I get the Special Reserve newsletter.
It talked about the BadTrans virus and gave this link to the full article:
http://sp.reserve.co.uk/news/story.php?id=1305&af=uf271101

I opened it and had a read, and apparently the virus sends itself as various file names, which all end in either .pif or .scr.
Hmmmm... I didn't think these could be executed in the same way as an exe. I looked in the registry under HKEY_CLASSES_ROOT and found they were registered. OK, so I rename an exe to pif. It makes it a shortcut to an MS-DOS app or something, BUT it retains its file size. When I renamed it the extension disappeared. I tried renaming it to .exe but it's still a shortcut. I looked for the file on my C drive but nothing. What the hell's going on?? ARGH!!

skud.
Posted on 2001-11-27 14:16:27 by skud
I can't remember off the top of my head what a .pif file is for, but I can say that a .scr IS a standard PE executable: it is a screen saver. Genuine ones shouldn't run without taking a command line argument, which for the standard ones IIRC are /p and /s.
Posted on 2001-11-27 14:27:33 by sluggy
Hi,
For the pif, well I can't say more than you said but for the scr file, just open one Screen Saver with a hexadecimal editor (Ultraedit is great, not only for that) and you'll see that it looks like a prog:
at the beginning there is 'MZ...' and then you can see 'This program cannot be run in DOS mode' and then 'PE'.
So it's a PE file in fact, and I'm pretty sure we can make ScreenSavers with asm32. So it's not so hard to make a virus hidden in a screensaver.

PS: you can also see .data, .code and .rsrc sections after the beginning.
If you want there is a section in the Win32hlp.

:) You can make a screensaver but, please, don't make a virus :mad:.
Posted on 2001-11-27 14:34:02 by Vom-bonjour:-()
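The header walk the previous post describes (MZ, the DOS-mode stub message, then PE and the section table) is what a scanner does when it decides by content rather than by extension. The following is an added example, not code from the thread or from any of its posters; it builds a constructed minimal PE byte layout (not a real screensaver; the sections are named .text, .data and .rsrc) and parses it back. Offsets and flag values follow the published PE/COFF format.

```python
import struct

# Constructed sample (not a real screensaver): the minimum byte layout that shows
# the landmarks the post describes. Offsets follow the PE/COFF file format.
def build_sample_pe() -> bytes:
    e_lfanew = 0x80                       # where the "PE\0\0" signature will sit
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"               # DOS header magic
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    dos_stub = b"This program cannot be run in DOS mode.\r\n$".ljust(e_lfanew - 0x40, b"\0")
    opt_size = 0xE0                       # size of a PE32 optional header
    # COFF header: i386, 3 sections, no symbols, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, raw, 0, 0, 0, 0, flags)
        for name, va, raw, flags in (
            (b".text", 0x1000, 0x400, 0x60000020),   # code
            (b".data", 0x2000, 0x600, 0xC0000040),   # initialised data
            (b".rsrc", 0x3000, 0x800, 0x40000040),   # resources
        )
    )
    return bytes(dos_header) + dos_stub + b"PE\0\0" + coff + optional + sections


def inspect_pe(data: bytes):
    """Return header facts if `data` carries a PE image, else None.

    Works on content alone; the file name and extension are never consulted."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = 0
    if opt_size >= 2 and opt_off + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]
    sections = []
    for i in range(n_sections):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            break                          # truncated section table
        raw_name = struct.unpack_from("<8s", data, off)[0]
        sections.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "is_executable": bool(characteristics & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
        "is_dll": bool(characteristics & 0x2000),          # IMAGE_FILE_DLL
        "has_dos_stub_message": b"This program cannot be run in DOS mode" in data[0x40:e_lfanew],
        "sections": sections,
    }


def describe(filename: str, data: bytes) -> str:
    """One-line verdict a mail or file scanner could log."""
    info = inspect_pe(data)
    if info is None:
        return f"{filename}: not a PE image"
    kind = "DLL" if info["is_dll"] else "executable"
    return f"{filename}: {info['format']} {kind}, sections {', '.join(info['sections'])}"


if __name__ == "__main__":
    print(describe("card.scr", build_sample_pe()))
    print(describe("notes.txt", b"Just a text note.\r\n"))
```

The point of `inspect_pe` is that it never looks at the name: a .scr, a .pif or a renamed .txt all get the same answer, which is the property a gateway filter wants.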
A .PIF file is the "Program Information File" for DOS programs. It saves the Properties settings for a specific .EXE or .BAT file.

:)
Posted on 2001-11-27 14:36:53 by S/390
... and I think a .lnk is more or less the same as a .pif. Serves the same purpose anyway. Now, the *reason* for using these file extensions is that they are all ShellExecute()'able. Funny that Windows doesn't seem to care about the file extension, it executes the file depending on its contents. That's why it doesn't really matter if you rename a .exe to a .com or the other way around (well, it didn't matter back when I tested it =).

Now, it's not just *any* ShellExecute()'able file extension you can use. I think to succeed it needs to be handled internally by Windows (ie, you can't make notepad.mp3), and it has to be something Windows recognizes as "executable".

Skud, do you have "show file extensions for known files" turned off? That might explain erratic behavior when renaming files. Everybody should really show their file extensions; hiding them is one of the major reasons these trojans (virii? Hah!) are able to spread. That, combined with the stupidity and horniness of many people.
Posted on 2001-11-27 14:42:57 by f0dder
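The hidden-extension problem raised in the post above can be modelled directly: what does the user see, and does the last extension make the file launchable? The code below is an added example, not from the thread; it uses only the extensions the posts mention as executable (.exe, .com, .bat, .pif, .scr, .lnk), models Explorer's "hide extensions for known file types" option in simplified form (the set of "known" types is just the extensions listed here), and encodes the fact that .pif and .lnk extensions are never displayed regardless of that option (the NeverShowExt value on those registered types). The DOCUMENT_EXTS list is constructed for the double-extension check.

```python
import os

# Extensions the thread names as launchable straight from the shell.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr", ".lnk"}
# Types whose extension Explorer never displays, whatever the folder option says
# (the NeverShowExt value on the registered lnkfile and piffile types).
ALWAYS_HIDDEN_EXTS = {".pif", ".lnk"}
# Constructed list of harmless-looking extensions used in the double-extension check.
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".pdf", ".mp3"}
# Simplified model of "known file types": only what this script lists.
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """What Explorer shows for `filename` under the simplified model above."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext in ALWAYS_HIDDEN_EXTS or (hide_known_extensions and ext in KNOWN_EXTS):
        return stem
    return filename


def triage(filename: str, hide_known_extensions: bool = True) -> dict:
    """Classify one attachment name: is it launchable, and would the user notice?"""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # extension the user would see first
    executable = ext in EXECUTABLE_EXTS
    shown = displayed_name(filename, hide_known_extensions)
    return {
        "displayed_as": shown,
        "true_extension": ext,
        "executable": executable,
        # the launchable extension exists but is not on screen
        "extension_hidden": executable and shown != filename,
        # e.g. card.jpg.scr: a document-looking name in front of a launchable one
        "double_extension": executable and inner_ext in DOCUMENT_EXTS,
    }


def risky_attachments(names, hide_known_extensions: bool = True) -> list:
    """Names a mail filter would hold back: everything the shell would launch."""
    return [n for n in names if triage(n, hide_known_extensions)["executable"]]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mail.
    samples = ["card.jpg.scr", "card.pif", "setup.exe", "notes.txt", "readme.txt.exe"]
    for name in samples:
        print(name, triage(name))
    print("hold back:", risky_attachments(samples))
```

Note that `card.pif` is reported as hidden even with `hide_known_extensions=False`, which is the behaviour skud ran into when the extension "disappeared" after renaming.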
The strangest one I heard of was a "virus-like" activity caused by a .pdf Acrobat file which would work its magic if it was double-clicked on a machine with the full version of Acrobat, not just the Reader.

farrier
Posted on 2001-11-27 15:15:06 by farrier