Monthly Archives: May 2009

Hidden files and extensions

Making hidden files visible is not always as straightforward as expected and can be a bit confusing at times. Malicious files quite often have their file attributes modified to make them harder to spot. You may encounter files with the system (S), hidden (H) and read-only (R) attributes set. Note that attrib refuses to change any other attribute on a file while the system or hidden attribute is still set, unless that attribute is cleared in the same command, so resetting the attributes one at a time fails. The Windows attrib command can be used to reset the file as shown below (dir /a lists a file regardless of its attributes, and attrib followed by the file name shows which attributes are set). Clearing all three attributes in a single attrib command is the reliable way to reset such a file and avoid these errors.

C:\>attrib virus.exe
SHR C:\virus.exe

C:\>attrib -h -r virus.exe
Not resetting system file - C:\virus.exe

C:\>attrib -s -r virus.exe
Not resetting hidden file - C:\virus.exe

C:\>attrib -h -s -r virus.exe

C:\>attrib virus.exe
C:\virus.exe
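The attrib transcript above handles one file you already know about. The PowerShell script below is an added example (not part of the original post) that does the same job across a directory tree: it lists every file that carries the hidden and system attributes together, prints the S/H/R flags the way attrib does, and with -Clear removes all three bits in one step, mirroring attrib -h -s -r. The directory C:\Suspect and the script name Find-HiddenSystem.ps1 are assumptions for illustration.

```powershell
# Added example, not from the original post. Finds files with both the
# Hidden and System attributes set (the combination Explorer will not show
# even with "Show hidden files" enabled) and optionally clears H, S and R
# together, as attrib -h -s -r does. The default path C:\Suspect is an
# assumption; point -Root at the directory you are investigating.
param(
    [string]$Root = 'C:\Suspect',
    [switch]$Clear   # without -Clear the script only reports
)

$hidden   = [int][IO.FileAttributes]::Hidden
$system   = [int][IO.FileAttributes]::System
$readonly = [int][IO.FileAttributes]::ReadOnly
$sh       = $hidden -bor $system                 # both bits must be present
$mask     = $hidden -bor $system -bor $readonly  # bits to clear

# -Force is required: without it Get-ChildItem skips hidden and system files.
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { (([int]$_.Attributes) -band $sh) -eq $sh } |
    ForEach-Object {
        $file = $_
        $attr = [int]$file.Attributes

        # Print the attributes in the same letters attrib uses (S, H, R).
        $flags = ''
        if ($attr -band $system)   { $flags += 'S' }
        if ($attr -band $hidden)   { $flags += 'H' }
        if ($attr -band $readonly) { $flags += 'R' }
        Write-Output ("{0,-4} {1}" -f $flags, $file.FullName)

        if ($Clear) {
            # Clear all three bits in one assignment; clearing H or R alone
            # fails on a system file, and S or R alone fails on a hidden file.
            $remaining = $attr -band (-bnot $mask)
            if ($remaining -eq 0) {
                # A file must keep at least one attribute; Normal means "none".
                $newAttr = [IO.FileAttributes]::Normal
            } else {
                $newAttr = [IO.FileAttributes]$remaining
            }
            $file.Attributes = $newAttr
            Write-Output ("     cleared -> {0}" -f $file.FullName)
        }
    }
```

Run it first without -Clear (`.\Find-HiddenSystem.ps1 -Root C:\`) to get an inventory, and only then with -Clear. Clearing attributes modifies the file system you are examining, so on a machine you intend to preserve as evidence record the original attributes (the first run's output) before changing anything.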

Windows by default hides the extensions of known file types. To see all extensions we need to make a couple of changes to our system. In Windows 2000/XP, open Windows Explorer and select “Tools”… “Folder Options”. Next click the “View” tab, select “Show hidden files and folders” and also untick “Hide file extensions for known file types”. Once applied, most extensions will be visible. Some extensions still will not be shown, because their file type carries a “NeverShowExt” value in the registry, so a registry change is needed as well. The PIF file is one such extension. A PIF file is basically designed to hold the information an MS-DOS application needs in order to run in a Windows environment, and Windows will execute a PIF file when it is double-clicked. Virus writers sometimes rename an executable file with a PIF extension. For example virus.exe could be renamed to virus.txt.pif. Since it ends in a PIF extension the extension is never displayed, so only virus.txt is shown, fooling the user into thinking it is a text file, while opening it runs the program.

In order to display the PIF extension we need to go into the registry, drill down to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile and delete the “NeverShowExt” value. Once deleted, the system needs to be rebooted (or at least Explorer restarted) for the change to take effect.

The text below can also be saved as a .reg file and imported by double-clicking it, instead of carrying out the manual steps above. The “=-” syntax tells the Registry Editor to delete the named value, and importing into HKEY_LOCAL_MACHINE requires administrator rights.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile]
"NeverShowExt"=-
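PIF is not the only file type with “NeverShowExt”, and a “virus.txt.pif” style name can use any of them. The PowerShell script below is an added example (not part of the original post) that enumerates every file type under HKEY_LOCAL_MACHINE\SOFTWARE\Classes carrying that value, maps those types back to their extensions, and then scans a directory for files whose real extension is one of them while an inner “extension” sits in front of it. With -UnhidePif it also removes the piffile value, the same change the .reg file above makes. The scan path C:\Suspect and the script name Find-DoubleExtension.ps1 are assumptions for illustration.

```powershell
# Added example, not from the original post. Lists the extensions Explorer
# hides regardless of the Folder Options setting (file types that carry a
# NeverShowExt value), then looks for the virus.txt.pif pattern in a directory.
# The default path C:\Suspect is an assumption. -UnhidePif deletes
# HKLM\SOFTWARE\Classes\piffile\NeverShowExt and needs an elevated prompt.
param(
    [string]$Root = 'C:\Suspect',
    [switch]$UnhidePif
)

$classes = 'HKLM:\SOFTWARE\Classes'

# Every ProgID (a key not starting with a dot) that has a NeverShowExt value.
$hiddenProgIds = Get-ChildItem -Path $classes -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '.*' -and
                   $null -ne $_.GetValue('NeverShowExt', $null) } |
    ForEach-Object { $_.PSChildName }

# Extension keys are named ".ext"; their default value names the ProgID.
$alwaysHidden = Get-ChildItem -Path $classes -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    Where-Object { $hiddenProgIds -contains $_.GetValue('') } |
    ForEach-Object { $_.PSChildName.ToLower() } |
    Sort-Object -Unique

Write-Output 'Extensions Explorer hides regardless of Folder Options:'
$alwaysHidden | ForEach-Object { Write-Output "  $_" }

# The virus.txt.pif pattern: the real extension is always hidden and the
# base name still contains a dot, so Explorer shows only the inner name.
Write-Output "Files under $Root using such an extension behind a second one:"
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $alwaysHidden -contains $_.Extension.ToLower() -and
                   $_.BaseName -match '\.' } |
    ForEach-Object {
        Write-Output ("  Explorer shows '{0}', real file is '{1}'" -f
            $_.BaseName, $_.FullName)
    }

if ($UnhidePif) {
    # Same change as the .reg file: delete the value so .pif is shown again.
    Remove-ItemProperty -Path "$classes\piffile" -Name 'NeverShowExt' -ErrorAction Stop
    Write-Output 'Removed NeverShowExt from piffile; log off or restart Explorer.'
}
```

The script reads HKEY_LOCAL_MACHINE to match the post; per-user overrides live under HKEY_CURRENT_USER\SOFTWARE\Classes and are merged into HKEY_CLASSES_ROOT, so a thorough check on a multi-user machine should also look there. Reading the hive needs no elevation, but -UnhidePif does.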

Reference:

http://www.pctools.com/guides/registry/detail/627/