Text File Virus

By JorgeIvan
in Back Page News

 Share

Recommended Posts

Grand Master

JorgeIvan

Posted
Posted (edited)

This article is about how its sort of possible to write a virus and rename the extension to .txt and for it to execute when the user double clicks on a .txt file. Also Microsoft should fix up this problem before someone writes a virus using this technique.

DISCLAIMER: I AM NOT RESPONSIBLE FOR ANYHTING YOU DO WITH THE INFORMATION IN THIS ARTICLE. YOU AGREE TO ABIDE BY THIS CONDITION BY READING THIS ARTICLE. IF YOU DONT AGREE WITH THIS DONT READ THIS ARTICLE.

Short Intro:

The idea that a user could not get malicious code run on your computer from a .jpg file became false recently. And now for the first time it could be possible to get infected with a text file if it has not allready happened before. (well close to it anyway.)

Recently a article was published on astalavista by Geoff Vass from Australia about how cmd.exe can launch files with a .txt extrension as executables.

In the article it basically said that if you rename a .exe file to .txt and open cmd.exe and run it from cmd.exe it will run as a executable. It went on to say that he emailed microsoft about it and coincidentally shortly after microsoft released a warning about it. To qoute the article directly it said.

Quote:

"So I had an email conversation with the fellas at [email protected] and they felt it was not a problem and would not be changing the behaviour.

Coincidentally, shortly after MS issued KB811528 which says that CMD.EXE

looks at the header of the file and because it is an executable, executes it

and that you should only run code from trusted sources (blah blah blah)."

Unquote:

Note:

If you want to read the full article by Geoff Vass first it is included with this article in the folder called "Article By Geoff Vass" and the file name of "txtrant.txt".

He went on to say that you could hide malicious code in .txt extensions and virus scanners might not scan it and hackers can use it to hide malicious code. He also said that for a .txt virus to actually execute the user will need to open up the command prompt and execute it.

So I thought about it for a while and realized you could just send a virus as a .zip attachment and inside the zip file would be 2 Files. The first file would be a virus but with the actual extension renamed to .txt and perhaps hidden(seeing that the default setting is not to show hidden files). For the purpose of clarity lets just say this file is called "virus.txt"(of course a virus writer could name it whatever they wanted [duh]). The second file would be a shortcut with the following command.

"cmd.exe /c virus.txt"

In case you dont know what that command does it would execute "virus.txt" as an executable and close after the virus has finished installing.

You could also use a command like the following that would erase something of your choice and you would not need two files in the .zip attachment.

"cmd.exe /c del /q c:\windows\*.*"

Also the shortcut file icon is replaced with a text icon.(There is a text icon included with this article). So now the shortcut looks like a text file. It could be named readme.txt and of courseyou cant see the .lnk extension on shortcuts so it would look like a normal text file even if file extensions are shown.

You can change the icon of the shortcut if you go into the properties of the shortcut and click shortcut and click change icon and use the icon included with this article. You could also go to layout(in the properties section still) and have the windows size reduced so that the height is 1 and the width is 1 to make the command prompt windows smaller. Plus you could change the Window position to 999 on both width and height so the user can't even see it.

You can also rename the .txt extension on the actual virus to anything you want such as .jpg and i think anything else too.(I dont think it will execute if the file has no extension though). But give it a try.

The only bad part about it is that the shortcut will have a little arrow in its corner but its more tempting to click that than a .exe file.

Hopefully this will give Microsoft more reason to change cmd.exe so that it does not launch all file types as executable.

Files Included with this Article:

Files included with this article are a text icon in the icon folder, the Article by Geoff Vass from which i thought of this simple idea.(Thanks Geoff). And in the virus folder are a sample virus but the program that the shortcut launches is not a virus. It is just a program to test your cpuspeed.(If you wanted a real virus there you can make your own and use this technique to launch it).

Author: A+

Email: [email protected]

Attachment removed. Please don't attach files that could potentially be harmful to users

Edited by configure
Link to comment
https://www.neowin.net/forum/topic/224440-text-file-virus/
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Apple reluctantly forces strict new age checks on Texas users starting today

      By excalpius · Posted

      Unsurprisingly, there's what the law says and what the old white wealthy males legally enforce...
    • [NEWS] Over 105000 games are available to play on Linux.

      By Circaflex · Posted

      Or anything online that requires an anti-cheat
    • Here is the new Surface Laptop Ultra wallpaper in high resolution

      By FunkyMike · Posted

      Gf needed a new Surface and was looking at a Surface Laptop because of the Snapdragon. Seeing as it was a two year old chip she just decided to get a Lenovo Yoga 2 in 1 instead. Personally this Surface Ultra Cassis reminds me a bit of Razor. It would be interesting if it could handle proper gaming and be 17 inch.
    • [NEWS] Over 105000 games are available to play on Linux.

      By Case_f · Posted

      No idea, frankly, I'm not into minimum requirements gaming, but it would be an interesting test to find out. Also, I just have to point out that it wasn't my intention to downplay the performance of DXVK on Linux or Linux gaming in general (despite my own experience being a bit of a mixed bag). I just thought it would be good to point out that DXVK is not Linux exclusive and that you can benefit from using it even in Windows.
    • Fastfetch 2.64 released bringing new logos and other improvements

      By David Uzondu · Posted

      Fastfetch 2.64 released bringing new logos and other improvements by David Uzondu Fastfetch, the popular command-line system information tool that developers created as a fast alternative to the classic Neofetch utility, has updated its codebase to version 2.64, bringing experimental scripting power, streamlined compilation options, a smarter logo renderer, and Codec module support. As noted earlier, Fastfetch can now detect hardware-accelerated video codecs across Windows, macOS, Linux, and Android through this new Codec module. On Linux and BSD, the utility uses VA-API by default, with a fallback to VDPAU on Nvidia hardware if compiled with libva and libvdpau. Windows users get D3D12VA on Windows 11 or D3D11VA with Media Foundation Transforms on older systems, while macOS relies on VideoToolbox and Android utilizes AMediaCodec. You can manually toggle Vulkan Video via the config file, and the program will report both encoders and decoders unless configured otherwise. Logo support for Quasar, Origami, Origami_small, NixOS2, and BerserkArch also landed in this release. BerserkArch, if you have never heard of it, is a specialized Arch Linux derivative that targets security researchers and power users. This distro comes with an offensive security tool manager, simply called berserk, which allows users to install complex hacking toolkits with single terminal commands. Moving on, Fastfetch now has experimental scripting options for custom formats using Lua or QuickJS. The Lua integration supports versions 5.3 through 5.5, sharing a single interpreter instance across all modules so you can store variables globally. T Alternatively, if you prefer JavaScript, you can use QuickJS-ng version 0.15.0 or newer to evaluate your custom formats with the qjs: prefix. Other changes that version 2.64 brings include native CMake compilation flags to disable specific modules to shrink the final binary size. Users can delete unwanted ASCII logo files directly from the source directory before building to save additional space. The format engine now boasts ANSI-escape awareness, meaning you can center text with the new vertical bar specifier without breaking colored outputs. Haiku users receive preliminary support for boot manager, window manager theme, screen brightness, and other basic properties. Finally, the Linux edition now extracts desktop wallpaper and theme details from the modern COSMIC desktop environment.

  • Recent Achievements

    • Apprentice
      fernan99 went up a rank
      Apprentice
    • One Month Later
      nothanks earned a badge
      One Month Later
    • One Month Later
      B2Proxy earned a badge
      One Month Later
    • One Year In
      MadMung0 earned a badge
      One Year In
    • Week One Done
      jefred earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      474
    2. 2
      PsYcHoKiLLa
      247
    3. 3
      Skyfrog
      79
    4. 4
      FloatingFatMan
      78
    5. 5
      Michael Scrip
      59
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!