3.2 Is a picture worth a thousand worms? by Alibaba

Is a picture worth a thousand worms? It is possible to combine a Trojan or other hostile code with a JPEG, or with a document, using the Object Packager and/or a file combiner. When the result is double-clicked, the hidden program is loaded into memory and executed, and if you are lucky you also get to see a picture, hopefully a nice one, so at least you get nailed while you are enjoying the view.

This is possible because there are file types whose true nature Windows hides. Even the basic step everyone should take (in Explorer, Tools/Folder Options/View, un-tick "Hide file extensions for known file types") does not reveal all of these files, and when double-clicked they can run as a program, a hostile one.

In the early nineties Microsoft introduced OLE (Object Linking and Embedding) into Windows. The idea was that you could, for instance, work with Excel data while using Word: a file pasted into an application carries within itself all the information about its type and its original location. A file of this kind is called a "Shell Scrap Object", or just a "Scrap Object". These files use the extensions .SHS and .SHB (the latter is a shortcut to an object embedded in a document). They get "executed" when they are embedded in another application, but also on their own.

The fun starts when a .shs file is renamed to, say, "nice.txt". It is really "nice.txt.shs", but you will not see the .shs part because Windows hides it. So you can also have a "boobs.jpeg.shs" which appears simply as "boobs.jpeg". Nice idea, isn't it? And with the Object Packager you can also change the icon to anything you like.
These and some other extensions are hidden through the registry: the key HKEY_CLASSES_ROOT\ShellScrap carries a value named NeverShowExt. You could edit the registry to change this, but messing with the registry is not a good idea, and if you remove the value for other types as well you end up seeing extensions you do not need, for instance every shortcut on your desktop would be shown with the extension ".LNK".

One way to find out about these file types is, again, My Computer/Tools/Folder Options/File Types, where you can see every extension associated with each of the programs you have, including Scrap object. You can change the association so that these open with, say, Notepad, so they do not get executed. Another way is to delete or rename shscrap.dll in the Windows System folder.

Again, viruses can hide behind the .shs extension while pretending to be .txt. Of course many AV programs will now catch those. But there are many other hidden extensions, depending on your OS and the programs you use, such as the following, none of which is displayed:

.cnf  Speeddial
.lnk  Shortcut
.mad  Microsoft Access Module Shortcut
.maf  Microsoft Access Form Shortcut
.mag  Microsoft Access Diagram Shortcut
.mam  Microsoft Access Macro Shortcut
.maq  Microsoft Access Query Shortcut
.mar  Microsoft Access Report Shortcut
.pif  Shortcut to MS-DOS Program
.scf  Windows Explorer Command
.shb  Shortcut into a document
.shs  Scrap object
.uls  Internet Location Service
.url  Internet Shortcut
.xnk  Exchange Shortcut

One little exercise you can do is to rename a text file, say Deny.txt, to many other possible 3-character extensions and simply double-click it to see how Windows responds. There is always a possibility that someone will exploit one of the above, or a new one, one day.
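The following is an added example, not code from the original article, showing the naming trick above as a check you can run over a list of file names (for instance e-mail attachments) before anyone double-clicks them. NEVER_SHOW is the extension list given in the text; the EXECUTES and LOOKS_HARMLESS groupings are assumptions chosen for illustration, and the rule that "Hide file extensions for known file types" simply strips the last registered extension is a simplification of Explorer's behaviour. The sample names at the bottom are constructed.

```python
"""Work out what Explorer shows for a file name versus what a double-click runs.

Added example, not from the original article. NEVER_SHOW comes from the
extension list in the text; EXECUTES and LOOKS_HARMLESS are assumed groupings,
and the "known file type" rule is a simplification of Explorer's behaviour.
"""

# Extensions Windows hides regardless of the Explorer option (NeverShowExt).
NEVER_SHOW = {".cnf", ".lnk", ".mad", ".maf", ".mag", ".mam", ".maq", ".mar",
              ".pif", ".scf", ".shb", ".shs", ".uls", ".url", ".xnk"}

# Extensions whose "open" action launches code (assumed, not exhaustive).
EXECUTES = {".shs", ".shb", ".pif", ".lnk", ".scf", ".exe", ".com", ".bat",
            ".vbs", ".js", ".wsh"}

# What a user expects to be a harmless picture or text file (assumed).
LOOKS_HARMLESS = {".txt", ".jpg", ".jpeg", ".gif", ".bmp", ".mp3"}

# Every extension Explorer treats as a "known file type" in this model.
KNOWN = NEVER_SHOW | EXECUTES | LOOKS_HARMLESS


def true_extension(filename):
    """The last extension, lower-cased: this is the one Windows acts on."""
    _, dot, ext = filename.rpartition(".")
    return "." + ext.lower() if dot else ""


def displayed_name(filename, hide_known_ext=True):
    """The name Explorer would show for filename.

    NeverShowExt types always lose their extension; other known types lose it
    only while "Hide file extensions for known file types" is ticked.
    """
    ext = true_extension(filename)
    stem = filename[:-len(ext)] if ext else filename
    if ext in NEVER_SHOW:
        return stem
    if hide_known_ext and ext in KNOWN:
        return stem
    return filename


def is_deceptive(filename, hide_known_ext=True):
    """True when the shown name ends in a harmless-looking extension but the
    real extension is one that executes (nice.txt.shs shown as nice.txt)."""
    shown = displayed_name(filename, hide_known_ext)
    return (true_extension(filename) in EXECUTES
            and true_extension(shown) in LOOKS_HARMLESS)


def flag_attachments(filenames, hide_known_ext=True):
    """Return (shown, real) pairs for the names that would mislead a user."""
    return [(displayed_name(f, hide_known_ext), f)
            for f in filenames if is_deceptive(f, hide_known_ext)]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real mailbox.
    sample = ["boobs.jpeg.shs", "nice.txt.shs", "readme.txt.exe",
              "holiday.jpg", "report.doc"]
    for shown, real in flag_attachments(sample):
        print(f"{shown!r} is really {real!r}")
    # Un-ticking the Explorer option exposes readme.txt.exe but not the .shs files.
    print("with extensions shown:", flag_attachments(sample, hide_known_ext=False))
```

Running it with hide_known_ext=False reproduces the point made in the text: un-ticking the Explorer option exposes "readme.txt.exe", but "boobs.jpeg.shs" is still shown as "boobs.jpeg" because NeverShowExt overrides that setting.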
------------------------------------------------------------------------------------------
A further problem is the Windows Scripting Host. Although it is there to help people write scripts, it has also been exploited to run hostile code, from web sites you visit or from e-mail, which is how a lot of hostile code, viruses and Trojans, is propagated.

The best approach when surfing is to set your browser to prompt you every time Java, ActiveX or any script tries to run, or a site tries to set a cookie. It can be a pain, but it is worth it; after a while you can put the sites you trust in your "Trusted Zone". Another possibility is to use a browser which is not as vulnerable as IE, like Opera.

In Outlook Express, always un-tick the preview pane so that the mail you receive is not opened straight away. You can then right-click a message and go to Properties/Details/Message Source to read its contents in plain text without opening the e-mail at all.

You could also un-install the Windows Scripting Host (Windows Update sometimes asks for it, so it gets re-installed and has to be un-installed once again).

Below are links to some software which can intercept Windows scripting files and the execution of scrap objects:
http://www.analogx.com/contents/download/system/sdefend.htm
http://www.jasons-toolbox.com/scriptsentry.asp
http://www.finjan.com/surfinguard/

One famous site you should bookmark, where you can read about most of the exploits against your OS, browser and mail client: http://www.guninski.com/index.html

Using a dedicated image viewer also helps. IrfanView is free, from http://www.irfanview.com/, and you can make it your default image viewer.
A major point to remember: most of the nasties you pick up through your browser get installed when you reboot. Good housekeeping is to delete all Temporary Internet Files (TIF) before shutting down. This will not prevent buffer overflow exploits, but it will prevent other code from running at reboot. There are also the mm256.dat and mm2048.dat files, a gift from Microsoft, where a lot of data is stored and hidden from the user, except from those who know where they are, and then only under DOS. One recommended program which will show you some of the contents of these files is The Spider: http://www.fsm.nl/ward/spiderus.html. You will be surprised how much information about your browsing is stored without your knowledge.

There are many programs which clear the TIF and the locked files on reboot: Window Washer, Evidence Eliminator, Eraser, CyberScrub and many others. Some of these also overwrite the data so it cannot be recovered by software or hardware tools, and overwrite and clean your swap file, where again a lot of data is not visible but is available by other means. Here is a comparison chart of these programs, possibly biased but still quite useful: http://165.121.190.90/page11.html

Some of those programs are free, and you can also achieve a good clean-up with the following method. Make a new file xyz.txt (right-click/New/Text Document) and write in it:

deltree c:\windows\history
deltree c:\windows\cookies
deltree c:\windows\tempor~1
deltree c:\windows\applog
deltree c:\windows\recent
deltree c:\windows\temp

Written like this, DOS prompts you to answer Y or N on each command; add the /y switch (deltree /y c:\windows\history) and the commands execute without any prompts. Note that deltree removes the whole folder, not just the files in it. It is sometimes necessary not to delete the Temp folder contents right after a Windows update or a new software installation, as some temporary files are needed to complete the installation on reboot.
Then right-click xyz.txt and rename it to "xyz.bat", and place it in C:\. Run Regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, create a new string value named "xyz" and set its value to "c:\xyz.bat". Close Regedit and reboot. Now every time you reboot, DOS deletes the data in those folders. Be aware that the Run key is processed after the Explorer shell has started, so a file the shell has already opened and locked cannot be deleted this way; a batch file called from autoexec.bat runs before Windows loads and does not have that problem. Here is a link, "Scrub Your Hard Drive Clean! (for FREE!)", with 5 different batch files which explain this in more detail and with more options: http://www.langa.com/cleanup_bat.htm
-----------------------------------------------------------------------------------------------
Autostart methods are used by Trojans to finalise their installation on your system. These are the locations:

The Startup folder:
C:\windows\start menu\programs\startup

and the registry keys which say where that folder is:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

The .ini files:
Win.ini
  load=file.exe
  run=file.exe
System.ini
  shell=Explorer.exe file.exe

The Run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

If you suspect you have a Trojan, it is a good idea to check these entries; if you see something suspicious, make a note of it and boot to DOS to delete it.
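As an added example (not from the original article), the check described above written as a script: it reads the load=/run= lines of win.ini, the shell= line of system.ini and the Run/RunOnce/RunServices/RunServicesOnce keys from a REGEDIT4 export, and lists every entry whose program is not on a short allow-list. The win.ini, system.ini and .reg text below are constructed samples, and the KNOWN_GOOD set is an assumption for illustration, not a vetted list of legitimate programs. On a real machine you would export the keys with Regedit and read the .ini files from the Windows folder instead.

```python
"""Audit the Windows 9x autostart locations listed in the text.

Added example, not from the original article. Works offline on constructed
copies of win.ini, system.ini and a REGEDIT4 export; KNOWN_GOOD is assumed.
"""
import re

# --- constructed sample input (not from a real machine) ---
WIN_INI = """[windows]
load=
run=c:\\windows\\system\\upd.exe
NullPort=None
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\windows\\msvc.exe
drivers=mmsystem.dll
"""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"xyz"="c:\\xyz.bat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="SysTray.Exe"
"Patch"="c:\\windows\\system\\patch.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
"""

# Key names (lower-cased suffixes) whose values are launched at start-up.
RUN_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# Programs assumed legitimate, for illustration only.
KNOWN_GOOD = {"scanregw.exe", "systray.exe", "xyz.bat"}


def ini_section(text, section):
    """Return {key: value} for one [section] of an .ini file (keys lower-cased)."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_ini(win_ini, system_ini):
    """Autostart entries from win.ini load=/run= and system.ini shell=."""
    found = []
    windows = ini_section(win_ini, "windows")
    for key in ("load", "run"):
        if windows.get(key):
            found.append(("win.ini [windows]", key, windows[key]))
    shell = ini_section(system_ini, "boot").get("shell", "").split()
    # A clean shell= line is just Explorer.exe; anything after it is launched too.
    if len(shell) > 1 and shell[0].lower() == "explorer.exe":
        found.append(("system.ini [boot]", "shell", " ".join(shell[1:])))
    return found


def audit_reg(reg_text):
    """Values under the Run* keys of a REGEDIT4 export, as (key, name, command)."""
    found, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower().endswith(RUN_KEY_SUFFIXES) else None
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg files double the backslashes; undo that
                found.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return found


def program_name(command):
    """Lower-cased file name of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, may contain spaces
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split()[0] if command else ""
    return first.rsplit("\\", 1)[-1].lower()


def unknown_entries(entries, known_good=KNOWN_GOOD):
    """Entries whose program is not on the allow-list: these deserve a look."""
    return [e for e in entries if program_name(e[2]) not in known_good]


def audit(win_ini=WIN_INI, system_ini=SYSTEM_INI, reg_text=REG_EXPORT):
    """All autostart entries found in the three sources, in source order."""
    return audit_ini(win_ini, system_ini) + audit_reg(reg_text)


if __name__ == "__main__":
    for location, name, command in unknown_entries(audit()):
        print(f"{location}: {name} -> {command}")
```

Against the constructed input the script reports three entries worth looking at: the run= line in win.ini, the extra program appended to shell= in system.ini, and the "Patch" value under RunServices. The Shell Folders key is read but not reported, since its values name the Startup folder rather than a program; a Trojan that points "Startup" at a folder of its own would show up as an unexpected path there, which is why the text lists those keys too.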
There is a little free utility, RegistryProt, a real-time registry monitor which alerts you whenever a key is added or changed and then gives you the option of accepting the change, reverting to the original setting, or deleting the key: http://tds.diamondcs.com.au/
-----------------------------------------------------------------------------------------
Besides all these precautions, you should always keep up to date with the security updates/patches for your system and with your anti-virus and anti-Trojan software. But all of these are usually a response to discovered exploits, not an anticipation of them, so you should always be on your guard. And do not install any software without first scanning it with your anti-virus and anti-Trojan scanners, even if it comes from a trusted site: there was a recent incident where a well-known sound card manufacturer's driver upgrade was contaminated with a virus.

Good luck and happy surfing,
--------------------------------------------------------------------------------