|
| The CLSID file | |
Repa Site Administrator
Number of posts : 2378 Location : North Carolina Humor : Age: Older than Dirt! Registration date : 2008-09-19
| Subject: The CLSID file 4/11/2012, 20:51 | |
| I just got an email from a friend with an attachment that didn't have a file extension. I deleted the email without opening the attachment. If you ever get an email from someone you know with a file attached that doesn't have a file extension, here's what to be aware of:
Why is this type of content dangerous? Attachments that end with a Class ID (CLSID) file extension do not show the actual file extension when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files. This method may also circumvent attachment checking in some email content filtering solutions.
Which viruses made use of this method? There are no well-known successful worms or viruses that use this method to trick the user into running an email attachment. However, this method is ripe for exploitation and can be used by hackers to inject Trojan horses inside a corporate network or in future viruses.
How can I protect against this in GFI MailSecurity? Enable the email exploit engine from the GFI MailSecurity configuration. This test is caught as CLS-ID file extension (ID:1).
Will a worm that uses this method run automatically? Attachments are not normally executed automatically. However, many users are very easily fooled into running dangerous files, as proven by worms such as LoveLetter. Attachments using a CLSID extension may further entice the user into running them, as their real extension is hidden.
How does it work exactly? The CLSID file in the example is actually an MDB file. MDB (Microsoft Database) will execute code in the same way as EXE and VBS files, and should therefore be treated as dangerous. | |
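Added example, not part of the original thread or of GFI's product: a small Python check that a mail filter could apply to attachment names, flagging the two cases described in the post above (a name ending in a CLSID extension, and a name with no extension at all). The sample message and the all-zero GUID in it are constructed placeholders.

```python
import re
from email import message_from_string

# CLSID "extension": a dot plus a brace-wrapped GUID at the very end of the name.
CLSID_EXT = re.compile(r"\.\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}\s*$")

def classify_name(name):
    """Return why an attachment name is suspicious, or None if it looks ordinary."""
    name = name.strip()
    if CLSID_EXT.search(name):
        return "CLSID extension hidden behind %r" % CLSID_EXT.sub("", name)
    base = re.split(r"[\\/]", name)[-1]
    if "." not in base.strip("."):
        return "no file extension"
    return None

def scan_message(raw):
    """List (filename, reason) for every suspicious attachment in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # also decodes RFC 2231 encoded names
        if name and classify_name(name):
            findings.append((name, classify_name(name)))
    return findings

# Constructed sample message; the all-zero GUID is a placeholder, not a real class.
SAMPLE = """\
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.jpg.{00000000-0000-0000-0000-000000000000}"

AAAA
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice"

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, reason in scan_message(SAMPLE):
        print(f"{name}: {reason}")
```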
| | | fay47 Royal Geek
Number of posts : 1480 Registration date : 2008-10-17 Mood :
| Subject: Re: The CLSID file 4/11/2012, 23:37 | |
| Repa You said - Quote :
- How can I protect against this in GFI MailSecurity? Enable the email exploit engine from the GFI MailSecurity configuration. This test is caught as CLS-ID file extension (ID:1).
Can you explain that? I have no idea what the GFI mail security configuration is. You said - Quote :
- The CLSID file in the example is actually an MDB file
what example? Fay | |
| | | angelface1961 Royal Geek
Number of posts : 579 Location : Iron Range Registration date : 2009-01-10 Mood :
| Subject: Re: The CLSID file 4/12/2012, 00:20 | |
| I must be really tired, you used a LOT of big words and my brain missed most of what you said. Good questions Faye. | |
| | | Repa Site Administrator
| Subject: Re: The CLSID file 4/12/2012, 01:36 | |
| - fay47 wrote:
- Repa
You said - Quote :
- How can I protect against this in GFI MailSecurity? Enable the email exploit engine from the GFI MailSecurity configuration. This test is caught as CLS-ID file extension (ID:1).
Can you explain that? I have no idea what the GFI mail security configuration is.
I'm sorry ladies, I was in a hurry and not paying attention. Needed to get to my income tax returns and copied some information from the following website without paying attention to everything it said.
http://www.gfi.com/emailsecuritytest/faq.htm
I should have left out the part that you are asking questions about. I just wanted to communicate that this type of attachment is potentially dangerous.
The GFI MailSecurity test is explained here:
http://www.gfi.com/emailsecuritytest/
You said - Quote :
- The CLSID file in the example is actually an MDB file
what example?
If you decide to sign up to take the test described at the above link, I think they are referring to the file they will send you to test your email system vulnerability against this kind of file. You need to read the information at the above link to understand fully what they are talking about. I found it kind of interesting.
Fay, sorry about not being more specific previously. Now, back to my income tax return! | |
| | | fay47 Royal Geek
| Subject: Re: The CLSID file 4/12/2012, 10:10 | |
| Repa,
Thanks for the information. I am going to look into it a bit when I get a chance. Does kind of concern me.
Good luck on your taxes!!!
Fay | |
| | | fay47 Royal Geek
| Subject: Re: The CLSID file 4/12/2012, 21:12 | |
| I need to do some more reading on this. From what I read, the clsid's can be on files that have an extension - like .txt etc, but the clsid will not show. So you click on a file thinking it is a .txt file - and it executes something pointed to by the clsid - scary. I need to try the tests again. I selected the ones that I thought might apply to me and ran the test. Most of them were caught by my ISP's filter as a virus and were directed to their message center. It had flagged them as a virus instead of just as junk mail, so it would not even let me select them to be delivered. I kind of wanted to see what the clsid file looked like. I don't know what happened to a couple of the tests - I did not see them in my inbox or the message center and Avast did not give a warning message. So I don't know where they went. I went back and tried to run the test again to make sure I had selected them, but it didn't work - it said it had already been done. I may have to wait a while and then try again. I want to try to find out if there is some way to make the clsid on the files show up when you look at the file name. I always thought a .txt file was safe, now I will be paranoid about opening any file. Fay | |
| | | Repa Site Administrator
| Subject: Re: The CLSID file 4/12/2012, 23:21 | |
| - fay47 wrote:
- I need to do some more reading on this. From what I read, the clsid's can be on files that have an extension - like .txt etc, but the clsid will ... I always thought a .txt file was safe, now I will be paranoid about opening any file
LOL, I already am paranoid! Yea, and CLSID files can have no extension too, or one you can't see. My computers are not toys and I don't take any chances. I'll dump any email from a friend that doesn't look right. Have received emails from friends that a hacker got into their account and sent the email with malicious links, suspicious files, etc. There is even a way to have malicious code in the body of an email, and therefore I recommend that people using an email client on their computer like Outlook make sure their preview pane is not enabled. That is also why I recommend going to the ISP's email web page or signing up for services like Hotmail instead of using an email client on the computer. | |
| | | fay47 Royal Geek
| Subject: Re: The CLSID file 4/13/2012, 23:39 | |
| Too bad we can't just enjoy our computers instead of having to worry about all the people out there that just want to cause problems for others.
Fay | |