Kaspersky Lab Warns Over PIF Format Files

As new variants of the infamous ILOVEYOU virus continue to arrive on
users' PCs with monotonous regularity, Kaspersky Lab has warned users
to be on the lookout for a new generation of malware using the
program information file (PIF) format.
The Russian IT security specialist said that while there are some
quite legitimate files being sent by e-mail with the PIF file
extension, PC users should nevertheless be very wary of any file with
a PIF extension.
PIF files are standard Windows files that are normally used by the
operating system to store information about start up properties for
DOS-applications.
According to Kaspersky, PIF files contain the necessary details of an
application, such as its name, size, location, creation and modification
date, default screen size, memory usage, idle sensitivity and so on.
This Windows feature, the firm said, enables users to avoid making
multiple adjustments to the DOS-application operating mode each time
they are started.
The problem with these files, Kaspersky said, is that some people are
now tending to run PIF files received from untrustworthy sources,
without performing a comprehensive anti-virus check, thinking that no
malicious code can hide inside.
In fact, the firm said, PIF files can contain hidden executable
modules, for instance, BAT, EXE or COM programs that will be
automatically executed after the host file is run.
One example of the misuse of PIF-files is the Internet worm MTX that
was originally discovered in September and caused an epidemic in many
countries around the world.
While the infected files it distributes via e-mail have a PIF
extension, they are, in fact, ordinary Windows EXE-files
that were intentionally renamed. When such a "PIF-file" is started,
the original malicious code is automatically executed causing the
system infection.
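
The renamed-EXE case described above can be caught by looking at a file's leading bytes instead of its extension. The following Python check is an added example, not code from Kaspersky Lab or the original article; the function name, verdict strings and sample byte strings are constructed for illustration.

```python
import struct

def classify_pif(name: str, data: bytes) -> str:
    """Triage verdict for an attachment by name and leading bytes (hypothetical helper)."""
    if not name.lower().endswith(".pif"):
        return "not-pif-extension"
    # DOS and Windows EXE files start with the two-byte "MZ" signature.
    if data[:2] != b"MZ":
        # Not a renamed EXE. This is not a clean verdict: the file still
        # needs an anti-virus scan before anyone runs it.
        return "no-mz-header"
    # In an MZ header, the 32-bit little-endian field at offset 0x3C
    # (e_lfanew) points at the "PE\0\0" signature of a Windows executable.
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "renamed-windows-pe"
    return "renamed-dos-mz"

# Constructed sample inputs (not real malware, not taken from the article).
# Minimal header: "MZ", padding up to 0x3C, e_lfanew = 0x40, then "PE\0\0".
CONSTRUCTED_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
# MZ signature with no PE signature behind it (plain DOS executable layout).
CONSTRUCTED_DOS = b"MZ" + b"\x00" * 0x40
# Bytes that do not begin with MZ, standing in for a non-EXE file.
CONSTRUCTED_OTHER = b"\x00" * 0x200

def triage(attachments):
    """Map each (name, data) pair to its verdict."""
    return {name: classify_pif(name, data) for name, data in attachments}

if __name__ == "__main__":
    samples = [
        ("README.TXT.pif", CONSTRUCTED_PE),
        ("GAME.PIF", CONSTRUCTED_DOS),
        ("SETTINGS.PIF", CONSTRUCTED_OTHER),
        ("notes.txt", b"hello"),
    ]
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```

Either "renamed" verdict is grounds to quarantine the attachment; "no-mz-header" only rules out this one trick.
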
Denis Zenkin, Kaspersky Lab's head of corporate communications, said
that it is important for PC users to realize that PIF files are not
as harmless as they may look.
"Besides ingeniously hidden PIF viruses, they can carry other types
of malware. We recommend users not to run these files, especially if
they are received from an untrustworthy source," he said.
Kaspersky's Web site is at http://www.kasperskylabs.com.