Creating a text file virus


“There is not now, and never will be, a language in which it is the least bit difficult to write bad programs.” (Lawrence Flon)

A couple of months ago reader Warrick Nelson sent me a virus. I hasten to add there was no malicious intent. Warrick sent it to me as a text file attachment and was curious about it as it had arrived attached to a message he’d been sent warning, ironically, about viruses.

Warrick’s no fool. He has his email program set to not run scripts automatically, so when the attachment arrived it did nothing. Which is just as well because when I asked Norton AntiVirus to check it out it threw up its hands and cried “Danger! Danger! Alien intruder!”

Okay, you’re thinking, so what’s the big deal? Viruses aren’t exactly uncommon. Well here’s what surprised me; this virus is a text file. The sort of file you open and alter with Notepad. Admittedly a rather techy looking text file but a text file nonetheless. But how can a text file be a virus? And why should NAV get so upset?

Experimental View

Before we go any further you might like to try a little experiment. You’ll need to have Internet Explorer version 5 (or later) installed and you should open My Computer and check that you’ve deselected “Hide file extensions for known file types” under View·Folder Options·View.

Right-click the mouse on an empty space on the desktop, choose New and select Text Document. Windows will create a new file with the default name “New Text Document.txt”. Change the extension at the end of the file name from .txt to .hta and press Enter. (Windows will ask you if you’re sure about that; click Yes.) Now double-click the file. Whoa!

The three-letter extension at the end of a file name is how Windows decides which program handles the file: it looks the extension up in the Registry (under HKEY_CLASSES_ROOT) and runs the command registered for that file type. A .txt file starts Notepad and hands it the file’s contents; an .html file does the same for your browser, a .doc file for Word, a .wav file for Sound Recorder, and so on. So isn’t this empty file just starting some unknown application?

Change the file’s extension back to .txt, double-click it again (to start Notepad) and enter the following code:

    <HTML>
    <HEAD>
    <TITLE> Surprised…? </TITLE>
    </HEAD>
    <BODY> This isn’t just a text file!
    <BR>
    <BUTTON onclick="self.close()"> Exit
    </BUTTON>
    </BODY>
    </HTML>

Now save the file, close Notepad, change the extension to .hta again and double-click it once more. The result is that your simple text file has suddenly become a fully fledged, stand-alone Windows program. Wow! (see figure 2)

You’ll have to excuse me if this is all old hat to you. Maybe I’ve had my head in a bucket for the last year or so but it’s certainly news to me. With Internet Explorer 5 you not only get a browser and email client, you also get a fully fledged programming language that requires only Notepad to code real-life Windows programs.

HTA stands for HTML Application, and that is what you were actually writing in Notepad. Unlike ordinary HTML, an .hta file is run not by the browser but by mshta.exe, a separate host program installed with Internet Explorer 5, so it behaves as a stand-alone application. HTA files can arrive as a download from a web page or as an email attachment, and once one is opened it runs outside the browser’s security zones. It’s not difficult to see their appeal to virus writers and the like since, in Microsoft’s own words, “Your application is fully trusted and free from the restrictions placed on web pages for security reasons.” (Gulp!)

Compiled Languages

There are essentially two types of programming languages: compiled and interpreted. Compiled languages undergo a “build” process before their programs can be used, but once that is done the programs need no other assistance to run. The human-readable program code is converted into an optimised form that the computer understands directly. Windows executables (.exe files) are compiled programs. Interpreted programs, on the other hand, require the assistance of a third party, the interpreter. When you double-click the file, the interpreter is started and handed your program code, and it translates the English-like statements into actions as it goes. This happens every time the program is run. It’s obviously less efficient, especially for really big or commonly used programs, but effective nonetheless. HTAs are interpreted programs, and mshta.exe is their interpreter.

The official name of the virus Warrick sent me is Wscript.KakWorm.C. Unlike its parent, Wscript.KakWorm, it’s neither particularly common nor particularly dangerous. But that doesn’t stop it setting itself up in your Registry to start each time you boot Windows and attaching copies of itself to all your outgoing emails.

Well, to do all that, you’re thinking, there must be a whole lot more to it than the simple example I’ve given here. There is. Along with regular HTML statements, HTAs can incorporate script, either in VBScript or in JScript, Microsoft’s dialect of JavaScript, and the KakWorm family is written in JScript. JScript’s pretty powerful.

One Microsoft site shows how you can use it to write a basic web browser with little more than 40 lines of code.
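As an added example (it is not the column’s code, and nothing here comes from the worm), the HTA below makes the “fully trusted” point concrete by doing three things an ordinary web page is not allowed to do: it reads from the Registry which program Windows starts for a .hta file, reads the first line of a local file, and lists the per-user Run key that a worm like KakWorm uses to start at boot, flagging any entry that launches an HTA. Type it into Notepad, save it with a .hta extension and double-click it. It assumes the Windows Script Host objects (WScript.Shell and Scripting.FileSystemObject) and WMI’s StdRegProv class are present, which they are on Windows 2000 and later, and that %SystemRoot%\win.ini exists; the mshta/.hta pattern used to flag Run entries is a simple heuristic of my own, not a published signature. Serve the same markup as a web page from the Internet zone instead and each probe is refused.

```html
<HTML>
<HEAD>
<TITLE>What an HTA may do that a web page may not</TITLE>
<HTA:APPLICATION ID="demo" APPLICATIONNAME="HTA trust demo" SINGLEINSTANCE="yes">
<SCRIPT LANGUAGE="JScript">
// Added example, not the column's own code. Each probe does something that
// Internet Explorer refuses to a web page; run as an .hta, all three succeed.
var HKEY_CURRENT_USER = 0x80000001;  // hive constant expected by WMI StdRegProv
var RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";

function log(label, result) {
    document.getElementById("out").innerText += label + ":\r\n  " + result + "\r\n";
}

// Run one probe and report either its result or the error that blocked it.
function probe(label, fn) {
    try {
        log(label, fn());
    } catch (e) {
        log(label, "BLOCKED: " + (e.description || e.message));
    }
}

// 1. Ask the Registry which program Windows starts for a .hta file.
function htaHandler() {
    var shell = new ActiveXObject("WScript.Shell");
    var progId = shell.RegRead("HKCR\\.hta\\");   // trailing backslash = default value
    var command = shell.RegRead("HKCR\\" + progId + "\\shell\\open\\command\\");
    return ".hta -> " + progId + " -> " + command;
}

// 2. Read a local file; a web page cannot touch the local disk.
function readWinIni() {
    var shell = new ActiveXObject("WScript.Shell");
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var path = shell.ExpandEnvironmentStrings("%SystemRoot%\\win.ini");  // assumed to exist
    var ts = fso.OpenTextFile(path, 1);            // 1 = ForReading
    var firstLine = ts.AtEndOfStream ? "(empty file)" : ts.ReadLine();
    ts.Close();
    return path + ": " + firstLine;
}

// 3. List the per-user Run key, the spot a worm uses to survive a reboot, and
//    flag entries that launch an HTA. Value names come from WMI because
//    WScript.Shell can read a named value but cannot enumerate a key.
function runKeyEntries() {
    var shell = new ActiveXObject("WScript.Shell");
    var reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");
    var method = reg.Methods_.Item("EnumValues");
    var inParams = method.InParameters.SpawnInstance_();
    inParams.hDefKey = HKEY_CURRENT_USER;
    inParams.sSubKeyName = RUN_KEY;
    var outParams = reg.ExecMethod_(method.Name, inParams);
    if (outParams.sNames == null) return "(no entries)";
    var names = new VBArray(outParams.sNames).toArray();
    var lines = [];
    for (var i = 0; i < names.length; i++) {
        var value = shell.RegRead("HKCU\\" + RUN_KEY + "\\" + names[i]);
        // Heuristic (my assumption, not a signature): anything naming an .hta or mshta.
        var flag = /\.hta\b|mshta/i.test(value) ? "   <-- launches an HTA" : "";
        lines[lines.length] = names[i] + " = " + value + flag;
    }
    return lines.join("\r\n  ");
}

function runProbes() {
    probe("Handler for .hta files", htaHandler);
    probe("First line of a local file", readWinIni);
    probe("HKCU Run entries", runKeyEntries);
}
</SCRIPT>
</HEAD>
<BODY onload="runProbes()">
This window is an HTA; the script behind it runs with no web-page sandbox.
<PRE ID="out"></PRE>
<BUTTON onclick="self.close()">Exit</BUTTON>
</BODY>
</HTML>
```

The Run key is enumerated through ExecMethod_ rather than a direct call to EnumValues because JScript cannot receive a method’s output parameters the way VBScript can; the names come back in the returned object as a SAFEARRAY, hence the VBArray wrapper. If you want to see how exposed a machine is, the first probe is the one to check: if it reports mshta.exe, any .hta attachment that gets double-clicked will run with the user’s full rights.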

The bugs that allowed the KakWorm family to proliferate have been patched, but security concerns about the whole .hta concept keep surfacing, and mshta.exe still ships with current versions of Windows, so an HTA attachment is as capable today as it was then. If you want to be profoundly disturbed you could visit Georgi Guninski’s site for his latest discoveries in reading, writing and executing local files using scripting languages and Internet Explorer. He even includes sample code, demonstrations and information on how to protect yourself.

If you fancy writing a few scripts yourself, take a look at Microsoft’s introduction, or the more detailed coverage. Here you’ll find an introduction to the JScript language and a complete command reference.

Have fun. Just don’t send me your results!

What can DMI do for me?

If you’re an information technology manager in a tangle over maintaining numerous PCs, don’t stress: DMI-compliant systems can help your networked environment run smoothly and efficiently.

DMI, or Desktop Management Interface, enables network administrators to remotely troubleshoot, upgrade and catalogue office PCs.

The DMI standard was created by the Distributed Management Task Force, an industry organisation concerned with simplifying PC management. Management software, such as Intel’s LANDesk Client Manager, HP’s TopTools and Dell’s OpenManage, can communicate with a DMI-compliant system’s motherboard, hard drive, and network card to determine processor temperature or potential hard drive failure. If a DMI-compliant client system has a Wake-on-LAN-capable network card, an IT manager can start it up remotely and perform diagnostics. And that’s just the beginning.

Stacy Hand, group product manager of managed desktops at Gateway, describes how a DMI-compliant system with a blank hard drive can be plugged into a department LAN, booted from a drive image on a server, then directed to download an operating system and applications. DMI-compliant systems can also allow an IT manager to upgrade multiple PCs during off-hours.

Not long ago, says Hand, there weren’t enough managed PCs in most offices to make remote management worthwhile. Now, however, managed systems are becoming common, and the management software packages are competing for that market.

geoff_palmer@idg.co.nz

PC World Staff