How to Use File Shredder to Permanently Delete Files

In the article “How to Securely Delete a File” we saw that using Windows to delete a file is not the way to do so securely. To completely delete a file you have to overwrite it multiple times with different patterns; something Windows has no capability to do. In this article we discuss how to use the free program File Shredder to securely delete files.

File Shredder is a program that allows you to securely shred one or multiple files using algorithms up to the Guttmann 35-overwrite algorithm. The program will also overwrite and clear all of the free space on a disk and, if you wish, will install a link to the program into the right click context menu for Windows Explorer so that if you are in Explorer and right click on a file you will have an option to shred it or mark it for later shredding.

Installing File Shredder is easy. It comes with a Windows installer that operates much like any other Windows installer. The program installs into the C:\Program Files\File Shredder\ directory by default but you can change that if you need to.

Once installed, to start the program you need only double click on the program icon and you see the main screen…

File Shredder 01 Program Screen

The left menu controls the actions of the program. You have links for adding files or folders or removing them from the file list in the right side of the screen. Below those is a link to shred free disk space and below that is a link for Shredder Settings. That’s the first one you want to take so you can make the program behave as you wish…

File Shredder 02 Settings Dialog

If you want to have the File Shredder option appear in the right click context menu for Windows Explorer make certain the first box is checked. Because file shredding completely removes a file from your system you should also make certain the confirmations are all checked. If you were to make a mistake without confirmation the program would execute your command and if it’s a file you really wanted to keep then you’d have to restore from backups (you do keep backups don’t you!?). With confirmations at least you will have a second chance to bail out before making a mistake.

The Algorithms tab in the Settings dialog allows you to select the exact method you want used to overwrite and “shred” files…

File Shredder 03 DoD Setting

The DoD 5220-22.M standard of three passes over the file with specific patterns is the default selection. Unless you have very sensitive files to delete this will likely do. To recover anything at this level would require very advanced techniques and may not even be possible then. It’s also the fastest secure algorithm in the options. The other two to consider would be the 7 and 35-pass algorithms. These certainly will be more secure than the DoD but will take that much longer to execute. Your choice however. Use what you feel comfortable with.

The Visual Options tab presents options on how the program looks when started…

File Shredder 04 Visual Options

These should be pretty obvious selections. You likely want the program to be visible when you choose to run it and does anybody really want a small utility program to fill the entire screen when it starts???

After shredding individual files you might want to clear the free space on your hard disk. Why? Because the hard disk is divided into sectors of a given length and if a file does not have enough data to fill the last sector written to then whatever was in that sector stays on the disk and could be accessible to any utility that reads the disk byte by byte. If it just happens to be part of a previous version of your password file that data could be useful to someone. The link to clear free space is just above the Settings link in the left menu. When clicked you see the drives on your system…

File Shredder 05 Shred Free Disk Space

Check the one(s) you want to clear the free space on and then select the algorithm to be used. As before, the DoD is probably good enough for most uses unless you are really paranoid or have things that just should not see the light of day on your system. When done setting things up, click on the Next button…

File Shredder 06 Start Menu

The next screen provides some summary information with a Start button. Once the Start button is clicked the free space shredding begins. This can take significant time to complete depending on the size of your disk, the number of files on it, and a variety of other factors specific to each computer system. Do not start this process if you can’t let the computer run. The program will give you an option to abort the process if you need to but even that takes a bit of time while the program cleans up after itself before stopping the process.

Now that things are set up, let’s see the program in action. CKnow set up a test machine and ran the program against several copies of the same 2.4 megabyte file using different algorithms and captured the results in a Flash video. The results can be viewed by clicking on the graphic below…

Well, not quite yet. Still have to edit the video.
[Coming Soon]

Finally, File Shredder will add a shortcut to the right click context menu for Windows Explorer if you told it to do so in the settings above. This gives you the option of having quick access to the program from Explorer…

File Shredder 07 Secure Delete Files

You can see the result in the graphic above where CKnow right clicked on the File Shredder icon and then selected that option. You have the option to immediately shred the file in question using the defaults presently set in the program, mark the file for later shredding, or open the program itself with the file selected.

That’s File Shredder in a nutshell. Interested in the program? Go to their page and read more or download.

This article is part of a series about secure file deletion. The others in the series include: “How to Securely Delete a File” and “How to Use Moo0 FileShredder to Permanently Delete Files”. Related would be the article “What Files to Delete to Maintain Your Privacy [Coming Soon].”

Visual Basic Files

Visual Basic Script files can be used for malicious purposes; particularly in the role of worms.

An exploit that was popular earlier was the Visual Basic Script (VBS) worm. What is VBS? Let’s see what Microsoft says:

Microsoft® Visual Basic® Scripting Edition, a subset of the Microsoft Visual Basic programming language, is a fast, portable, lightweight interpreter for use in World Wide Web browsers and other applications that use Microsoft ActiveX® Controls, Automation servers, and Java applets.

Basically, think about VBScript as a super batch language. VBScript is an interpreted language (so scripts are really the source code for whatever needs to be done). Scripts can be embedded into such things as Web pages or can be standalone files (with the extension .VBS usually).

If you’ve got Microsoft’s Internet Explorer 5 (or later) browser on your system it’s likely you also have the Windows Scripting Host (WSH) which is the program used to interpret and run VBS scripts.

Even though VBScript is a scaled down language it is quite capable and can be used to, for example, connect to Microsoft’s Outlook mail routines and send files to anyone in your address book. This, of course, makes it possible for VBScript to be a language used by worms to spread themselves.

VBScript can be disabled on your system. We have a page that tells you how to do this if you wish. [Update for XP and Vista]

In addition to disabling VBScript consider using a browser where script running can be controlled. One example of this would be the Firefox browser with the NoScript add-on. NoScript intercepts the HTML coming in and disables all commands to run things by default unless you approve the page. You can approve the whole page or just scripts from particular sources.

Summary

  • VBScript is a language that can easily be used to create worms that send themselves and possibly files from your computer to others on the Internet.
  • Consider turning scripting off to prevent your accidentally running a malicious script.

Batch Files

Batch files can be used to transmit binary executable code and either be a virus or drop viruses.

While not often found, it is possible to write a batch file that contains a virus. In most cases the batch file is used to drop a memory or disk virus which then takes over when the computer is next started. These don’t always work, but it is interesting to briefly go over the design so you can possibly recognize this type of virus if you happen to see one.

One batch file virus takes the following form (it’s possible when this page displays you will receive a virus warning if you are running anti-virus software; don’t worry, it’s just triggering off the partial text below which has the virus code removed):

@ECHO OFF
:[ a label of specific form I won't mention ]
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]

The first line causes batch file commands to not display on the screen so you won’t see what’s going on. The second line is a label as far as the batch file is concerned. In reality, this label is what makes the whole thing work so, of course, we’re not going to show any examples. The third line copies the batch file itself to an executable file named Q.COM in the root directory of the C: drive. The output of the COPY command is directed to the NUL device so you see nothing on the screen that indicates this copy took place. Finally, the fourth line executes the newly created Q.COM file.

On the surface you would think that trying to rename a .BAT file to .COM and execute it would result in nothing but errors. Normally, that is the case but the label changes all that. The text up to the label converts to instructions the CPU can execute, but they do nothing. When the label is “executed” this changes. The CPU interprets the label as instructions that cause the CPU to look ahead to the binary instructions in the batch file. These binary instructions are the real virus (or virus dropper).

There are several batch file viruses, but each works in a manner similar to that described above. The labels and batch file instructions may differ; but the method of operation is similar.

Use the characteristics of the virus described above to look for batch file viruses. If there are obscure labels (lines starting with a colon) at the start of a batch file, use caution. Most batch file labels are fairly straightforward words or names. Secondly, if you see a batch file that is several thousand bytes long yet when you use the DOS command TYPE to display it to the screen you only see a few lines, that is another tip-off. Most batch file viruses insert an end-of-file mark (Control-Z) between the batch file portion and the binary instruction portion.
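The two warning signs just described can be checked mechanically. The Python script below is an added example, not code from the original tutorial; the function names, the working definition of a “plain” label, and the sample files (harmless constructed filler bytes) are assumptions of this example.

```python
import re

CTRL_Z = b"\x1a"  # DOS end-of-file mark: TYPE stops displaying at this byte

# Working definition (an assumption of this example) of a "straightforward"
# label: a colon followed by one ordinary word or name.
PLAIN_LABEL = re.compile(rb":[A-Za-z_][A-Za-z0-9_-]{0,63}")


def split_at_eof_mark(data: bytes):
    """Return (text that TYPE would show, bytes after the first Ctrl-Z)."""
    shown, _mark, hidden = data.partition(CTRL_Z)
    return shown, hidden


def odd_labels(shown: bytes, head_lines: int = 5):
    """Return labels among the first non-blank lines that are not plain words."""
    lines = [ln.strip() for ln in shown.splitlines() if ln.strip()]
    found = []
    for ln in lines[:head_lines]:
        if not ln.startswith(b":") or ln.startswith(b"::"):
            continue  # not a label, or the common '::' comment idiom
        if not PLAIN_LABEL.fullmatch(ln):
            found.append(ln)
    return found


def inspect_batch(data: bytes, max_hidden: int = 0) -> dict:
    """Apply both checks to the raw bytes of a .BAT file."""
    shown, hidden = split_at_eof_mark(data)
    # Some old editors pad the end of a file with Ctrl-Z or NUL bytes;
    # that padding alone is not a payload, so strip it before counting.
    payload = hidden.strip(b"\x1a\x00\r\n \t")
    labels = odd_labels(shown)

    reasons = []
    if labels:
        reasons.append("odd label near start of file")
    if len(payload) > max_hidden:
        reasons.append(f"{len(payload)} bytes hidden after end-of-file mark")

    return {
        "size": len(data),          # what DIR reports
        "shown": len(shown),        # what TYPE displays
        "hidden": len(payload),     # the gap between the two
        "odd_labels": labels,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed samples: harmless filler, not taken from any real malware.
BENIGN = b"@ECHO OFF\r\n:menu\r\nECHO 1. Backup\r\nGOTO end\r\n:end\r\n"
BENIGN_PADDED = BENIGN + b"\x1a"  # editor-added end-of-file mark only
SUSPECT = (
    b"@ECHO OFF\r\n:@#~%!?\r\nECHO hello\r\n"  # nonsense label, constructed
    + b"\x1a"
    + bytes(range(128, 256)) * 16              # 2048 filler bytes
)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN),
                         ("benign, padded", BENIGN_PADDED),
                         ("suspect", SUSPECT)]:
        result = inspect_batch(sample)
        print(f"{name}: size={result['size']} shown={result['shown']} "
              f"hidden={result['hidden']} -> {result['reasons'] or 'clean'}")
```

A flagged file is a candidate for a closer look with anti-virus software, not a verdict: a legitimate label followed by a comment on the same line would also be reported as odd.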

Batch file viruses are not common; but be aware they do exist and have been seen in the wild. Indeed, a new worm version surfaced in early June 2002: Cup. This beast is complicated and arrives attached to an E-mail. If executed, Cup creates, executes, and sometimes deletes the files WORLDCUP_SCORE.VBS, EYEBALL.REG, JAPAN.VBS, ENGLAND.VBS, IRELAND.VBS, URAGUAY.VBS and ARGENTINA.BAT. The first file mass mails a file called WORLDCUP.BAT to your Outlook address book. The .REG file assures the worm is run at system start by changing the Windows registry. The worm has other payloads in the various .VBS files. So, you see that batch file viruses/worms can be fairly complicated.

Summary

  • Batch files can be used to transmit binary executable code and either be or drop viruses.
  • To detect these viruses look for two signs:
    • An odd label at the start of the batch file
    • A batch file that is too large for the text in it.

Comments from original post:

charan raj
Said this on 2009-06-17 At 07:23 am
please send me some batch files viruses and hacking techniques.
#2
DaBoss
Said this on 2009-06-17 At 04:39 pm
In reply to #1
In the past these sorts of requests have come in via E-mail and I generally just deleted them without any comment or reply. I’ll do that with future comments of the same sort but just wanted to leave this one here to say that and show people that there are still people out there who don’t have a clue…and, in the case of these people that’s probably for the best. Sighhhhh….

#3
ayush rawat
Said this on 2010-02-05 At 02:42 am
hi, sir
please send me some batch files viruses and hacking techniques.
I am making a project on virus so I want to know can I make a virus or antivirus
please tell me I am hoping a positive response from you….. [In a word: NO –DaBoss]

#4
Edward
Said this on 2010-05-18 At 02:58 pm
Interesting article (randomly came across it whilst looking for workarounds to ‘goto “some nonexistent label”‘…yes I am new to batch).

I still haven’t fully understood why .com ignores the label colon. I would have thought that since : on its own is not a command, the parser would throw an error immediately, though I suppose a pipe then if errorlevel etc might allow you to carry on.

Anyway, just posting to say I find the above two ‘requests’ for building an antivirus extremely amusing. Like you said, fortunately they seem not to have a clue.

~cheers,

Some Virus Threat Details

These pages detail some techniques that various historical viruses/worms use to infect. A current threat feed is also provided.

These pages detail some techniques that various historical viruses/worms use to infect. There is not enough information here to enable you to write a virus (and please don’t ask for more — it won’t be sent!); however, you should get an idea of some past attempts at malware.

These are the viruses described here…

Legacy Viruses

Current Threats

The feeds here are provided by the sites mentioned and the information content belongs to those sites.




Threats RSS Feed - Symantec Corp.

Accurate and up-to-date information on the latest threats. A Threat is an application with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS).




On-going Virus Information

There are many sources for virus information; some are even accurate.

The first place to check often is the web site of your anti-virus provider. There you should find alerts for the latest viruses, information about using their product in the most efficient manner, and, of course, the latest updates. Often you will also find you can join a mailing list and receive upgrade and alert notices automatically via E-mail.

You can also check other anti-virus software vendor sites for their latest alerts and, if you have time and bandwidth to spare, join their mailing lists as well. The tutorial has a list of anti-virus software vendors.

One good general information source is the About.com anti-virus site. It has links to software and information that can help you. The Guide at that site keeps the information fresh…

http://antivirus.about.com/

There are several Usenet newsgroups dedicated to computer viruses. Of these, comp.virus is the best largely because it is moderated by virus experts so the trash postings are suppressed. Unfortunately, the moderator(s) have not been able to process messages very often and so the newsgroup has been quiet for a long time now. The alt.comp.virus newsgroup is often active as an alternative but there are a considerable number of posts in the group that offer either no benefit or are just plain wrong. Use caution if you read alt.comp.virus or any of the other related alt groups.

There are many more sources of information listed in the alt.comp.virus FAQ. It’s posted regularly to alt.comp.virus and comp.virus.

Specific Virus Descriptions

Some anti-virus vendor sites have databases describing specific viruses in varying detail. Check the FAQ link just above for some links or check the AVP, Data Fellows, Symantec, and McAfee vendor sites (click on the anti-virus software link).

Different vendors sometimes have different names for the same virus. If you can’t find a particular virus on one site, check another. You can also check the Virus GREP database which attempts to cross reference all the different virus names. See:

http://www.virusbtn.com/VGrep/

Books

Books which may be of use (a few of these are somewhat dated but still of some value for learning the basics):

  • Viruses Revealed
  • Bigelow's Virus Troubleshooting Pocket Reference
  • Malicious Mobile Code
  • Virus Proof
  • Computer Viruses
  • A Short Course on Computer Viruses

No matter where you get your information, be certain you know the qualifications of the source. Something called the False Authority Syndrome often applies when it comes to virus information.

Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan, Virus, Worm.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 16, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 15, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 15, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 15, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 15, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 14, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 12, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 12, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 12, 2016, 12:00 am
Risk Level: Very Low. Type: Virus, Worm.
Posted: November 10, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 10, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 10, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 8, 2016, 12:00 am
Risk Level: Very Low. Type: Trojan.
Posted: November 8, 2016, 12:00 am


Summary

  • Anti-virus vendor sites are a good source of continuing information.
  • Follow discussions on the newsgroups with great care.
  • Know the qualifications of sources from which you get information.

Thank you for your attention. That’s the end of the tutorial itself. The remaining pages are stand-alone pages linked to by various other pages in the tutorial.


Outlook and Outlook Express

This page will hopefully clarify some of the noted confusion about the ability of Outlook and Outlook Express to interact with worms and viruses. In many ways it’s a shame that Microsoft had to give the programs such similar names. With different names, the confusion that currently seems to exist would not.

Despite the similar names, Outlook and Outlook Express are two different programs with two different development histories.

The Outlook E-mail client was designed as a replacement for the mail clients MS Exchange and MS Mail. Basically, it’s a shoehorn of an Internet mail client into the proprietary MS Mail/Exchange clients.

Outlook Express was a rewrite and expansion of the Internet Email and News client that came with early Internet Explorer browsers (version 3 at least, not certain about version 2).

While Outlook 97 was a full OLE (MS Automation) client and server it did not make methods for accessing the address book and sending mail available to external users (the external user was assumed to know the address it wanted to send mail to). Apparently finding this too restrictive, Microsoft, in Outlook 98, made these interfaces available to external users to work with (i.e., the external user no longer needed to know an E-mail address, they could use addresses stored by Outlook). It’s this change that makes it possible for Outlook 98 (and later) to be used by virus/worm authors to do their E-mail tasks for them.

There presently does not appear to be a way to use the Visual Basic Application language tools built into Outlook for macro virus purposes (as you can with Word and Excel) but future changes may allow this. [STILL TRUE???]

Outlook Express, unlike Outlook, does not presently make any of its mail routines available to MS Automation (at least in all present shipping versions; who knows what the future may bring). [STILL TRUE???]

So, in general, when you see a worm/virus description talk about “Outlook” you can generally assume it means the Outlook program and not the Outlook Express program.

But, as with everything, there is at least one (and in the future more?) caveat. The KAK worm specifically targets Outlook Express by changing the default signature to one containing JavaScript code that acts as a worm. (This is a special case where it appears the worm author was trying to “infect” a program that was not supposed to be able to be infected.)


File Extensions

There is currently a big push toward relying heavily on recognizing “bad” file extensions and acting solely on this knowledge. That’s not necessarily a good thing as extensions can be misleading.

One of the most asked questions lately is “What extensions should I scan and/or watch for in E-mail attachments?” While a valid question, some caveats must be attached to the answer.

First, it’s important to note that over time Microsoft (and others) appear to be working toward making file extensions unnecessary as the sole indicator of file content and creator. This already exists on the Macintosh, where the file creator information is in the file itself, so the file name and extension are no indicator at all of the type of file.

Such behavior is starting to appear under Windows as well. Microsoft Word, for example, will actually examine a file it’s asked to open and, despite the name ending in .DOC, if the file is a template file will open the file as a template (.DOT) file instead. Some Word macro viruses take advantage of this characteristic and save infected files in template format with a .DOC extension.

Another variant of this behavior on Windows computers would be the Scrap Object file which actually can contain most anything from simple text to complex programs. When opened, the operating system determines what the content is and acts accordingly.

Finally, there is the issue of double extensions. To make your viewing easier, Windows offers the option of turning off the viewing of file extensions. If you do that, however, you can easily be fooled by files with double extensions. Most everyone has been conditioned, for example, to believe that the extension .TXT is safe because it indicates a pure text file. But with extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you’ve forgotten that extensions are actually turned off you might think this is a text file and open it. Instead, this is really an executable Visual Basic Script file and could do serious damage. For now you should always have viewing extensions turned on. Here’s how…

In Windows 98 double click to open “My Computer” and then select “View” | “Folder Options”. Select the “View” tab and then scroll down to the entry that says “Hide file extensions for known file types” and make certain it’s not checked. Click OK and then close the My Computer window. With this move you will now see extensions in file directory windows and the option will be picked up by other Microsoft programs like Outlook.

More generally, see the related discussion at this FILExt FAQ.
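The double-extension trap described above, as an added example (not part of the original tutorial): a small Python triage routine that works out what a user sees when extensions are hidden and flags names whose real, final extension is executable while a trusted-looking extension sits in front of it. The `RISKY` and `TRUSTED_LOOKING` sets and the sample attachment names are assumptions constructed for illustration.

```python
import os

# Assumption: a short illustrative subset of executable/script extensions.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".exe", ".com", ".scr",
         ".pif", ".bat", ".cmd", ".hta", ".wsf"}
# Assumption: extensions many users have been conditioned to treat as harmless.
TRUSTED_LOOKING = {".txt", ".jpg", ".gif", ".doc", ".rtf"}


def analyze(filename):
    """Compare the name shown with extensions hidden to the real file type."""
    name = filename.strip()
    stem, real_ext = os.path.splitext(name)    # real_ext is the LAST extension
    _, inner_ext = os.path.splitext(stem)      # the extension the user notices
    real_ext, inner_ext = real_ext.lower(), inner_ext.lower()
    risky = real_ext in RISKY
    return {
        "name": name,
        # Simplification: assumes the final extension is a known (hidden) type.
        "shown_when_hidden": stem if real_ext else name,
        "real_ext": real_ext,
        "risky": risky,
        "disguised": risky and inner_ext in TRUSTED_LOOKING,
    }


def triage(filenames):
    """Sort attachment names into buckets by how they should be handled."""
    buckets = {"disguised": [], "executable": [], "other": []}
    for result in map(analyze, filenames):
        if result["disguised"]:
            buckets["disguised"].append(result["name"])
        elif result["risky"]:
            buckets["executable"].append(result["name"])
        else:
            # "other" is not "safe": these still go to the anti-virus scanner.
            buckets["other"].append(result["name"])
    return buckets


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = ["BAD.TXT.VBS", "holiday.jpg.scr", "setup.exe",
                      "notes.txt", "README"]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        info = analyze(attachment)
        print(f"{info['name']:<18} shown as {info['shown_when_hidden']:<12} "
              f"real={info['real_ext'] or '(none)':<7} "
              f"disguised={info['disguised']}")
    print(triage(SAMPLE_ATTACHMENTS))
```
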

Extensions

So, with the thought in mind that file extensions are likely being phased out over time and can be spoofed, here are some to watch out for (“?” represents any character):

  • .386 – Windows Enhanced Mode Driver. A device driver is executable code and, as such, can be infected and should be scanned.
  • .ADE – Microsoft Access Project Extension. Use of macros makes this vulnerable.
  • .ADP – Microsoft Access Project. Use of macros makes this vulnerable.
  • .ADT – Abstract Data Type. According to Symantec these are database-related program files.
  • .APP – Application File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
  • .ASP – Active Server Page. Combination program and HTML code.
  • .BAS – Microsoft Visual Basic Class Module. These are programs.
  • .BAT – Batch File. These are text files that contain system commands. There have been a few batch file viruses but they are not common.
  • .BIN – Binary File. Can be used for a variety of tasks and usually associated with a program. Like an overlay file it’s possible to infect .BIN files but not usually likely.
  • .BTM – 4DOS Batch To Memory Batch File. Batch file that could be infected.
  • .CBT – Computer Based Training. It’s never been made clear why or how these can become infected but Symantec includes them in their default listing.
  • .CHM – Compiled HTML Help File. Use of scripting makes these vulnerable.
  • .CLA or .CLASS – Java Class File. Java applets are supposed to be run in a “sandbox” and thus be isolated from the system. However, users can be tricked into running an applet in a mode that the sandbox considers “secure” so Class files should be scanned.
  • .CMD – Windows NT Command Script. A batch file for NT.
  • .COM – Command (Executable File). Any executable file can be infected in a variety of ways.
  • .CPL – Control Panel Extension. Similar to a device driver which is executable code and, as such, can be infected and should be scanned.
  • .CRT – Security Certificate. Can have code associated with it.
  • .CSC – Corel Script File. A type of script file that is executable. Any executable should be scanned.
  • .CSS – Hypertext Cascading Style Sheet. Style sheets can contain code.
  • .DLL – Dynamic Link Library. Can be used for a variety of tasks associated with a program. DLLs typically add functions to programs. Some contain executable code; others simply contain functions or data but you can’t tell by looking so all DLLs should be scanned.
  • .DOC – MS Word Document. Word documents can contain macros that are powerful enough to be used for viruses and worms.
  • .DOT – MS Word Document Template. Word templates can contain macros that are powerful enough to be used for viruses and worms.
  • .DRV – Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
  • .EML or .EMAIL – MS Outlook Express E-mail. E-mail messages can contain HTML and scripts. Many viruses and worms use this vector.
  • .EXE – Executable File. Any executable file can be infected in a variety of ways.
  • .FON – Font. Believe it or not, a font file can have executable code in it and therefore can be infected.
  • .HLP – Help File. Help files can contain macros. They are not a common vector but have housed a Trojan or two.
  • .HTA – HTML Program. Can contain scripts.
  • .HTM or .HTML – Hypertext Markup Language. HTML files can contain scripts which are more and more becoming vectors.
  • .INF – Setup Information. Setup scripts can be changed to do unexpected things.
  • .INI – Initialization File. Contains program options.
  • .INS – Internet Naming Service. Can be changed to point to unexpected places.
  • .ISP – Internet Communication Settings. Can be changed to point to unexpected things.
  • .JS or .JSE – JavaScript. As script files become vectors more often it’s best to scan them. (.JSE is encoded. Also keep in mind that these can have other, random, extensions!)
  • .LIB – Library. In theory, these files could be infected but to date no LIB-file virus has been identified.
  • .LNK – Link. Can be changed to point to unexpected places.
  • .M – MATLAB. On 22 April 2006 F-Secure announced a proof of concept virus called Lagob that infects MATLAB m-file source files. The code is prepended to the start of the m-file.
  • .MDB – MS Access Database or MS Access Application. Access files can contain macros that are powerful enough to be used for viruses and worms.
  • .MDE – Microsoft Access MDE database. Macros and scripts make this vulnerable.
  • .MHT or .MHTM or .MHTML – MHTML Document. This is an archived Web page. As such it can contain scripts which can be infected.
  • .MP3 – MP3 Program. While actual music files cannot be infected, files with .mp3 extensions can contain macro code that the Windows or RealNetwork media players will interpret and run. So, .mp3 files have expanded beyond pure music.
  • .MSO – Math Script Object. According to Symantec these are database-related program files.
  • .MSC – Microsoft Common Console Document. Can be changed to point to unexpected places.
  • .MSI – Microsoft Windows Installer Package. Contains code.
  • .MSP – Microsoft Windows Installer Patch. Contains code.
  • .MST – Microsoft Visual Test Source Files. Source can be changed.
  • .OBJ – Relocatable Object Code. Files associated with programs.
  • .OCX – Object Linking and Embedding (OLE) Control Extension. A program that can be downloaded from a Web page.
  • .OV? – Program File Overlay. Can be used for a variety of tasks associated with a program. Overlays typically add functions to programs. It’s possible to infect overlay files but not usually likely.
  • .PCD – Photo CD MS Compiled Script. Scripts are vulnerable.
  • .PGM – Program File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
  • .PIF – MS-DOS Shortcut. If changed can run unexpected programs.
  • .PPT – MS PowerPoint Presentation. PowerPoint presentations can contain macros that are powerful enough to be used for viruses and worms.
  • .PRC – Palmpilot Resource File. A PDA program (yes, there are rare PDA viruses).
  • .REG – Registry Entries. If run these change the registry.
  • .RTF – Rich Text Format. A format for transmitting formatted text usually assumed to be safe. Binary (and infected) objects can be embedded within RTF files, however, so, to be safe, they should be scanned. RTF files can also be DOC files renamed and Word will open them as DOC files.
  • .SCR – Screen Saver or Script. Screen savers and scripts are both executable code. As such either may contain a virus or be used to house a worm or Trojan.
  • .SCT – Windows Script Component. Scripts can be infected.
  • .SHB or .SHS – Shell Scrap Object File. A scrap file can contain just about anything from a simple text file to a powerful executable program. They should generally be avoided if one is sent to you but are routinely used by the operating system on any single system.
  • .SMM – Ami Pro Macro. Rare, but can be infected.
  • Source – Source Code. These are program files that could be infected by a source code virus (these are rare). Unless you are a programmer these likely won’t be a concern. Extensions include, but are not limited to: .ASM, .C, .CPP, .PAS, .BAS, .FOR.
  • .SYS – System Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
  • .URL – Internet Shortcut. Can send you to any unexpected Web location.
  • .VB or .VBE – VBScript File. Scripts can be infected. (.VBE is encoded.)
  • .VBS – Visual Basic Script. A script file may contain a virus or be used to house a worm or Trojan.
  • .VXD – Virtual Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
  • .WSC – Windows Script Component. Scripts can be infected.
  • .WSF – Windows Script File. Scripts can be infected.
  • .WSH – Windows Script Host Settings File. Settings can be changed to do unexpected things.
  • .XL? – MS Excel File. Excel worksheets can contain macros that are powerful enough to be used for viruses and worms.

The above listing has been derived from the default extension lists of various anti-virus programs and from discussions in virus-related newsgroups. It should not be taken as an absolute however. Some viruses/worms have been spread in files with no extension and, as noted, an extension does not necessarily guarantee a particular file type. The meaning for extensions not listed here might be found at http://filext.com/.

The safe option is to allow anti-virus software to scan all files although that may take a considerable amount of time.
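Because an extension does not guarantee a file type, a scanner can compare what the name claims with what the first bytes say. The following Python sketch is an added example, not code from the original tutorial or from any anti-virus product; it generalizes the renamed-DOC-as-RTF case from the list to a few well-known file signatures, and the `EXPECTED` mapping and the sample files are assumptions constructed for illustration.

```python
import os

# Well-known leading signatures ("magic bytes").
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file: DOC, DOT, XLS, PPT, MSI
SIGNATURES = [
    (b"MZ", "executable"),                 # DOS/Windows executable image
    (OLE2, "ole2"),
    (b"{\\rtf", "rtf"),                    # genuine Rich Text Format
]

# Assumption: what content each extension is expected to contain.
EXPECTED = {
    ".exe": "executable", ".dll": "executable", ".cpl": "executable",
    ".ocx": "executable",
    ".doc": "ole2", ".dot": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".rtf": "rtf",
    ".txt": "text",
}


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    head = data[:512]
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    # "text" only means printable ASCII; batch and script files are text too.
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


def check(filename, data):
    """Return (verdict, claimed_kind, actual_kind) for one file."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXPECTED.get(ext)
    actual = sniff(data)
    if claimed is None:
        verdict = "unlisted"       # no expectation recorded for this extension
    elif claimed == actual:
        verdict = "consistent"     # name and content agree; macros still possible
    else:
        verdict = "mismatch"       # name says one thing, content another
    return verdict, claimed, actual


# Constructed sample files: (name, first bytes of content).
SAMPLES = [
    ("letter.rtf", OLE2 + bytes(24)),          # Word document renamed to .RTF
    ("readme.txt", b"MZ\x90\x00" + bytes(60)), # executable image named .TXT
    ("memo.rtf", b"{\\rtf1\\ansi Hello}"),     # genuine RTF
    ("notes.txt", b"plain text\r\n"),          # genuine text
]


def report(samples=SAMPLES):
    """Run check() over every sample and return one row per file."""
    return [(name,) + check(name, data) for name, data in samples]


if __name__ == "__main__":
    for name, verdict, claimed, actual in report():
        print(f"{name:<12} {verdict:<10} claimed={claimed} actual={actual}")
```

A "consistent" verdict only means the name and the content agree; the OLE2 header is the same for a .DOC and a .DOT, so a consistent Word file can still carry macros and still needs scanning.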

Summary

  • While extensions are often touted as being accurate indicators of files that can be infected, history shows they are not. Additionally, they can be spoofed in a variety of ways.
  • The safe option is to allow anti-virus software to scan all files.

Comments from original:

brad
Said this on 2011-02-23 At 12:36 pm
Which file types cannot contain virus malware or the like?
or which cannot be exploited by virus or the like?

[Hard to answer. In general, ANY file type that has a component in it that can be executed either directly or as a macro or some other form of executable content could, in theory, be infected. These days that pretty much leaves pure text files out (but remember that batch file commands are in a pure text file so…). Now, that’s in theory. In practice it would be difficult to infect many of these but I know of no explicit list. For example, rich text files used to be proclaimed “safe” from infection but we now know that to be incorrect. Same for PDF files which, several versions ago, got the capability to contain executable content. So, it’s a moving target. Practically, most files are safe except maybe those that are defined as executable like EXE and script files. –DaBoss]