Invisible File Extensions in Windows

Invisible file extensions on Windows
By Floydman,
Bachelor in Computer Sciences
floydian_99@yahoo.com
Floydman@hacker.am
May 7th, 2001

Abstract

The goal of this paper is to present the research I made on invisible file extensions on the Windows operating systems. After I published my initial research material on various places on the internet, many people pointed me to bits of information that were already known on this topic, but that I didn’t know about. However, the experimentation I made brought this problem on a different angle than the other people’s previous work, and somehow complements it. In this paper, I will put together all I found on this topic so far. The ultimate goal is to find a)invisible file extensions, and b)can these invisible file extensions are able to run code, and thus be used to propagate a virus.

Preface

A little while ago, I was having a conversation with some of my colleagues about computer viruses. The “Life Stages” virus was mentioned during the conversation. This virus disguises itself via a file with extension .SHS, while pretending to be a .TXT file. This was possible because the .SHS extension is hidden by Windows, even if it is configured to display all files, all extensions (even for known file types) and the file actually passes for a (almost) real .TXT file. Following this conversation, I thought to myself “I wonder if there are any other file extensions with this attribute that could potentially be used in a virus design?”. This is what I found so far.

Targeted audience

This document is presented to anyone who has interests in computer security, viruses, operating systems and computing in general.

Special Thanks to : Tony, Ken Brown, JFC, Henri, Seva Gluschenko, Adam L. Simms and a couple others for your input in this paper and pointing me at good directions. Thanks also to the original researchers who found some of the things explained here.

Table of contents

1. Introduction
2. The .SHS file type
3. The NeverShowExt registry key
4. CLSID
5. The ability to execute code
6. Conclusion
Appendix A. The Perl script
Appendix B. The file extensions list

1. Introduction

A little while ago, I was having a conversation with some of my colleagues about computer viruses. The “Life Stages” virus was mentioned during the conversation. This virus disguises itself via a file with extension .SHS, while pretending to be a .TXT file. This was possible because the .SHS extension is hidden by Windows, even if it is configured to display all files, all extensions (even for known file types) and the file actually passes fot a (almost) real .TXT file. Following this conversation, I thought to myself “I wonder if there are any other file extensions with this attribute that could potentially be used in a virus design?”.

To do this research, someone suggested me that I plunder the registry, since all file extensions are (supposed) to be listed there. But the registry gives little if no information at all about what is the purpose of a certain file extension in the system, neither about what visual behavior they present to the user (which in turn can use the user gullibility to activate a virus). What was interesting me if how Windows presents the file via the GUI, not just the list of extensions recognized by Windows. Also, I didn’t really trust the registry to hold all and every file extension it uses all in the same place (after all, we trusted it to display all file information, didn’t we?).

It was only after that some people pointed me some research on this topic that was done about a year before. It turns out that the invisibility is caused by a registry key named NeverShowExt. Knowing this, finding invisible extensions becomes a breeze, but back then I didn’t know this and looking in the registry to find you-don’t-exactly-know-what-you’re-looking-for was like searching a needle in a haystack. So I made a Perl script that would generate all possible combinations of 1, 2 and 3 characters long file extensions. I did not test 4, 5 and more letters file extensions, because I did not have the time to plunder through all the possible combinations. But as I have been pointed out, the Windows operating system supports file extensions longer than 3 letters (.HTML is the prime example). Also, the registered file types will vary from one computer to another, since this is tightly related to the installed applications. Some applications will also rename common known file types to their own application name. For these reasons, and also because didn’t want to spend the time to put all the extensions names right, I simply put it on the list as it was identified in my Windows Explorer. This list is given as extra side-information, but should not be considered as “the ultimate windows file extensions list”. But since Seva Gluschenko took the time to send me many corrections, I have updated the list accordingly.

2. The .SHS file type

The most known file type that is invisible is .SHS, since the “Life Stages” virus used this “feature” to camouflage a virus in what looked like an innocent .TXT ascii file. But the most common invisible file type is used by practically everybody, and that is the .LNK, which are the shortcuts you use on your desktop or menus to open up applications and files. We use to take these shortcuts as an object of the operating system, but in fact they are only small files, with a hidden .LNK extension appended to it.

So, back to .SHS, it stands for Shell Scrap. It’s an old dinosaur from Windows 3.1 that have been mostly unknown until only a couple of years ago. It is used for OLE (Object Linking and Embedding), and using a Shell Scrap, you can just include any file you want, even an executable, in a Word document, for example, and the system will open it for you. The .SHS file will bear an icon reassembling somewhat the one of Notepad, but still slightly different (the bottom of the page is ripped). The .SHS extension itself is invisible, as we said, so you can make it look like it is something else.

For an excellent overview of Shell Scraps, see http://www.pc-help.org/security/scrap.htm.

3. The NeverShowExt registry key

At this point, I should clarify that when I say that a file extension is invisible, I mean that it is not showing in Windows Explorer, even if you have specified every configuration options to display everything there is to display(“Show hidden files and folders”, “Hide file extensions for known file types”, “Hide protected operating system files”). Although, if you look at these file by displaying the content of a directory in a DOS box, then you’ll see the whole filename and extension(s). The component in Windows that makes some files display this kind of behavior is a registry key named NeverShowExt. Here is an example of how this is used in the registry:

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@=”Scrap object” REG_SZ
“NeverShowExt”=”” REG_SZ

Here are the file extensions that were invisible (or displayed other non standard behavior) by default on my system:

.cnf SpeedDial (Extension not visible)
.lnk Shortcut (Extension not visible)
.mad Microsoft Access Module Shortcut (Extension not visible)
.maf Microsoft Access Form Shortcut (Extension not visible)
.mag Microsoft Access Diagram Shortcut (Extension not visible)
.mam Microsoft Access Macro Shortcut (Extension not visible)
.maq Microsoft Access Query Shortcut (Extension not visible)
.mar Microsoft Access Report Shortcut (Extension not visible)
.mas Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat Microsoft Access Table Shortcut (Extension not visible)
.mav Microsoft Access View Shortcut (Extension not visible)
.maw Microsoft Access Data Access Page Shortcut (Extension not visible)
.pif Shortcut to MS-DOS Program (Extension not visible)
.scf Windows Explorer Command (Extension not visible, generic icon)
.shb Shortcut into a document (Extension not visible)
.shs Scrap object (Extension not visible)
.uls Internet Location Service (generic icon)
.url Internet Shortcut (Extension not visible)
.xnk Exchange Shortcut (Extension not visible)

Here is a command line directory listing of some test files I made:

dir test.*
Directory of C:\TEMP
2001-03-30 12:49 7 test.cnf
2001-03-30 12:49 7 test.lnk
2001-03-30 12:49 7 test.mad
2001-03-30 12:49 7 test.maf
2001-03-30 12:49 7 test.mag
2001-03-30 12:49 7 test.mam
2001-03-30 12:49 7 test.maq
2001-03-30 12:49 7 test.mar
2001-03-30 12:49 7 test.mas
2001-03-30 12:49 7 test.mat
2001-03-30 12:49 7 test.mav
2001-03-30 12:49 7 test.maw
2001-03-30 12:49 7 test.pif
2001-03-30 12:49 7 test.scf
2001-03-30 12:49 7 test.shb
2001-03-30 12:49 14 test.shs
2001-03-30 12:43 7 test.shs.txt
2001-03-30 12:42 7 test.txt
2001-03-30 12:42 7 test.txt.shs
2001-03-30 12:42 7 test.uls
2001-03-30 12:49 7 test.url
2001-03-30 12:49 7 test.xnk

On the explorer-like tools that look appears as test, test, test, test,
test, test, test, test, test, test, test, test, test, test, test, test,
test.shs.txt, test.txt, test.txt, test.uls, test, test.

Of course, if I would have taken some time to do some research on internet, I would have known this, and then I would have made a simple search for “NeverShowExt” in the registry, and voilà(<–BTW, this is how this word is really spelled), I would have had the list of extensions that were invisible on my computer. This “feature” can be added to any extension, and it can also be removed (by adding or deleting the NeverShowExt keys in the registry).

4. CLSID

Excerpt from http://msdn.microsoft.com/library/psdk/com/reg_6vjt.htm
“CLSID Key
A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, then you need to register a CLSID for each supported class of objects.

Registry Entry
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID = <CLSID>

Value Entries
<CLSID>
Specifies a name that can be displayed in the user interface.
Remarks
The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state. To obtain a CLSID for your application, you can use the UUIDGEN.EXE found in the \TOOLs directory of the COM Toolkit, or use CoCreateGuid. The CLSID is a 128 bit number, spelled in hex, within a pair of braces.”

Shortly after I posted my initial research material, I was contacted by Adam L. Simms about an e-mail thread concerning hidden CLSID extensions. Curious to know more on this topic, he forwarded me a part of the e-mail thread containing information about this. As we have seen at the beginning of this chapter, a CLSID is a unique-number descriptor to register applications in an object liking an embedding scheme. In Windows, applications and the various file extensions they are using are closely related. This is why, for example, a .DOC file is associated to the Word application. Well, as it turns out, you can create a file, and instead of putting a normal file extension as we normally do, we can put the associated CLSID as the file’s extension. But what’s more interesting, it’s that the file will automatically assume the properties of the associated file extension, and the extensions itself will be invisible.

Here are some examples of CLSID:

html application (.HTA) {3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
mhtml document {3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
xml {48123bc4-99d9-11d1-a6b3-00c04fd91555}
xsl {48123bc4-99d9-11d1-a6b3-00c04fd91555}
html {25336920-03F9-11cf-8FD0-00AA00686F13}

I made some tests to verify the extent of this “feature”, and the results surprised me very much. I created some files using the html_application and html CLSID above. I also created similar files with their associated extensions. I also made some files using randomly chosen CLSID from my registry. While looking at the registry for these extensions and CLSID in [HKEY_CLASSES_ROOT], I also found several descriptors that looked like Access.ShortCut.Macro, Amovie.ActiveMovie Control and CDDBControl.CddbURLManager. Now knowing about the CLSID problem, I found it wise to test a few of these also, just in case 😉

In DOS, the files looked like

Volume in drive D is CD
Volume Serial Number is 443F-FFED
Directory of D:\work\temp

. <DIR> 05-08-01 12:35a .
.. <DIR> 05-08-01 12:35a ..
TEST HTA 0 05-08-01 12:36a test.hta
TESTTX~1 {25 0 05-08-01 12:37a test.txt.{25336920-03F9-11cf-8FD0-00AA00686F13}
TESTTX~1 HTM 0 05-08-01 12:38a test.txt.html
TEST PIF 0 05-08-01 12:38a test.pif
TEST~1 PIF 0 05-08-01 12:38a test.piffile
TESTAC~1 APP 0 05-08-01 12:39a test.Access.Application
TESTAC~1 1 0 05-08-01 12:40a test.Access.ShortCut.Macro.1
TEST~1 {9E 0 05-08-01 2:49p test.{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
TEST~1 {9C 0 05-08-01 2:53p test.{9CBBB803-D654-11D1-8818-C199198E9702}
TEST~1 {94 0 05-08-01 2:55p test.{944d4c00-dd52-11ce-bf0e-00aa0055595a}
TEST~1 {30 0 05-08-01 4:26p test.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
11 file(s) 0 bytes
2 dir(s) 580,976,640 bytes free

In Windows Explorer, the file names are displayed as test, test, test, test, test.Access.Application, test.Access.ShortCut.Macro.1, test.hta, test, test.piffile, test.txt and test.txt.html. However, the “Type” column displays the following information (in the same order): HTML Application, DirectDraw Property Page, SwiftSoft MMLEDPanelX Control, {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}, APPLICATION File, 1 File, HTML Application, Shortcut to MS-DOS Program, PIFFILE File, Microsoft HTML Document 5.0, Microsoft HTML Document 5.0. It should also be noted that the icons associated with these files were the generic file icon, except for the following: test.{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} displays an enveloppe icon; as in an e-mail software, test.pif have a little arrow on its icon, just like any shortcut link; and the two files identified as Microsoft HTML Document 5.0 have the Internet Explorer icon. It should be pointed out that results may vary.

We can see that Windows Explorer assimilates rather easily CLSID extensions, hiding from view in the file name itself, and translating it to it’s corresponding file type in the Type column. This makes it even easier than with Shell Scrap to make dangerous files look innocent to the blind-trusting user, who probably have is Windows Explorer display on “Small Icons” instead of “Details”, with other configuration by default.

5. The ability to execute code

The ability to make a file look like a different type of file, by hiding the file’s extension for example, was only the first aspect of the research project. For a virus to be viable, we also need to be able to run code. From the list of hidden extensions displayed in chapter 3, I wanted to find out which of these extensions could be used to execute code, which means that it can potentially be used to propagate a virus or other type of malware. My point? That current mail filtering softwares that block certain types of attachment simply don’t work. I never thought that this method was a sufficient guard to protect against viruses, since these software will always block the same commonly-used file extensions like .EXE, .COM, .VBS, .SHS, .DLL and the like. But these softwares weren’t blocking .SHS before IRC/Stages.worm (Life Stages). And the same will happen when a virus uses one of the flaw described in this paper to propagate itself, because of mainly two things: 1)the products are not proactive, they are reactive, i.e. the software (or software makers) make very little efforts to block never-used-before file extensions that can spread viruses and will update their products accordingly only after it have been ssen in the wild, and 2) people still use some version of Outlook, which is the weakest link of the chain. Instead of reinforcing the chain by replacing the weakest link, they reinforce the other links of the chain, so it is sure that the weakest link (Outlook in this case) will be the culprit when the next virus hype comes on their PCs and networks (the chain breaks). I’ll cite as an example the last place I worked at. They were an IT shop that purchased some months back a small computer security firm, because they decided that they wanted to sell security(!). They were using Outlook, even if people from the security shop (including me) tried to convince them that it was not a good idea. The risks were too great to be infected and have a virus send itself to our customers from our mailboxes. That would kill all our credibility right there. But they decided to keep it, and even forced us to use it, so we could be using the same software as everybody else. Guess what happened? Yep! One morning, 2 PCs got infected with the charmant Kournikova virus, sending some copies of itself internally. Luckily, the 2 people disconnected their PC right away and this prevented any customers to receive the virus from us. That was a close call. The Kournikova virus slipped our firewall (which makes sense, since one is not designed to block the other), our MailSweeper box that filters e-mails against bad attachments, and the Norton Antivirus installed on the PCs. Had they not been using Outlook, the infection would have never occured.

In fact, the CLSID vulnerability (let’s call things with their real names) only makes the problem worse than I originally estimated. While at the beginning of this project, I was worried that unknown file extensions could be used to fool people to click on it and activate virulent code, now thanks to CLSID we also have to worry about already known file extensions as well, as they can be made invisible too without even thinkering with the system (as opposed to the NeverShowExt registry key, which needs to be added in the registry in order to hide a “normal” extension) and unblocked by filtering software (does your mail filtering agent blocks attachements of the {48123bc4-99d9-11d1-a6b3-00c04fd91555} type?). To have an idea of how many systems objects are defined by CLSIDs, check out the registry under [HKEY_CLASSES_ROOT\CLSID]. Just about every component of all the software you know about on your machine is there, and there is even more from the software you probably didn’t even know about. That means you can create a file of any defined type in the system and hide it’s properties by changing the file’s extension by the corresponding CLSID.

The “executability” of a given extension is a relative thing, the things you can and cannot do varies from one file type to another. As one reader noted, you can have different type of “executable files”. The first type, the more common, files that contains code that is activated by the OS when the file is launched. This includes, but is not limited to, .EXE, .BAT, .COM, .VBS, .PL and the like. The second type ressembles the first type very much, but the code will be run in a sandboxed environment, instead of running with full privileges. Such files would be .HTML, .PS and .JS. Then some extensions contain executable fully-priviledged code, but cannot be ran directly: .386, .ASP, .DLL, .DRV and .VXD. Finally, some files contains code that can be runned in a sandboxed envrironment, but cannot be executed directly from the OS. Such a file type is .CSS.

This research focuses mainly on the first type of files, but the other types can probably be used on some attack scenario too. It’s mostly a matter on ingenuity and imagination to find new ways to do old things 🙂 The thing is to find out if the extensions displayed in chapter 3 can be used to run code. I haven’t done much testing on this topic yet (if you happen to play on this topic, let me know of your findings), but it would appear that it is feasible. For example, .CNF (SpeedDial) could potentially be used to make a file that once cliked on, would hang up the modem and make it call a number overseas for phone fraud purposes. Preliminary testing shows that the conditions needed for this scenario to be possible makes it very unprobable to happen in the wild, but technically feasible. But who knows what these other extensions hold? And when you think that still a lot of people are gullible enough to click on a .TXT.VBS file, think what will happen when the .VBS part will be concealed with .{B54F3741-5B07-11cf-A4B0-00AA004A55E8}?

6. Conclusion

Unfortunately, I have not really discovered anything new here (altough I wish I had, but others explored these topics before me), but this paper puts in one place all there is to know about invisible file extensions on Windows, and how this can be exploited to convince a computer user to double-click on a executable file, be it to propagate a virus or to plant a trojan horse. At the light of what is presented here, it is also easy to see the uselessness of software that scans mail in order to block certain type of files, while allowing others (for example, MailSweeper, MailSafe in ZoneAlarm, etc…). A more secure strategy could be by determining allowed file type, and blocking everything else, a bit like in a firewall which allows specific protocols, and blocks everything else. But the main reason why this type of products are useless against this type of attack is primarily because Windows contains these flaws. When I think that the average user still clicks on any attachment he receives, concealed or not, that tells me that this is not the end of the story, and that there will be many other I Love You and Anna.Kournikova viruses to come.

Appendix A. The Perl script

Originally, in order to solve my problem, I made a small Perl script that generates dummy files wearing all possible file extensions under Windows. I included special characters in my analysis, to be sure that nothing is overlooked. The program is displayed below. That version is for 3-characters extensions, remove one or two loops to make 2-characters and 1-character extensions. For analysis clarity, I sorted the files under folders starting by the first letter of the extension. This is necessary for having decent refresh times from Windows Explorer. I also stopped at 3-letters extensions, since four letter extensions would have generated too many combinations to look at, but that doens’t mean that they don’t exist (.html, for example). The Perl script is provided here as reference material, and can be used or modified to repeat similar experiences.

#!C:\perl
@alpha=(“a”,”b”,”c”,”d”,”e”,”f”,”g”,”h”,”i”,”j”,”k”,”l”,”m”,”n”,”o”,”p”,”q”,”r”,”s”,”t”,”u”,”v”,”w”,”x”,”y”,”z”,”0″,”1″,”2″,”3″,”4″,”5″,
“6”,”7″,”8″,”9″,”\$”,”_”,”)”,”(“,”&”,”^”,”%”,”#”,”@”,”!”,”‘”,”-“,”=”,”+”,”;”,”[“,”]”,”{“,”}”);
for($i=0;$i<55;$i++)
{
mkdir $alpha[$i];
chdir $alpha[$i];
for($j=0;$j<55;$j++)
{for($k=0;$k<55;$k++)
{
$ext=$alpha[$i].$alpha[$j].$alpha[$k];
$filename=”test.”.$ext;
open (TESTFILE, “>>”.$filename);
print TESTFILE “bla”;
print “#”;
close (TESTFILE);
}
}
chdir “..”;
}

Appendix B. The file extensions list

Once these extensions were generated, I examined all 169 455 combinations through Windows Explorer, in order to determine the system behavior towards these files. The biggest majority of these files turned out to be generic file extensions, meaning that no application is associated with them, and as such represents no harm in the aspect of this research. So I proceeded to extract all file extensions that Windows knew something about, by examining the file icon and file description. Some of these extensions are native to the Windows operating system, some others are the result of application softwares installed on my machine. For this reason, we can’t qualify this list as “the ultimate file extension list under Windows”, since a system configured for different needs would have produced a different list. However, the list presented here is somewhat complete and is a good reference material. Some application softwares also identify some file extensions with the application name, instead of the more generic extension name (for example, .wav is labeled WinAmp media file). I did not take the time to correct these entries, but I have received some corrections from JFC and Seva Gluschenko, so I have updated the list accordingly, along with remarks about the presence of NeverShowExt or if the files are considered to be executable (question mark ? means possible executable file, but not tested). Executable means it is covered by one of the four types of executability discussed in chapter 5.

This list is provided as is, and is only a by-product of my original research. There could be mistakes or ommissions, if this is the case, simply notify me and I will update the list accordingly. You can always check out the website http://filext.com for a more complete list.

.323 H.323 Internet Telephony
.386 Virtual Device Driver – Executable

.669 WinAmp media file

.aca MS Agent Character file
.acf MS Agent Character file
.acg MS Agent Preview file
.acs MS Agent Character file
.ade MS Access Project Extension – Executable
.adn MS Access Blank Project Template – Executable
.adp MS Access Project – Executable
.aif Mac .aiff Sound Clip
.ani Animated Cursor
.arc PkArc DOS archive
.arj ARJ archive
.art ART image
.asa Active Server Document
.asf Streaming Audio/Video File
.asp Active Server Document – Executable
.asx Streaming Audio/Video shortcut – Executable
.au AU Format Sound
.avi Video clip
.awd Fax Viewer Document

.b64 base64-encoded file
.bas Visual Basic Class Module – Executable
.bat MD-DOS Batch file – Executable
.bhx Mac BinHex-encoded file
.bmp Bitmap Image

.c C source code
.cab Windows propietary archiver
.cat Security Catalog
.cda WinAmo media file
.cdf Channel File
.cdx Active Server Document
.cer Security Certificate
.chm Compiled HTML Help file – Executable
.cil Clip Gallery Download Package
.cmd Windows NT Command Script – Executable
.cnf SpeedDial (NeverShowExt) – Executable
.com MS-DOS Application – Executable
.cpl Control Panel extension – Executable
.crl Certificate Revocation List
.crt Security Certificate
.css Cascading Style Sheet Document – Executable
.csv MS Excel Comma Separated Values file
.cur Cursor

.dcx DCX Image Document
.der Security Certificate
.dic Text Document
.dif MS Excel Data Interchange Format
.dll Application Extension – Executable
.doc MS Word Document
.dot MS Word Template
.dqy MS Excel ODBC Query file
.drv Device Driver
.dsm WinAmp media file
.dsn MS OLE DB Provider for ODBC Drivers
.dun Dial-Up Networking Exported file
.drv Device Driver – Executable

.eml Outlook Express Mail Message
.exc Text Document
.exe Application – Executable, by definition

.far WinAmp media file
.fav Outlook Bar Shortcuts
.fdf Adobe Acrobat Forms Document
.fnd Saved Search
.fon Font file

.gfi GFI File
.gfx GFX File
.gif GIF Image
.gim GIM File
.gix GIX File
.gna GNA File
.gnx GNX File
.gra MS Graph 2000 Chart
.grp MS Program Group
.gwx GWX File
.gwz GWZ File
.gz GNU zip

.h C definition code
.hlp Help File – Executable
.hqx Mac archiver file
.ht HyperTerminal file
.hta HTML Application – Executable
.htm MS HTML Document 5.0 – Executable
.html MS HTML Document 5.0 – Executable
.htt HyperText Template
.htx Internet Database Connector HTML Template

.icc ICC Profile
.icm ICC Profile
.ics iCalendar File
.idf MIDI Instrument Definition
.iii Intel IPhone Compatible
.inf Setup information – Executable
.ini Configuration Settings
.ins Internet Communication Settings – Executable
.iqy MS Excel Web Query File
.isp Internet Communication Setting – Executable
.it WinAmp media file
.its Internet Document Set
.ivf IVF File

.job Task Scheduler Task Object
.jod MS.Jet.OLEDB.4.0
.jpe JPEG Image
.jpg JPEG Image
.js JScript file – Executable
.jse Jscript Encoded Script File Ink Shortcut – Executable

.lnk Shortcut (NeverShowExt) – Executable
.lsf Streaming Audio/Video file
.lsx Streaming Audio/Video shortcut
.lwv MS Linguistically Enhanced Sound File
.lzh LZH DOS archiver

.m1v Movie Clip
.m3u WinAmp Playlist file
.mad MS Access Module Shortcut (NeverShowExt) – Executable?
.maf MS Access Form Shortcut (NeverShowExt) – Executable?
.mag MS Access Diagram Shortcut (NeverShowExt) – Executable?
.mam MS Access Macro Shortcut (NeverShowExt) – Executable?
.maq MS Access Query Shortcut (NeverShowExt) – Executable?
.mar MS Access Report Shortcut (NeverShowExt) – Executable?
.mas MS Access StoredProcedure shortcut (NeverShowExt) – Executable?
.mat MS Access Table Shortcut (NeverShowExt) – Executable?
.mav MS Access View Shortcut (NeverShowExt) – Executable?
.maw MS Access Data Access Page Shortcut (NeverShowExt) – Executable?
.mda MS Access Add-in
.mdb MS Access Database – Executable
.mde MS Access MDE Database – Executable
.mdn MS Access Blank Database Template
.mdt MS Access Add-in data
.mdw MS Access Workgroup Information
.mdz MS Access Database Wizard Template
.mht MS MHTML Document Document 5.0
.mid MIDI file
.mim WinZip file
.mmc Medias Catalog
.mod MODplayer Media file
.mov Quicktime movie clip
.mp1 MPEG1-audio file
.mp2 MPEG2-audio file
.mp3 MPEG3-audio file
.mpa MPEG Movie Clip
.mpe MPEG Movie Clip
.mpg MPEG Movie Clip
.msc MS Common Console Document – Executable
.msg Outlook Item
.msi Windows Installer Package – Executable
.msp Windows Installer Patch – Executable
.mst Visual Test Source Files – Executable
.mtm WinAmp Media file

.nsc NSC File (have an icon, probably associated with Media Player)
.nws Outlook Express News Message

.oft Outlook Item Template
.opx MS Organization Chart 2.0
.oqy MS Excal OLAP Query File
.oss Office Search

.p10 Certificate Request
.p12 Personnal Information Exchange
.p7b PKCS #7 Certificates
.p7m PKCS #7 MIME Message
.p7r Certificate Request Response
.p7s PKCS #7 Signature
.pcd Photo CD Image – Executable
.pcx PCX Image Document
.pdf Adobe Acrobat Document
.pfx Personnal Information Exchange
.pgd PGPDisk volume
.pif Shortcut to MS-DOS Program (NeverShowExt) – Executable
.pko Public Key Security Object
.pl Perl file – Executable
.pls Winamp Playlist file
.png PNG Image
.pot MS PowerPoint Template
.ppa MS PowerPoint Addin
.pps MS PowerPoint Slide Show
.ppt MS PowerPoint Presentation
.prf PICSRules File
.ps PostScript file – Executable
.pwz MS PowerPoint Wizard
.py Python file – Executable

.qcp QUALCOMM PureVoice File
.qt QuickTime Video Clip
.que Task Scheduler Queue Object

.rat Rating System File
.reg Registration Entries – Executable
.rmf Adobe Webbuy Plugin
.rmi MIDI Sequence
.rqy MS Excel OLE DB Query files
.rtf Rich Text Format

.s3m ScreamTracker3 Media file
.scf Windows Explorer Command (NeverShowExt, generic icon) – Executable?
.scp Dial-Up Networking Script
.scr Screen Saver File – Executable
.sct Windows Script Component – Executable
.shb Shortcut into a document (NeverShowExt) – Executable
.shf PGP Share
.shs Shell Scrap object (NeverShowExt) – Executable
.sig PGP Detached signature file
.skr PGP Private Keyring
.slk MS Excel SLK Data Import Format
.snd AU Format Sound
.snp Snapshot File
.spa Flash Movie
.spc PKCS #7 Certificates
.spl Shockwave Flash Object
.sst Certificate Store
.sta sta file (Eudora)
.stl Certificate Trust List
.stm WinAmp media file
.swf Shockwave Flash Object
.swt Generator Template
.sys System file

.tar TAR archive file
.taz gzipped TAR archive
.tgz gzipped TAR archive
.tif TIFF Image Document
.ttf TrueType Font file
.txt Text Document
.tz gzipped TAR archive

.udl MS Data Link
.uls Internet Location Service (generic icon) – Executable?
.ult Winamp media file
.url Internet Shortcut (NeverShowExt) – Executable
.uu UUencoded file
.uue UUencoded file

.vb VBScript File – Executable
.vbe VBScript Encoded Script File – Executable
.vbs VBScript Script File – Executable
.vcf vCard File
.vcs vCalendar File
.voc Winamp Medias file
.vsd VISIO 5 drawing
.vss VISIO 5 drawing
.vst VISIO 5 drawing
.vsw VISIO 5 drawing
.vxd Virtual device driver – Executable

.wab Address Book File
.wav Waveform audio file
.wbk MS Word Backup Document
.wht MS NetMeeting Whiteboard Document
.wif WIF Image Document
.wiz MS Word Wizard – Executable
.wlg Dr. Watson Log
.wm Windows Media Audio/Video File
.wma Windows media audio
.wpd WordPerfect file
.wpz Winamp extension installation file
.wri Write Document
.wsc Windows Script Component – Executable
.wsh Windows Script File – Executable
.wsh Windows Scripting Host Settings File – Executable
.wsz Winamp extension installation file

.xif XIF Image Document
.xla MS Excel Add-in
.xlb MS Excel Worksheet
.xlc MS Excel Chart
.xld MS Excel 5.0 DialogSheet
.xlk MS Excel Backup File
.xll MS Excel XLL
.xlm MS Excel 4.0 Macro
.xls MS Excel Worksheet
.xlt MS Excel Template
.xlv MS Excel VBA Module
.xlw MS Excel Workspace
.xm ScreamTracker media file
.xml XML Document
.xnk Exchange Shortcut (NeverShowExt) – Executable?
.xsl XSL Stylesheet
.xxe XXencoded file

.z Compressed file
.z0 Z0 file (ZoneAlarm)
.z1 Z1 file (ZoneAlarm)
.zip Zipped file
.ZL? ZoneAlarm Mailsafe Renamed File

ZoneAlarm Mailsafe will quarantine mail attachments and changes
their extension. The conversions are:

.ADE to .ZL0
.ADP to .ZL1
.BAS to .ZL2
.BAT to .ZL3
.CHM to .ZL4
.CMD to .ZL5
.COM to .ZL6
.CPL to .ZL7
.CRT to .ZL8
.EXE to .ZL9
.HLP to .ZLA
.HTA to .ZLB
.INF to .ZLC
.INS to .ZLD
.ISP to .ZLE
.JS to Z0
.JSE to .ZLF
.LNK to .ZLG
.MDB to .ZLH
.MDE to .ZLI
.MSC to .ZLJ
.MSI to .ZLK
.MSP to .ZLL
.MST to .ZLM
.PCD to .ZLN
.PIF to .ZLO
.REG to .ZLP
.SCR to .ZLQ
.SCT to .ZLR
.SHS to .ZLS
.URL to .ZLT
.VB to .Z1
.VBE to .ZLU
.VBS to .ZLV
.WSC to .ZLW
.WSF to .ZLX
.WSH to .ZLY

View Comments

Published by
Ian Matthews

This website uses cookies.