scumware / spyware

Forum Moderators: open

Message Too Old, No Replies

scumware / spyware

Beware of files that have shs file extensions

nativenewyorker

11:36 pm on Jan 11, 2003 (gmt 0)

I just read Marcia's post about a scumware toolbar that replaced her Google toolbar. It reminded me of a little known Windows based vulnerability. It is possible to hide scumware / spyware (and other malicious executables) with .shs file extensions.

Shs files can contain any type of file similar to zipped or rarred files. Potentially, a user can open up an execuable file without knowing about it. The specific danger of .shs file extensions is that they do not show in Windows Explorer even if advanced options are set to display all file extensions. The file can appear to be safe because file.txt.shs is displayed as file.txt even though it is a .shs file that may contain an executable file.

The default for the Windows setting is buried in the Registry under the HKEY_CLASSES_ROOT key. Delete the value in the .shs folder that says NeverShowExt.

Ted

jdMorgan

1:31 am on Jan 12, 2003 (gmt 0)

Interestingly, I find no such "NeverShowExt" keyname related to .shs files in my registry. Several keys exist for the shell scrap file type, but all are empty. I do find the NeverShowExt keyname in several context handlers and classes, however.

This (my current) machine is WinME. What version(s) of Windoze does this apply to?

Thanks,
Jim

nativenewyorker

1:53 am on Jan 12, 2003 (gmt 0)

Hi Jim,

I run Win2000 and it was present on my machine. I guess this is a change they finally made in the last 2 years with WinME and WinXP. Of note though, is that their service packs never addressed this vulnerability.

Ted

jdMorgan

2:04 am on Jan 12, 2003 (gmt 0)

nny'er,

Thanks - Poking around in the classid's, it looked to me as if WinME has a specific dll to be used to handle shell scraps - maybe they put hooks in that dll to prevent further problems. I hope so, because I was fervently hunting for that keyname under the various .shs keys, and was not happy when I couldn't find it!

I seem to remember (vaguely) some discussion of this shell scrap vulnerability, but can't for my life remember where. I'll post if that synapse reactivates sometime soon.

Moral - Don't let Windoze "hide" anything!

Jim

ann

8:05 am on Jan 13, 2003 (gmt 0)

Hi,

Just went through some heavy duty spyware take over on my brothers machine which I had to clean....after spending fourteen hours and two days working on it manually I went home and surfed for some help!

Found net intergration,com where you can get a continually updated spybot search and distroy, free.

Then came accross spywareinfo,com support forum and there you will find some of the most helpful people on the planet! As well as more software....like HijackThis

I used to rec. lavasoft adaware but not anymore....if you surf around these sites you will see why.

I tried spybot s&d on my computer..I had just done a reformat and restored everything then ran adaware which said I was spyware free...HA!

S&D found about 6 lurking...

Just trying to help out...all this stuff is for free and like I said, they are really helpful folks.

Ann