript=PaintShopProPhotoXI.Script
.PspSelection=PaintShopProPhotoXI.Selection
.PspShape=PaintShopProPhotoXI.Shape
.PspStyledLine=PaintShopProPhotoXI.StyledLine
.PspTube=PaintShopProPhotoXI.PictureTube
.PspWorkspace=PaintShopProPhotoXI.WorkspaceFile
.psw=PSWFile
.ptm=Winamp.File
.pwz=PowerPoint.Wizard.8
.qds=SavedDsQuery
.rar=7-Zip.rar
.rat=ratfile
.rc=
.RDP=RDP.File
.reg=regfile
.res=
.rle=
.rmf=AcroExch.RMFFile
.rmi=midfile
.rnk=rnkfile
.rpc=
.rpm=7-Zip.rpm
.rqy=rqyfile
.rsp=
.rtf=Word.RTF.8
.s3m=Winamp.File
.s3z=Winamp.File
.sam=
.saz=Fiddler.ArchiveZip
.sbr=
.sbw=SBWizard.Document
.sc2=
.scf=SHCmdFile
.scp=txtfile
.scr=scrfile
.sct=scriptletfile
.sdb=appfixfile
.secstore=AcroExch.SecStore
.sed=
.shb=DocShortcut
.shs=ShellScrap
.shtml=FirefoxHTML
.shw=
.sit=
.skype=Skype.Content
.slk=Excel.SLK
.sna=Snapshot-File
.snd=AUFile
.spc=SPCFile
.spl=ShockwaveFlash.ShockwaveFlash
.sql=
.sr_=
.sst=CertificateStoreFile
.stf=STFFile
.stl=STLFile
.stm=Winamp.File
.stz=Winamp.File
.swf=ShockwaveFlash.ShockwaveFlash
.sym=
.sys=sysfile
.sy_=
.t101=CLSID\{9E56BE60-C50F-11CF-9A2C-FD146FCA}
.tar=7-Zip.tar
.tcs=tcsfile
.text=
.theme=themefile
.tif=MSPaper.Document
.tiff=MSPaper.Document
.tlb=
.tpx=Topo USA 5.0 Project File
.tsp=
.tsv=
.ttc=ttcfile
.ttf=ttffile
.Tub=
.tvp=nView.Profile
.txt=txtfile
.UDL=MSDASC
.uls=ulsfile
.ult=Winamp.File
.url=InternetShortcut
.UserProfile=LiveReg.UserProfile
.uxdc=UXDCFILE
.VBE=VBEFile
.vbs=VBSFile
.vbx=
.vcf=vcard_wab_auto_file
.VcPref=LiveAdvisor.PreferencesFile
.VLB=Winamp.File
.vxd=vxdfile
.wab=wab_auto_file
.wal=Winamp.SkinZip
.wav=soundrec
.wax=WAXFile
.wb2=
.wbk=Word.Backup.8
.wcs=wcsfile
.webpnp=webpnpFile
.whs=WHSFile
.WHT=Whiteboard
.whx=WHXFile
.WinMerge=WinMerge.Project.File
.wiz=Word.Wizard.8
.wk4=
.wll=Word.Addin.8
.wlt=
.wm=ASFFile
.wma=WMAFile
.wmd=WMDFile
.wmdb=WMP.WMDBFile
.wmf=wmffile
.wmp=
.wms=WMSFile
.wmv=Winamp.File
.wmx=ASXFile
.wmz=WMZFile
.wpd=
.wpg=
.wpl=Winamp.PlayList
.wri=wrifile
.wsc=scriptletfile
.WSF=WSFFile
.WSH=WSHFile
.wsz=Winamp.SkinZip
.wtx=txtfile
.wvx=WVXFile
.x=
.xbm=
.xdp=AcroExch.XDPDoc
.xevgenxml=XEV.GenericApp
.xfdf=AcroExch.XFDFDoc
.xht=FirefoxHTML
.xhtml=FirefoxHTML
.xix=
.xla=Excel.Addin
.xlam=Excel.Addin
.xlb=Excel.Sheet.8
.xlc=Excel.Chart.8
.xld=Excel.Dialog
.xlk=Excel.Backup
.xll=Excel.XLL
.xlm=Excel.Macrosheet
.xls=Excel.Sheet.8
.xlsb=Excel.SheetBinaryMacroEnabled.12
.xlshtml=Excelhtmlfile
.xlsm=Excel.SheetMacroEnabled.12
.xlsmhtml=excelmhtmlfile
.xlsx=Excel.Sheet.12
.xlt=Excel.Template
.xlthtml=Excelhtmltemplate
.xltm=Excel.Template
.xltx=Excel.Template
.xlv=Excel.VBAModule
.xlw=Excel.Workspace
.xlxml=Excelxmlss
.xm=Winamp.File
.xml=xmlfile
.xmz=Winamp.File
.xsl=xslfile
.z=7-Zip.z
.z96=
.zap=zapfile
.ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
.zip=CompressedFolder

 

It seems a long list.

 

This presents a big problem, for it used to be easy to watch for excecutables trying to sneak in.

This makes the user's job easier, for AE denies by default any attempt to surreptitiously download|install an executable.

Some recent examples of catching executable code hidden in supposedly non-executable file types:

.gif


.css


.rtf

___________________________________________________

Another surreptitious means of executing a file relies on the fact that a program can read
the file header information, regardless of the file extension. Microsoft Word is a good example.

If I rename Visioneer.doc to Visioneer.tmp, windows should see the .tmp file extension and pass the command
to the Unknown|OpenAs Key in the Registry which will bring up the "Open With" dialog box when you d-click on the file.

But because of the file header information, Windows calls MSWord to happily run (open) the file.
The File Properties reveal that it is a Word Document:


____________________________________________________

In years past this was a sneaky way of embedding a macro virus, and evidently many people
clicked on this type of file in an email attachment.

Since it is easy to disguise a Word document as almost anything, it's just wise to realize that a file
may be something different from what it appears to be.

From a write-up about a MSWord exploit:

http://www.eweek.com/article2/0,1895,2072969,00.asp

This may also apply to other programs.


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

Hi Rmus, AE was the only software that was able to detect the spoofed .gif file( in first snapshot).
I wonder does AE allows u to download beningn .gif images?

 

Is there a tool (more sofisticated that File Properties) that say what content a file has, regardless of its extension?

 

Sorry I was late getting to your PM. Yes, the .gif file downloaded|cached and displayed in the browser as a screenshot of a desktop.


-rich

 

Hello,
lucas & for those wondering, the best way to check a file real type is to view it in a Linux system.
Mrk

 

Hello Mrk,
Do you mean executing it in a Linux environment? I already do that, but I wonder if there's a handy Windows tool which gives lots of info about a file.

 

Did u tried to save it on PC? I wanted to check that.

 

I am guessing Mrk is talking about the 'file' Linux command. For example...

The 'file' command is looking at the first few bytes of my Word doc file, it then looks in another file called 'magic' to display what it knows about the file. It told us OldBaldMikey.doc is a 'Microsoft Office Document'.

The 'magic' file on my SuSe Linux PC is 11589 lines long!

If you open CMD.EXE in your favorite TEXT editor, you will see the first two characters are MZ... most Windows programs (.exe) start with MZ. (FYI: MZ is the initial of Mark Zbikowski, one of the developers of MS-DOS.)

If I rename CMD.EXE to CMD.TXT, the Linux 'file' command will still display it as an M$ exe program.

Linux does not really use file extensions, it looks in the magic file to figure what the file is.

Mike

 

Thanks flinchlock
However, I've read that not all files have the MZ header at the beginning. So, it's a matter of looking for the MZ string.
BTW, FileAlyzer is close to the "handy tool" which I was looking for.
This thread is highly valuable

 

Hello,
I meant even something much simpler for non-CLI people. Any file explorer in Linux will dsplay information about files, including their real type. But many more cool things are possible.
Mrk

 

You're correct Mrkvonic
So simple. I wonder why there's not anything like this for Windows.
I have to play more with Linux.

 

Hello,

It certainly goes to the DOS architecture and 8-bit address shortages that MS people did not know how to deal with.

Think about it. Solaris had their 64-bit servers already in 1992. Even today, Microsoft struggle with 64-bit... It's been 15 years since.

Mrk

 

I said most, not all, but a sheet load.

Maybe better wording is "magic string" or "magic bytes".

Yup.

Also, System Information for Windows has a "File Associations" tab that is MUCH better than using regedit.exe to look at all that stuff.

SIW is also on Ultimate Boot CD for Windows.

Mike

 

Thanks guys

 

I just started reading Windows Desktop and Server Hardening by Roger Grimes. He was joking to name this book "Everyone Else's Windows Security Book Sucks". Owning three other books on windows security I tend to agree

On the accompanying website he has published some excellent material. It can be found by clicking on [download code].