Beware the PIF!

24 Oct 2000
Virus News

A Dangerous Monster Can Hide Within Harmless Files

Cambridge, UK, October 25, 2000 - Kaspersky Lab Int., an international anti-virus software development company, considers it necessary to draw users' attention to a threat that programs with a PIF extension can pose to the normal operation of personal computers and corporate networks. Because of the lack of awareness of this problem, Kaspersky Lab has begun to receive numerous reports of virus infections caused by this type of malicious program.

PIF-files (Program Information Files) are standard Windows files that the operating system uses to store the start-up properties of DOS-applications. A PIF-file contains the application's necessary details, such as its name, size, location, creation and modification date, default screen size, memory usage, idle sensitivity, etc. This Windows feature spares users from adjusting a DOS-application's operating mode each time it is started. It is enough to set up the program once and save the configuration to a PIF-file.

Therefore, PIF-files contain only technical details that provide ease-of-use for users working with DOS-applications under Windows. It appears as though there is no need to worry about malicious programs that may be planted inside PIF-files. However, this mistaken belief makes users careless when dealing with PIF-files. Some people arbitrarily run PIF-files received from untrustworthy sources, without performing a comprehensive anti-virus check, thinking that no malicious code could hide inside. In fact, PIF-files can contain hidden executable modules, for instance, BAT, EXE or COM programs that will be automatically executed after the host file is run.

An illustrative example of planting malicious code inside a PIF-file is the world's first PIF Internet worm, 'Fable', which was discovered recently. It arrives on a computer in an e-mail message whose subject is chosen at random from the following variants:

Fable
Something You Should Read
Very Important That You Receive This

The message body contains just one phrase that is randomly chosen from one of these:

A nice little fable
Wanted to make sure you received this

In addition, there is an infected FABLE.PIF file attached to the message. Once it is started, the worm creates a set of supplementary files, securing its constant presence in the system and distributing its copies through IRC channels and e-mail. The e-mail spreading routine follows the pattern standard for the majority of Internet worms: 'Fable' creates a VBS file that, unbeknownst to the user, gains access to the Outlook e-mail program and sends out copies of the virus to all the recipients in the Outlook address book.

Another good example of the misuse of PIF-files is the Internet worm MTX, which was originally discovered in September and caused an epidemic in many countries worldwide. The infected files it distributes via e-mail have a PIF extension. In fact, these are ordinary Windows EXE-files that were intentionally renamed. When such a "PIF-file" is started, the original malicious code is automatically executed, infecting the system. Users who are not aware of the potential threat of PIF-files are tricked into clicking on the attachment.
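
An added example, not part of Kaspersky Lab's release: a mail-filter check for the renamed-EXE case described above, flagging .pif attachments whose content begins with the MZ executable signature. The function names and the sample message are constructed for illustration, and the check does not cover PIF-files that embed BAT or COM code, which carry no such signature.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage


def classify_payload(data: bytes) -> str:
    """Classify content by header bytes only: 'pe', 'mz' or 'not-executable'."""
    if data[:2] != b"MZ":                       # DOS/Windows EXE signature
        return "not-executable"
    if len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" header in Win32 EXEs.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "mz"


def flag_pif_attachments(raw_message: bytes):
    """Return (filename, kind) for every attachment named *.pif."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pif"):
            body = part.get_payload(decode=True) or b""
            findings.append((name, classify_payload(body)))
    return findings


def build_sample() -> bytes:
    """Constructed test message: header-only stubs, no real code in either file."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    for name, data in (("SAMPLE.PIF", bytes(stub)), ("SETTINGS.PIF", bytes(64))):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kind in flag_pif_attachments(build_sample()):
        verdict = "BLOCK: executable renamed to .pif" if kind != "not-executable" else "no MZ header"
        print(f"{name}: {kind} -> {verdict}")
```

A mail gateway would quarantine any .pif attachment reported as 'mz' or 'pe'; a 'not-executable' result only means the file is not a renamed EXE, not that it is safe.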

Kaspersky Lab has not received any reports of the 'Fable' worm being 'in-the-wild'. "We consider there is no reason to panic. We classify this worm as a proof-of-concept rather than something that poses a real threat," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "However, we would like to draw to the user's attention that PIF files are not as harmless as they may look. Besides ingeniously hidden PIF-viruses, they can carry other types of malware. We recommend users not run these files, especially if they are received from an untrustworthy source."

Further details on the 'Fable' worm are available at Kaspersky's Virus Encyclopedia. Protection against this worm has already been added to the daily update of AntiViral Toolkit Pro (AVP).

AntiViral Toolkit Pro can be purchased in the Kaspersky Lab online store.