User:Ruud Koot/Dangerous file types

Executables

 * (386)
 * .COM: Executable [L1]
 * .CPL: Control Panel Extension [L1]
 * (DLL)
 * .EXE: Executable [L1]
 * .SCR: Windows screensaver [L1] [ZA]
 * (SYS)
 * (VXD)

Scripts

 * .BAS: Visual Basic Class Module [L1]
 * .BAT: Batch file [L1]
 * .CMD: Windows NT Command Script [L1]
 * .JS: JScript File [L1]
 * .JSE: JScript Encoded Script File [L1]
 * .SCT: Windows Script Component (FoxPro forms?) [L1] [ZA]
 * .VB: VBScript File [L1] [ZA]
 * .VBE: VBScript Encoded Script File [L1] [ZA]
 * .VBS: VBScript Script File [L1] [ZA]
 * .WSC: Windows Script Component [L1]
 * .WSF: Windows Script File [L1]
 * .WSH: Windows Scripting Host Settings File [L1]

Shortcuts

 * .PIF: Shortcut to MS-DOS program [L1]
 * .LNK: Shortcut [L1]
 * .URL: Internet Shortcut (Uniform Resource Locator) [L1]

Microsoft Office / Visual Studio

 * .ADE: Microsoft Access Project Extension [L1]
 * .ADP: Microsoft Access project [L1]
 * .app: Visual FoxPro Application
 * .DBX: FoxPro table [ZA]
 * .email: Outlook Express message
 * .eml: Outlook Express message
 * .MDA: Microsoft Access Add-in / Microsoft Access Project
 * .MDB: Microsoft Access Application [L1]
 * .MDE: Microsoft Access MDE Database [L1]
 * .mdt: Microsoft Access workgroup information
 * .mdw: Microsoft Access workgroup information
 * .MDZ: Microsoft Access Wizard Template
 * .NCH: Outlook Express Folder File [ZA]
 * .OPS: Office XP settings [L1]
 * .PRF: Microsoft Outlook Profile Settings [L1] [ZA]

Miscellaneous

 * .CHM: Compiled HTML Help File [L1]
 * .CRT: Security Certificate [L1]
 * .HLP: Windows Help File [L1]
 * .HTA: HTML Applications (Microsoft HTML archive?) [L1]
 * .INF: Setup Information File [L1]
 * .INS: Internet Naming Service [L1]
 * .ISP: Internet Communication Settings [L1]
 * .MHT: Web Archive File [ZA]
 * .mhtml: Possible Eudora meta-refresh attack
 * .MSC: Microsoft Common Console Document [L1] [ZA]
 * .MSI: Windows Installer Package [L1] [ZA]
 * .MSP: Windows Installer Patch [L1] [ZA]
 * .MST: Windows Installer transform / Visual Test Source File [L1] [ZA]
 * .PCD: Microsoft Visual Test compiled script (P-Code compiled test scripts) / Photo CD Image [L1]
 * .REG: Registration Entries [L1]
 * .SCF: Windows Explorer command [L1] [ZA]
 * .SHB: Shell Scrap object (Document shortcut) [L1] [ZA]
 * .SHS: Shell Scrap Object [L1] [ZA]
 * .WMS: Windows Media Skin [ZA]

Media

 * .ASX: [L1] [ZA]
 * .EMF: Enhanced Windows Metafile (Graphic format)
 * .EMZ: Compressed EMF
 * .WMF: Windows Metafile

External sources
http://www.waytotheweb.com/avspam/attach.htm

deny \.cnf$ Possible SpeedDial attack
deny \.ins$ Possible Microsoft Internet Comm. Settings attack
deny \.jse?$ Possible Microsoft JScript attack
deny \.lnk$ Possible Eudora *.lnk security hole attack
deny \.ma[dfgmqrstvw]$ Possible Microsoft Access Shortcut attack
deny \.pif$ Possible MS-Dos program shortcut attack
deny \.scf$ Possible Windows Explorer Command attack
deny \.sct$ Possible Microsoft Windows Script Component attack
deny \.vb[es]$ Possible Microsoft Visual Basic script attack
deny \.ws[cfh]$ Possible Microsoft Windows Script Host attack
deny \.xnk$ Possible Microsoft Exchange Shortcut attack
 * 1) These are known to be dangerous in almost all cases.

deny \{[a-hA-H0-9-]{25,}\}$ Filename trying to hide its real extension
 * 1) Deny filenames ending with CLSID's

deny \s{10,} Filename contains lots of white space
 * 1) Deny filenames with lots of contiguous white space in them.

deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding
 * 1) Deny all other double file extensions. This catches any hidden filenames.
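The deny rules above, implemented as an attachment-name filter so they can be run over sample names. This is an added example, not code from the waytotheweb.com page or this list's author; the regexes and reasons are the page's own, while case-insensitive matching and the sample filenames (including the benign double extension that the last rule also catches) are assumptions constructed here.

```python
import re

# Deny rules transcribed from the waytotheweb.com attachment filter quoted
# above: (regex, reason). Patterns and reasons are the page's own wording.
DENY_RULES = [
    (r"\.cnf$", "Possible SpeedDial attack"),
    (r"\.ins$", "Possible Microsoft Internet Comm. Settings attack"),
    (r"\.jse?$", "Possible Microsoft JScript attack"),
    (r"\.lnk$", "Possible Eudora *.lnk security hole attack"),
    (r"\.ma[dfgmqrstvw]$", "Possible Microsoft Access Shortcut attack"),
    (r"\.pif$", "Possible MS-Dos program shortcut attack"),
    (r"\.scf$", "Possible Windows Explorer Command attack"),
    (r"\.sct$", "Possible Microsoft Windows Script Component attack"),
    (r"\.vb[es]$", "Possible Microsoft Visual Basic script attack"),
    (r"\.ws[cfh]$", "Possible Microsoft Windows Script Host attack"),
    (r"\.xnk$", "Possible Microsoft Exchange Shortcut attack"),
    (r"\{[a-hA-H0-9-]{25,}\}$", "Filename trying to hide its real extension"),
    (r"\s{10,}", "Filename contains lots of white space"),
    (r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$", "Found possible filename hiding"),
]

# Assumption not stated on the page: match case-insensitively, because
# Windows treats NOTES.VBS and notes.vbs as the same file type.
COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in DENY_RULES]


def check_attachment_name(name: str):
    """Return the reason of the first deny rule that matches, or None if allowed."""
    for pattern, why in COMPILED:
        if pattern.search(name):
            return why
    return None


# Constructed sample attachment names (not taken from the page).
SAMPLES = [
    "readme.txt",
    "archive.tar.gz",
    "notes.vbs",
    "SETUP.PIF",
    "report.txt.exe",
    "photo.jpg" + " " * 20 + ".scr",
    "invoice.txt.{00000000-1111-2222-3333-444444444444}",  # made-up CLSID
    "index.html.bak",  # benign, but the double-extension rule still fires
]


def scan(names=SAMPLES):
    """Map each name to its deny reason (or None); the last sample shows a false positive."""
    return {n: check_attachment_name(n) for n in names}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{'DENY ' if verdict else 'allow'}  {name!r}: {verdict}")
```

Rules are tested in the page's order and the first hit wins, so a name that is both whitespace-padded and double-extended is reported under the whitespace rule.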

http://www.windowsitpro.com/Files/18/27072/Webtable_01.pdf

Web Table 1: Potentially Dangerous File Types (columns: Extension, File Type, Threat)

 * .ade, .adp, .and: Access project files. Can contain autoexecuting macros
 * .asf, .lsf, .lsx: Streaming audio or video file. Can be exploited through buffer overflows, head malformation, or dangerous scriptable content
 * .atf: Symantec pcAnywhere autotransfer file. Can initiate a pcAnywhere file-transfer session
 * .bas: Visual Basic (VB) class module. Can be a malicious program
 * .bat: DOS batch file. Can contain malicious instructions
 * .cab: Microsoft cabinet archive file. Opens in IE and can help install malicious files
 * .cer, .crt, .der: Security certificate. Can install a malicious certificate in IE to permit automatic downloading of malicious content
 * .chm: Microsoft compiled HTML Help file. Can be used in IE exploits
 * .cmd: NT command script. Can be used to script malicious batch files
 * .com: MS-DOS application. Can be a malicious program
 * .cpl: Control Panel extension. Can install a malicious Control Panel applet
 * .crl: Certificate revocation list (CRL). Can be a malicious list that can cause problems with valid certificates
 * .css: Cascading Style Sheets (CSS). Can be used in IE exploits
 * .dll: Windows DLL application. Can contain malicious code
 * .doc, .dochtml: Word document. Can contain malicious macros, scripting, and links
 * .dot, .dothtml: Word template. Can contain malicious macros, scripting, and links
 * .dsm, .far, .it, .stm, .ult, .wma: Nullsoft WinAmp media file. Can be used to launch malicious exploits
 * .dun: DUN export file. Can contain malicious dial-up connection information that initiates outward calls
 * .eml, .email: Outlook Express email message. Used by Nimda
 * .exe: Application file. Can be used to launch malicious executables
 * .fav: IE Favorites list. Can be used to list malicious Web sites
 * .hlp: Microsoft Help File. Can be used in multiple exploits
 * .ht, .htt: Hyperterminal file. Can initiate dial-up connections to untrusted hosts
 * .hta: HTML application. Frequently used by worms and trojans
 * .htm, .html: IE HTML file. Can initiate an IE session and be used to automatically download and execute rogue files
 * .ini: Application configuration settings file. Can be used to maliciously change a program's default settings
 * .ins, .isp: Internet communication settings. Can be used to initiate Internet connections to untrusted sources
 * .jar: Java archive file. Can launch Java attacks
 * .jav, .java: Java applet. Can launch Java attacks
 * .js, .jse: JavaScript (encoded) file. Can contain malicious code
 * .lnk, .desklink: Shortcut link. Can be used to automate malicious actions
 * .mad, .maf, .mda, .mas, .mag, .mam, .maq, .mar, .mat, .mav, .maw, .mdn, .mdt, .mdx: Access-related files. Can carry out macro manipulations that don't control Office security settings
 * .mdb, .mdbhtml: Access application or database. Can contain malicious macros
 * .mde: Access database with all modules compiled and source code removed. Can contain malicious macros
 * .mhtml, .mhtm: MIME HTML document. Can contain harmful commands
 * .mim: MIME file. Could become a target of future MIME exploits
 * .msc: Management Saved Console file. Can be used to gain privileged access or to cause damage
 * .msg, .mmf: Microsoft Mail or Outlook Express item. Can be used to carry and execute malicious code
 * .msi, .msp: Microsoft Installer package. Can be used to install or modify software
 * .mst: Microsoft Transform file, used during some installation programs. Can be used maliciously
 * .nws: Outlook Express news message. Can carry the Nimda virus or other malware
 * .pdc: VB compiled script. Can contain dangerous code
 * .pif: Program information file. Can run malicious programs
 * .pl: Perl script file. Can contain rogue code
 * .prf: Outlook profile settings. Can override default or trusted settings
 * .ppt, .ppa, .pot, .ppthtml, .pothtml: Microsoft PowerPoint presentation, add-in, or template file. Can contain scripted exploits
 * .pst: Outlook or Exchange personal store file. Can contain malicious attachments and be imported into Outlook or Outlook Express
 * .py: Python script file. Can contain rogue code
 * .reg: Registry entry file. Can create or modify registry keys
 * .rtf: Rich Text Format file. Can script other attacks
 * .scf: Windows Explorer command. Could be used maliciously in future attacks
 * .scp: DUN script. Can initiate rogue outbound connections
 * .scr: Windows screen saver file. Can contain worms or trojans
 * .shs, .shb: Shell scrap object. Can mask rogue programs
 * .slk: Excel Symbolic Link (SLK) data-import file. Can contain hidden malicious macros
 * .stl: Certificate trust list (CTL). Can induce user to trust a rogue certificate
 * .swf, .spl: Shockwave Flash object. Can be exploited
 * .url: Internet shortcut. Can connect user to malicious Web site or launch a malicious action
 * .vb, .vbe, .vbs: VBScript file. Can contain malicious code
 * .vxd: Virtual device driver. Can trick user into saving a trojan version of a legitimate device driver
 * .wbk: Word backup document. Can contain dangerous macros
 * .wiz: Wizard file. Could be used to automate future social engineering attack
 * .ws, .cs, .wsf, .wsc, .sct: WSH file. Can execute malicious code
 * .xla, .xlb, .xlc, .xld, .xlk, .xll, .xlm, .xlt, .xlv: Excel file types. Can contain dangerous macros and code
 * .xls, .xlshtml, .xlthtml: Excel spreadsheet. Can contain dangerous macros and code
 * .xml, .xsl: XML file. Likely to be the next language of choice for malicious coders

http://www.trimmail.com/help/howto/dangerous_extensions_1/

 * ad - Microsoft Access Project Extension
 * asp - Active Server Page
 * vsd - Microsoft Visio File Type
 * vss - Microsoft Visio File Type
 * vst - Microsoft Visio File Type
 * vsw - Microsoft Visio File Type

http://www.comptechdoc.org/independent/security/policies/antivirus-policy.html

3. app - Microsoft FoxPro application is executable code.
4. asp - Active server pages
13. csh
14. dll - Dynamic link library is executable code. Could be placed on your system then run by the system later.
16. fxp - Microsoft FoxPro is executable code.
24. ksh - Unix shell file
36. ops - FoxPro file
40. prg - "FoxPro program source file"
47. url - Internet address
48. vb - Visual Basic file
49. vbe - Visual Basic encoded script file
50. vbs - Visual Basic file
51. vsd
52. vss
53. vst
54. vsw
58. xsl - XML file may contain executable code
59. zip - Many viruses are commonly zipping files to keep them from being scanned and providing instructions to users about how to run the attachment. Many users still do this so to secure the network, it has become necessary to block this attachment type.

http://www.coa.edu/assets/it_downloads/vtutor.pdf

http://www.cknow.com/VirusTutorial.htm (65 of 85)7/2/2005 7:27:53 AM Page 66 Computer Virus Tutorial

 * .386: Windows Enhanced Mode Driver. A device driver is executable code and, as such, can be infected and should be scanned.
 * .ADE: Microsoft Access Project Extension. Use of macros makes this vulnerable.
 * .ADP: Microsoft Access Project. Use of macros makes this vulnerable.
 * .ADT: Abstract Data Type. According to Symantec these are database-related program files.
 * .APP: Application File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
 * .ASP: Active Server Page. Combination program and HTML code.
 * .BAS: Microsoft Visual Basic Class Module. These are programs.
 * .BAT: Batch File. These are text files that contain system commands. There have been a few batch file viruses but they are not common.
 * .BIN: Binary File. Can be used for a variety of tasks and usually associated with a program. Like an overlay file it's possible to infect .BIN files but not usually likely.
 * .BTM: 4DOS Batch To Memory Batch File. Batch file that could be infected.
 * .CBT: Computer Based Training. It's never been made clear why or how these can become infected but Symantec includes them in their default listing.
 * .CHM: Compiled HTML Help File. Use of scripting makes these vulnerable.
 * .CLA, .CLASS: Java Class File. Java applets are supposed to be run in a "sandbox" and thus be isolated from the system. However, users can be tricked into running an applet in a mode that the sandbox considers "secure" so Class files should be scanned.
 * .CMD: Windows NT Command Script. A batch file for NT.
 * .COM: Command (Executable File). Any executable file can be infected in a variety of ways.
 * .CPL: Control Panel Extension. Similar to a device driver which is executable code and, as such, can be infected and should be scanned.
 * .CRT: Security Certificate. Can have code associated with it.
 * .CSC: Corel Script File. A type of script file that is executable. Any executable should be scanned.
 * .CSS: Hypertext Cascading Style Sheet. Style sheets can contain code.
 * .DLL: Dynamic Link Library. Can be used for a variety of tasks associated with a program. DLLs typically add functions to programs. Some contain executable code; others simply contain functions or data but you can't tell by looking so all DLLs should be scanned.
 * .DOC: MS Word Document. Word documents can contain macros that are powerful enough to be used for viruses and worms.
 * .DOT: MS Word Document Template. Word templates can contain macros that are powerful enough to be used for viruses and worms.
 * .DRV: Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
 * .EML, .EMAIL: MS Outlook Express E-mail. E-mail messages can contain HTML and scripts. Many viruses and worms use this vector.
 * .EXE: Executable File. Any executable file can be infected in a variety of ways.
 * .FON: Font. Believe it or not, a font file can have executable code in it and therefore can be infected.
 * .HLP: Help File. Help files can contain macros. They are not a common vector but have housed a Trojan or two.
 * .HTA: HTML Program. Can contain scripts.
 * .HTM, .HTML: Hypertext Markup Language. HTML files can contain scripts which are more and more becoming vectors.
 * .INF: Setup Information. Setup scripts can be changed to do unexpected things.
 * .INI: Initialization File. Contains program options.
 * .INS: Internet Naming Service. Can be changed to point unexpected places.
 * .ISP: Internet Communication Settings. Can be changed to point unexpected things.
 * .JS, .JSE: JavaScript. As script files become vectors more often it's best to scan them. (.JSE is encoded. Also keep in mind that these can have other, random, extensions!)
 * .LIB: Library. In theory, these files could be infected but to date no LIB-file virus has been identified.
 * .LNK: Link. Can be changed to point to unexpected places.
 * .MDB: MS Access Database or MS Access Application. Access files can contain macros that are powerful enough to be used for viruses and worms.
 * .MDE: Microsoft Access MDE database. Macros and scripts make this vulnerable.
 * .MHT, .MHTM, .MHTML: MHTML Document. This is an archived Web page. As such it can contain scripts which can be infected.
 * .MP3: MP3 Program. While actual music files cannot be infected, files with .mp3 extensions can contain macro code that the Windows or RealNetwork media players will interpret and run. So, .mp3 files have expanded beyond pure music.
 * .MSO: Math Script Object. According to Symantec these are database-related program files.
 * .MSC: Microsoft Common Console Document. Can be changed to point to unexpected places.
 * .MSI: Microsoft Windows Installer Package. Contains code.
 * .MSP: Microsoft Windows Installer Patch. Contains code.
 * .MST: Microsoft Visual Test Source Files. Source can be changed.
 * .OBJ: Relocatable Object Code. Files associated with programs.
 * .OCX: Object Linking and Embedding (OLE) Control Extension. A program that can be downloaded from a Web page.
 * .OV?: Program File Overlay. Can be used for a variety of tasks associated with a program. Overlays typically add functions to programs. It's possible to infect overlay files but not usually likely.
 * .PCD: Photo CD MS Compiled Script. Scripts are vulnerable.
 * .PGM: Program File. Associated with a variety of programs; these files interact with such things as database programs to make them look like standalone programs.
 * .PIF: MS-DOS Shortcut. If changed can run unexpected programs.
 * .PPT: MS PowerPoint Presentation. PowerPoint presentations can contain macros that are powerful enough to be used for viruses and worms.
 * .PRC: Palmpilot Resource File. A PDA program (yes, there are rare PDA viruses).
 * .REG: Registry Entries. If run these change the registry.
 * .RTF: Rich Text Format. A format for transmitting formatted text usually assumed to be safe. Binary (and infected) objects can be embedded within RTF files, however, so, to be safe, they should be scanned. RTF files can also be DOC files renamed and Word will open them as DOC files.
 * .SCR: Screen Saver or Script. Screen savers and scripts are both executable code. As such either may contain a virus or be used to house a worm or Trojan.
 * .SCT: Windows Script Component. Scripts can be infected.
 * .SHB, .SHS: Shell Scrap Object File. A scrap file can contain just about anything from a simple text file to a powerful executable program. They should generally be avoided if one is sent to you but are routinely used by the operating system on any single system.
 * .SMM: Ami Pro Macro. Rare, but can be infected.
 * Source: Source Code. These are program files that could be infected by a source code virus (these are rare). Unless you are a programmer these likely won't be a concern. Extensions include, but are not limited to: .ASM, .C, .CPP, .PAS, .BAS, .FOR.
 * .SYS: System Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
 * .URL: Internet Shortcut. Can send you to any unexpected Web location.
 * .VXD: Virtual Device Driver. A device driver is executable code and, as such, can be infected and should be scanned.
 * .WSC: Windows Script Component. Scripts can be infected.
 * .WSF: Windows Script File. Scripts can be infected.
 * .WSH: Windows Script Host Settings File. Settings can be changed to do unexpected things.
 * .XL?: MS Excel File. Excel worksheets can co

http://www.rselby.net/out2_3.htm (Extension / File type)

 * .cer: Public key certificates
 * .fxp: Visual FoxPro Compiled Program
 * .ops: Office XP settings
 * .prg: Visual FoxPro Program
 * PST: Microsoft Outlook personal storage file