Back to Cattail.Nu Index
Back to Story List
Copyright Information


Email Attachments
Copyright by Theresa L. Ford
Permission required for copying or distribution.




My dad sent me an email with "xmascottage.shs" attached to it. Here's what went through my head and my reply to my dad:

So here it is, holiday-pass-around-cute-programs time. It's the elf toss, the santa shooter, the string of christmas lights for your desktop. All sorts of executables flying around faster than the reindeer can get santa around, and I am still sorry I just lost my Barbie's Dear Santa letter I was saving to pass around this year.

It's also time to start paying attention to what sorts of things we open. So, I say to myself, "Oh! Something from Dad. Bet it's cute." But those niggling questions surface, "Do I open it? Is it really from Dad? Is it socially engineered to make me think it's from Dad but really isn't?" So, being the curious IT-Department type with a fascination with trojans, virii, and other software intent on wiping out my vacation pictures, my stories, my checkbook tracker, my email archives, my databases, my games, and my work, I must really consider files, both downloaded and received.

So here's what I did. Let's see, what is it? xmascottage.shs . Sounds like a cute little Christmasy thing. Probably harmless, given the time of year, but that's becoming less reliable as evidence, because if I were a person intent on destroying your pc, things would be timely unlike that I-Love-You virus that missed its Valentine's Day deadline (what happens I guess when you fall behind schedule I guess).

After all, there's no message text. Email virii tend to come in two forms (no message text or badly written message text). Once again, though, this reasoning is becoming less reliable as evidence as I think on how I would do it if I were that sort of person, which I'm not. Well, it's from Dad, I should verify that Dad did indeed send it, so no big deal, but the lack of personal text readily identifiable as from Dad definitely counts against my opening it.

Next. That extension. shs. Never heard of it. Must be a windows system file of some sort. My reasoning: It's something that whoever started it around expects most people to be able to open and view it and it's not one of the usual, so it's likely something like that really awesome .hta. .hta files are windows system files that run scripts without user prompts useful for installing programs for users without giving them a chance to select the wrong options. The virii had to stop using it because Microsoft put out a patch to block .hta's from running automatically in Outlook Express. (Good grief?! Have I installed that here? Would it block this thing if .shs uses that same hole? Drat, better check because it would already be too late because I've viewed the body of the email! Good thing I have Norton Antivirus running!)

So, back to that extension. What is an .shs? Ah, the wonders of the world wide web! Look what it turns up:

http://www.helpdesk.umd.edu/virus/security/removeshs.shtml

A blurb about how to shut these off so they can't be used for virii. Well, doesn't that just give me a warm fuzzy in the pit of my stomach? However, the Microsoft blurb on it (saying it is a scrap file):

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q138275

is somewhat heartening. Except, um, that doesn't look like it would actually run or do anything at all. Why is it sent to me as an attachment? Well, this definitely counts against me opening it.

Ah, wait. Looking down the rest of Yahoo's response when I searched on "+shs +extension", it seems that you have to have your machine configured to show it or you won't even see it. Well, good thing I already had that on. I really hate when Microsoft hides things from me (like extensions, system files, hidden files, and directory paths). Shoot, I'm smart enough not to delete system files, right? (Well, maybe not, but I know enough to learn from it and go on living and pretend I didn't do it when asked by coworkers what happened.) Anyway, I particularly like the blurb about files like readme.txt.shs will show up as readme.txt if you have the file extensions set up to make your life less complicated.

Ah, but meanwhile, I can see a bunch of my friends and co-workers not having that level of detail, so if it is a virus, it's going to spread. (long sigh here) Hopefully Norton will catch it, or else I'm going to get lots and lots of calls all day long from people asking for help because they weren't thinking.

So, let's see what the web turns up for that specific file, now that I know the extension gives me the shakes. Hrm. That's promising. Only 4 entries, only 1 of which seems to have anything to do with something vaguely software-ish. A geocities site that is listing a bunch of other Christmasy type things in it's basic Yahoo information. That means it's probably not a virus, because most virii show up with multiple sites warning you (including Symantec's wonderful site):

http://www.symantec.com/avcenter/index.html

I had already read down the list of new virii today, though, and I didn't remember seeing a christmas one, or one I got an email warning about earlier (which is why I was checking the new virii releases in the first place). Do people ever check their warnings before wildly forwarding them all over the net clogging up email servers? In any case, that xmascottage.shs wasn't a new one (or it is *really* new), and if it were an old one, the basic Yahoo search would probably have turned up more websites. Ah, I better do a quick check in Symantec's archive anyway. Woo! No entry.

But still, geocities sites aren't exactly what I would consider a great download resource (lots of unchecked sources as anyone can get a geocities site for free), and probably a breeding ground for trojans.

Now, let's do a quick look at the email properties and make sure it *really* came from Dad (email addresses can be spoofed, you know). Good. It actually came from my dad's work mail server. A quick scan through the message source just shows that the file is a compiled executable, so there's no real way of knowing anything about it, which is not surprising.

Also, the recipient list isn't very suspicious. It's a small list, and I know most of the folks on it. It's also not to "undisclosed" though more people are doing that routinely when they send jokes and non-work stuff around at work to keep people's email addresses private. There was some story going about where someone infiltrated a group of friends by pretending to know various members because he got their address from a group-mailing. That just sounds idiotic to me. Mostly, though, I think it's because people don't want their name to show up when someone forwards the joke/whatever and is too lazy to strip out the header garbage.

So. Let's see: Known sender: Good. No message text: Bad. Weird extension: Bad. Possible impact: Unknown. No Symantec entry on file: Good. No cascading warning websites: Good. Recipient list: Good. Message source: Indeterminate. Likely original web source: Not reliable.

That leaves the most important check still do be done:

Dad, did you send this to me? Did you open it? Did you check it for virii? What is it? Is it worth risking everything I've done since my last backup?