New Malware Attack Is A Reminder To Not Hide File Extensions

A malware attack spread by email this week acts as a reminder of why it is still important to not hide extensions for known file types. Sophos report how a malicious email, supposedly from Microsoft, is making its way around the net.

The text of the email is genuine and replicates an official Microsoft message in August detailing changes to the Microsoft Services Agreement. However, this email contains an attached file called Microsoft-Services-Agreement.pdf.exe which is a nasty backdoor Trojan.

An extension is a set of characters at the end of a file name that determines which program should open it. The genuine extension is always the last extension – so it’s easy to see that the above attachment is a .exe file – an executable (program) not a harmless PDF document.

However, in Windows, extensions for known file types such as .exe are hidden by default. The above email attachment would appear as Microsoft-Services-Agreement.pdf so a user would think it is a harmless PDF – all because Windows is hiding the real .exe extension. Thanks Microsoft…

It is important to unhide file extensions so you can see the full filename and therefore spot such suspicious ‘double’ extensions. The method to unhide them is slightly different depending on your version of Windows:

Windows 7 and Vista

  • Open any folder
  • Click ‘Organize’
  • Click Folder and Search options then click the View tab
  • Scroll down to ‘Hide extensions for known file types’ and untick the checkbox – click ‘Yes’ to accept the warning message if it appears
  • Click OK to finish

[to hide file extensions, follow the same process but tick the checkbox]

Windows XP

  • Open My Computer
  • Click Tools then click Folder Options
  • Click the View tab
  • Scroll down to ‘Hide extensions for known file types’ and untick the checkbox
  • Click OK to finish

[to hide file extensions, follow the same process but tick the checkbox]

[Image: Folder Options dialog – showing file extensions]

Now that extensions are visible, don’t change or delete one by mistake when editing a file or it may no longer open.

Does This Unhide ALL File Extensions?

No, but it does unhide the most common executable program files like .exe so is well worth doing for better security.

Unfortunately, there are a bunch of special executable extensions that will remain hidden even after making this change. These exceptions include .pif .scf .lnk .shs – there are around 20 in total and they pose a similar risk.

Even after unhiding known extensions, Windows will display a virus called song.mp3.pif as song.mp3. [It is possible to see the real .pif file extension in a DOS window, but that isn’t going to help if viewing an email etc.]

You can unhide these extensions too but it requires editing the registry which can make the desktop and start menu look really messy e.g. shortcuts in the Start Menu will have a .lnk extension showing at the end…

Advanced users who know how to back up the registry first (and don’t mind the ugly appearance) can follow the EmbeddedSysTesting guide to delete all instances of the NeverShowExt key.
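The display behaviour described above can be modelled in a few lines to screen attachment names before a user ever sees them. This is an added example, not code from Sophos or Microsoft; the EXECUTABLE and DECOY lists are constructed and not exhaustive, ALWAYS_HIDDEN holds only the four extensions named in this article, and the model assumes the real extension is a registered file type.

```python
import os

# Extensions the article names as staying hidden even after unticking
# 'Hide extensions for known file types' (a subset; the article says ~20 exist).
ALWAYS_HIDDEN = {".pif", ".scf", ".lnk", ".shs"}
# Constructed, non-exhaustive list of extensions that run code when opened.
EXECUTABLE = {".exe", ".com", ".scr", ".bat", ".cmd"} | ALWAYS_HIDDEN
# Constructed list of document/media extensions commonly used as the decoy.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".mp3", ".txt"}


def displayed_name(filename, hide_known=True):
    """Simplified model of the name Explorer shows for `filename`.

    Assumption: the real (last) extension is a registered file type.
    """
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in ALWAYS_HIDDEN or (hide_known and ext):
        return stem
    return filename


def check_attachment(filename):
    """Report whether `filename` hides an executable behind a decoy extension."""
    name = filename.rstrip(". ")  # Windows drops trailing dots and spaces
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    decoy_ext = os.path.splitext(stem)[1].lower()
    suspicious = real_ext in EXECUTABLE and decoy_ext in DECOY
    return {
        "real_extension": real_ext,
        "shown_by_default": displayed_name(name, hide_known=True),
        "shown_after_unhiding": displayed_name(name, hide_known=False),
        "suspicious": suspicious,
        # True when unticking the checkbox would still not reveal the file type.
        "still_disguised_after_unhiding": suspicious and real_ext in ALWAYS_HIDDEN,
    }


if __name__ == "__main__":
    for sample in ("Microsoft-Services-Agreement.pdf.exe", "song.mp3.pif", "report.pdf"):
        print(sample, check_attachment(sample))
```
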

Conclusion

Microsoft have always tried to make Windows appeal to less experienced users – hiding file extensions is part of that dumbing down process but it does pose a security risk.

Showing known extensions is easy and an obvious security benefit.

The security advantage of displaying special file extensions is perhaps, for many users, outweighed by the inherent risk of changing the registry and the negative impact on UI appearance.