SHS files: don't click on 'em, was Re: Hackers please help

From: Michael M. Butler (mmb@spies.com)
Date: Sat Feb 22 2003 - 20:01:20 MST

    I've been using BigFix (see bigfix.com) for the last couple of days, and here's
    a new one on me:

    SR News: Warning about SHS files in Email

    --------------------------------------------------------------------------------

    Are .SHS (scrap object) files a threat?
    Yes, they are. We have had some customers report a trojan in the form of scrap objects (*.SHS files) arriving via email attachments. If you execute one of these files, your PC could become infected or more likely attacked by a trojan (a destructive program). (These customers happened to be AOL users but this threat applies to anyone that uses Windows 95/98 or NT). If you receive an unsolicited email with an attachment of a file with the extension SHS, you should simply delete it.

    What are .SHS (scrap object) files?
    Scrap objects are MS Windows OLE/2 files that are essentially packages that can contain almost anything. This could easily include code that will delete files, directories or execute any program (DOS or Windows). While downloading scrap objects is not dangerous, you must make sure you don't click on the file. Windows will automatically unpack and attempt to open or execute whatever is contained in the scrap file if you click on this object. If you receive an unsolicited email with an attachment of a file with the extension SHS, you should simply delete it.

    Can my Anti-virus Software Protect me against .SHS (scrap object) files?
    Not really! It takes no skill whatsoever and only a few seconds to create a brand new destructive scrap object. A scanner can certainly look for and warn you about destructive scrap objects that have already been distributed but it is simply too easy to create new objects (or modify existing objects) that will be missed by any scanner. The good news is that it's extremely easy to protect yourself against this particular threat without purchasing any new software (details below!)--although we would certainly like you to purchase Integrity Master so you can recognize known viruses distributed this way and detect any damage that would be done by executing a scrap object (something other anti-virus software can't do!). Even if you scan a scrap object, it may still contain an undetected virus or a trojan. So far, we have seen a number of trojans distributed in this manner. Read about Trojans and other threats to your data

    What do I need to know about .SHS (scrap object) files?
    Treat these files as you would any other executable file. If you execute one of these files, it has control of your PC and could damage any or all of your programs and data.

    Further, you should make sure you don't execute these files automatically upon download. If you use Microsoft's Internet Explorer (IE), make sure you do not uncheck the "Confirm after download" option.

    This "Confirm after download" issue is not limited to scrap objects but apparently can result in automatic execution (opening) of other files (e.g., Word documents) upon download. This option can be set using either Windows (95/98) Explorer (Select View/Options/Filetypes then select "scrap object" then Edit) or with Internet Explorer (IE) (Select View/Options/Programs/FileTypes then select "scrap object" then Edit). You want to make sure this option is checked for any executable objects.

    Please do not forward SHS warning message
    There is a hoax-style warning about receiving email with an SHS file attached. While the warning message is correct when it warns you that if you download and execute the SHS attachment, you could be attacked (by a trojan) or infected (by a virus), this is nothing new. Anytime you download and execute something (e.g., a .BAT file, .EXE file, .COM file, .DOC file etc.) you are vulnerable to an attack! It asks you to forward the warning to "all your friends"; please do not do this. Feel free to warn your friends that SHS files are executable or to refer them to this site, but please don't forward anything that says to forward to "all your friends".
    There are two important points:

    Scrap objects are not well known to be executable so a user is more likely to download and execute these. Treat *.SHS files (scrap objects) as you would any other executable object (such as an .EXE file or MS Word document) and do not accept these files from anyone (unless you specifically requested the files).

    Users of Internet Explorer must make sure that "Confirm after download" is checked. If it is unchecked, it can make it much more likely that a scrap object (*.SHS file) will be executed when it is not intended (when simply a download is expected).

    How do I solve the problem of .SHS (scrap object) files?
    It's easy! There's absolutely no reason to accept this type of object via email or web download. Simply delete any such attachments that arrive in your mailbox and don't download this type of file from the net unless you have some specific need for this. (We have checked to verify this and there is not a single legitimate person that we are aware of that is sending people SHS files or requiring them to be downloaded from their web site.)

    --------------------------------------------------------------------------------

    Write to Stiller Research: support@stiller.com
    --------------------------------------------------------------------------------

    Copyright © 1998 Stiller Research.
    Document Last Modified August 12, 1998.
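
The advice above ("simply delete any such attachments"), as an added example that is not part of the original message or the Stiller Research advisory: a Python check that walks a mail message and reports attachments whose name ends in .SHS or whose content starts with the OLE2 compound-file signature (the container format the advisory says scrap objects use, shared with Word documents). The sample message, addresses, file names and reason labels are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file signature
BLOCKED_EXT = ".shs"                            # scrap object extension

def build_sample() -> bytes:
    """Constructed message: one plain file, one scrap object, one renamed OLE2 file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    samples = [
        ("notes.txt", b"plain text"),
        ("README.TXT.SHS", OLE2_MAGIC + b"\x00" * 16),
        ("update.dat", OLE2_MAGIC + b"\x00" * 16),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def scan_message(raw: bytes):
    """Return [(filename, [reasons])] for attachments that deserve a warning."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        data = part.get_payload(decode=True) or b""
        reasons = []
        # Windows ignores trailing dots and spaces, so normalise before comparing.
        if name.strip().rstrip(". ").lower().endswith(BLOCKED_EXT):
            reasons.append("shs-extension")
        # Content check catches an OLE2 file sent under another name.
        if data.startswith(OLE2_MAGIC):
            reasons.append("ole2-container")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```

The OLE2 signature alone does not identify a scrap object, since legitimate Office documents share it; the extension match is the signal that maps to the advisory's "delete it" rule.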



    This archive was generated by hypermail 2.1.5 : Sat Feb 22 2003 - 20:03:35 MST