Educause Security Discussion mailing list archives

Anyone seeing CLSID files being mailed


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 24 Mar 2004 09:27:54 -0500

In the context of renaming 'dangerous' filename extensions in central
email (to reduce viral propagation), we're curious if anyone's yet
seeing 'CLSID' files?

Such a file is 'magic' to Windows Explorer merely by virtue of its
name, and so can trigger explorer to run a program w/o user doing
anything beyond letting explorer list the file in a folder.

Here's a benign example:  Create any file, even an empty one, and then
rename it to:

   an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}

When viewed in Explorer (filespace explorer, not IE), it should look
just like your "Printers and Faxes" folder.  Had its name been related
to the CLSID of a more abusable program (e.g. cmd.exe), much more is
possible.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
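
A gateway-side check for the naming pattern described in the message above, as an added example that is not part of the original post: it flags attachment names whose final extension is a brace-wrapped CLSID and proposes a renamed form. The function names, the `.CLSID-….renamed` scheme and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# A final ".{8-4-4-4-12 hex}" extension is the pattern of interest. Trailing
# dots/spaces are tolerated because Win32 path handling drops them.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}[. ]*$"
)

def clsid_suffix(filename):
    """Return the CLSID (upper-case, no braces) a name ends with, or None."""
    m = CLSID_SUFFIX.search(filename or "")
    return m.group(1).upper() if m else None

def neutralize(filename):
    """Rename so the CLSID is no longer the final extension (hypothetical scheme)."""
    clsid = clsid_suffix(filename)
    if clsid is None:
        return filename
    return f"{CLSID_SUFFIX.sub('', filename)}.CLSID-{clsid}.renamed"

def scan_message(raw):
    """Return (original_name, safe_name) for each attachment with a CLSID suffix."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if clsid_suffix(name):
            hits.append((name, neutralize(name)))
    return hits

# Constructed sample message: one ordinary attachment, one CLSID-named one.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="notes.txt"

x
--b1
Content-Disposition: attachment;
 filename="an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}"

x
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```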
