About executable files

by Rich Pasco

Note: Android users see also the special section below.

Summary

An executable file (sometimes called an app—short for "application") is a computer file containing step-by-step instructions in a form that the computer can follow. By contrast, data files contain just text or pictures which are not executable. Executable files are essential to using computers, but when one arrives by e-mail, be careful! When you "open" an executable file, you surrender complete control of your computer to its distant and unknown author.

Never execute ("open") executable attachments received in unsolicited e-mail. Just because your virus scanner doesn't flag it does not guarantee that it is safe—it could mean that the virus is newer than your virus data file. Just because it apparently came from a trusted friend doesn't mean that it's safe—it could mean that your friend's computer was infected without his/her knowledge, or it could mean that your friend's address was forged by a third-party sender. (Often, a virus forges its "From:" address, using addresses in its victim's address list.)

What does "open" mean?

Some publishers of computer operating systems have adopted a confusing generalization of the word "open" to mean two different things, depending on the type of file. To "open" a data file means to load the data from the file into an appropriate application program already on your system (e.g., word processor, spreadsheet, or image viewer), but to "open" an executable file means to perform the operations as indicated by the instructions in that file. Further, they make it equally easy to open either kind of file, simply by double-clicking on an icon for it.

When you open an executable file, your computer does exactly what it says inside. You can't read it ahead of time to predict what it will do; you just blindly trust its author.

Executable files are everywhere

You can't use a computer without opening executable files. Every application you run, whether it's your e-mail reader, your web browser, your word processor, or your spreadsheet, begins with an executable file. As long as you get the executable file directly from the application's publisher, you're pretty safe. In running such an application, you place your trust in the publisher that it will do what it is advertised to do. Sometimes it doesn't work quite right (this is called a "bug") but we trust that it won't do anything malicious.

Unsolicited executable files

The problem with unsolicited executable files received by e-mail or some other round-about route is that we really don't know where they originated. Reputable software publishers never send updates by e-mail. Microsoft doesn't.

A "virus" is defined as "that which tricks its host into making more copies of itself." This definition applies to biological viruses (like the common cold), to e-mail hoaxes (which persuade the reader to forward them to everyone) and to computer viruses (which may ride in executable files).

Because executable files have total control over your computer, they are very powerful. This is usually a good thing! But this power allows them to do bad things too. Viruses take advantage of this fact. For example, an executable file can:

  • Modify any other file on your disk, including, of course, the good executable files that you depend on, for e-mail, web browsing, word processing, etc. For example, a virus can modify your "good" executable files to embed copies of itself into them.

  • Manipulate your computer as if you yourself were doing it. If you can delete your spreadsheet file, so can an executable file. An executable file can also send e-mail in your name as if you sent it yourself. Or it can send e-mail in the name of your friends, to your other friends.

So, when you get an executable file in an e-mail from a friend, you don't know whether your friend personally sent it to you, or a virus running in his computer did, or a virus in a friend's computer did. And you don't really know what it will do until you have run it, and by then it is too late.

Suppose you talk to your friend on the phone and he admits deliberately sending you an executable game that someone else had forwarded to him. He says it didn't trash his system. Are you safe then? Safer, perhaps, but not completely safe. It didn't trash his system yet, or at least he's not aware of any damage it might have done. Does that mean it's benign? Remember, your computer and all the files in it are at stake.

The cover e-mail messages bearing virus files are worded persuasively to trick the recipient into opening their executable payload. Some purport to be in reply to a message you recently sent. Another purports to be a tool conveying "immunity" to the very virus it bears, and tells the recipient to ignore any warning from their anti-virus utility and open it anyway. How gullible do they think we are? As P.T. Barnum said, "There's a sucker born every minute."

A "bounce" message comes from a mail server when an e-mail message cannot be delivered as addressed. Legitimate bounce messages quote the message which could not be delivered, so that you can (and should) correct your addressbook, but be careful: You may receive a bounce message from mail you never sent, with an executable virus-bearing attachment. This can happen when a virus, operating in a third-party victim's computer, forges your return address as it attempts to send itself to a bad address from its victim's addressbook. The receiving mail server, unable to deliver the virus, "returns" it to you! Or, it may be that the entire bounce message is a phony, just another persuasively-worded cover message designed to trick you into opening the payload attachment.

Virus scanners

A software "virus scanner" comprises two parts. The first is an executable file which tells your computer how to look for viruses. The second is a data file with descriptions of what recent viruses look like (what to look for). A virus scanner is not iron-clad protection, but it may help, if (a) it is properly installed, so that it scans every executable file as you open it, before your computer surrenders control to it, and (b) its data file is up-to-date.

Each new virus usually claims a number of victims before one of them forwards a copy to the publishers of the virus scanner, who then update their data files to recognize it. No matter how fast the publishers respond (usually within a few days), this doesn't do any good if you (the end user) don't regularly download and install the updated data files. The newest virus scanners can download their own updates automatically, but even so, there is a delay involved. Modern viruses depend on this delay, and spread quickly while they can.

For these reasons, it is best to not rely on a virus scanner, even though it is a good idea to have one. Instead, practice "safe computing" and don't open executable files received in unsolicited e-mail.

Identifying executable files

One of the hardest things for a novice to figure out is which files are executable and which are just data. In an MS-Windows computer, many but not all executable files end in the extension .EXE. Some end in .BAT, .COM, .CPL, .DLL, .JS, .JSE, .PIF, .SCR, .VB, .VBE, .VBS, .WS, .WSC, .WSF, .WSH and a few others. Worse, some Windows systems are set to hide the extension, which makes it even harder to recognize an executable file. To fix this, open Control Panel, Folder Options (if you use Category View, you'll find it in the category "Appearance and Themes"). Select the View tab. In the Advanced Settings box, under Files and Folders, un-check "Hide file extensions for known file types" and un-check "Remember each folder's view settings." Then click on "Reset All Folders," "Yes," and "OK."

In an insidiously sneaky trick, some virus writers name their executable file with a false extension, which looks like the real extension if the operating system hides the real extension. For example, "picture.jpg.vbs" is an executable file, but it will look like an image file (picture.jpg) if its real extension (.vbs) is hidden.

In another insidious trick, virus writers sometimes name their executable file to resemble a popular web site. For example, "yahoo.com" is a popular internet domain, but it could also be the name of an executable file. The ".com" extension has denoted executable files since the early days of IBM PC DOS. Its other use, to indicate commercial internet domains, is an unfortunately confusing coincidence. It is important to distinguish between a file name and an internet address.
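The naming tricks described above can be checked mechanically by looking only at the last extension of a file name. The following is an added example, not part of the original article; the function names, the decoy list and the verdict labels are assumptions made for illustration.

```python
import os

# Extensions the article lists as executable on MS-Windows (it notes there are others).
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cpl", ".dll", ".js", ".jse", ".pif",
                   ".scr", ".vb", ".vbe", ".vbs", ".ws", ".wsc", ".wsf", ".wsh"}
# Assumption: data extensions a sender might use as the visible decoy part of a name.
DATA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf"}
# File types the article says can carry embedded code (macros, JavaScript).
ACTIVE_CONTENT_EXTS = {".doc", ".dot", ".htm", ".html"}


def displayed_name(filename):
    """Name shown when "Hide file extensions for known file types" is checked."""
    return os.path.splitext(filename)[0]


def classify_attachment(filename):
    """Return (verdict, reason), judging only by the real (last) extension."""
    stem, ext = os.path.splitext(filename.strip())
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()  # what stays visible if ext is hidden
    if ext in EXECUTABLE_EXTS:
        if inner in DATA_EXTS | ACTIVE_CONTENT_EXTS:
            return "block", f"real extension {ext} hidden behind decoy {inner}"
        if ext == ".com":
            return "block", ".com is an executable extension here, not an internet domain"
        return "block", f"executable extension {ext}"
    if ext in ACTIVE_CONTENT_EXTS:
        return "caution", f"{ext} files can carry macros or script"
    if ext in DATA_EXTS:
        return "data", f"{ext} is a data format"
    return "unknown", "extension not on either list; do not assume it is data"


if __name__ == "__main__":
    # Constructed sample names; the first two are the article's own examples.
    for name in ["picture.jpg.vbs", "yahoo.com", "PATCH.EXE", "report.doc", "holiday.jpg"]:
        verdict, reason = classify_attachment(name)
        print(f"{name!r:20} shown as {displayed_name(name)!r:14} -> {verdict}: {reason}")
```

A name-based check like this only catches what the name reveals; it says nothing about the contents of the file.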

Further, some applications will execute code contained in their data files. For example, Microsoft Word documents (.DOC) and templates (.DOT) may contain macros, small segments of executable code. It is a good idea to configure such applications to not automatically run macros embedded in a file when opening it.

While HTML files (extension .HTM) are, in general, not executable, some can contain JavaScript code which is. Microsoft Internet Explorer allows JavaScript code in an HTML file to control the Windows Scripting Host.

It is safe to open JPEG images (extension .JPG)—well, mostly. For a while, the Microsoft code that displayed JPG files was vulnerable to executing code in carefully constructed JPG images. But this has been fixed and the fix distributed through Microsoft Update (on your Start menu). Users who have been keeping their systems up to date should no longer be at risk.

One malicious virus arrives by an e-mail whose cover letter, designed to trick you into executing the attachment, tells you that you may already be infected by a virus and you must run the attached patch to protect yourself. Don't believe a word of it! The e-mail plays a lot of tricks to avoid being detected by your virus scanner. The cover letter is not sent as plain text but as an image. The malicious payload (the so-called "patch") is enclosed in a password-protected ZIP file, with the password shown in the cover letter. And every copy of the virus has a slightly different image and a ZIP attachment with a different password. This makes it very hard for a virus scanner to look inside the ZIP and detect the virus.
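Even when a scanner cannot read the contents of a password-protected ZIP, the archive still declares that its members are encrypted, and with traditional ZIP encryption the member names remain readable. The following added example (not from the original article) shows a mail-filter style check on that basis; the function names and the quarantine policy are assumptions, and the sample archive is constructed in memory with the flag set by hand.

```python
import io
import os
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP "general purpose bit flag"
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".pif", ".scr", ".vbs", ".js"}  # subset of the article's list


def build_constructed_zip(member_name, encrypted):
    """Constructed sample: a one-file ZIP whose 'encrypted' flag can be set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"constructed placeholder bytes, not a program")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The flag sits 6 bytes into the local header and 8 bytes into the
        # central-directory entry; set bit 0 in both, as an encrypting tool would.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(signature) + offset] |= ENCRYPTED_FLAG
    return bytes(raw)


def inspect_zip(data):
    """Return [(name, is_encrypted, has_executable_extension)], or None if unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename,
                     bool(info.flag_bits & ENCRYPTED_FLAG),
                     os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS)
                    for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def should_quarantine(data):
    """Hold the attachment if it cannot be parsed, cannot be scanned, or names an executable."""
    members = inspect_zip(data)
    return members is None or any(enc or exe for _name, enc, exe in members)


if __name__ == "__main__":
    for name, enc in [("patch.exe", True), ("notes.txt", False)]:
        sample = build_constructed_zip(name, enc)
        print(inspect_zip(sample), "quarantine:", should_quarantine(sample))
```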

Non-Windows operating systems

All of the foregoing could apply to other operating systems, like Macintosh OS, Linux, Android, and iOS. No system is immune to viruses, although virus writers usually target the most popular systems. For example, a Mac is usually not affected by a virus targeted at Windows victims. Executable files for other OS's look and behave differently, but the principles are the same, and everyone should be cautious. See also the special section on Android, below.

Common misconceptions

"I have a virus scanner on my computer so I'm safe."

You're safer, but not safe. New malicious viruses and worms are released every day, faster than the virus-scanner publishers can update their code to recognize them. You are vulnerable to viruses newer than your virus-protection software. It takes a good measure of common sense to guard against viruses which it might not detect.

"I tried to open an attachment but lucky for me it failed"

Don't breathe that sigh of relief yet! Your attempt to open the attachment is likely to have infected your computer with a virus, even if you had no evidence of success in opening it. Virus writers often include a confusing, bogus failure message of some kind in order to give their victims a false belief that they were not infected.

"If I had a virus here, it has not done anything."

The absence of symptoms does not prove you're not infected. Most viruses are stealthy, doing their dirty work without obvious symptoms... at least not until severe damage has already been done.

"I did not have the suspicious message on the computer when I wrote others so, if it was a virus, I didn't pass it on."

You cannot conclude this either. A virus can infect your operating system the very moment you first open it, after which it doesn't matter if you delete the message via which it arrived; your system is still contagious. And it doesn't require you to personally launch e-mail for it to spread to your correspondents; it can be busily sending out copies of itself while you're asleep.

Trojan Horses and Spyware

Not all unsolicited executable files are viruses. A virus is that which tricks its host into making more copies of itself. Programs without this self-replicating property may pass a virus scanner, but that doesn't mean that they are safe to open.

Another class of program is the Trojan Horse. Named after the famous legend, a Trojan Horse purports to be something fun or useful, but secretly carries out a second, not-so-friendly mission. For example, an executable attachment posing as an animated greeting card may also install software that sends your passwords and other personal information back to its sender. One example is Lover Spy. Programs of this general class are called spyware.

As distinct from a virus scanner, a spyware scanner is specifically designed to look for spyware. One of the most popular is Ad-aware from LavaSoft.

Android

The above text was written when Microsoft Windows was the most common operating system. While most of it is applicable to Google Android as well, there are some special considerations specific to Google Android.

Some users find the Android permissions asked by some applications (“apps”) (e.g. Facebook) to be scary. You can worry yourself sick worrying about what an app could do, but if you run only apps from well-known publishers, you can trust that they will do only what they need to do to do their job as advertised.

Basically, when you run any app in your computer, you turn full control of your computer over to its publisher, whether that be Google, Apple, Adobe, Microsoft, Facebook, or whoever. If you only install software from publishers you trust, then you are safe.

That article was mostly written for Windows users. On a Windows machine, running an app gives it permission to do everything.

In publishing Android, Google tried to restrict that a little. Instead of an all-or-nothing approach to permission, Android has a long list of categories. However, the length of that list has made it scary to some users. For example, for Facebook to post a picture you want to share, the Facebook app must be able to access files on your device. "Access my files?" you ask. "Well, I don't want it accessing ALL my files." You have to trust that it won't. Facebook will access only the files you ask it to, like that picture you want to post.

Below are some articles about Android permissions.

Copyright © 2001-2002 Richard C. Pasco. All rights reserved.