PUA.Windows.DoubleExtension is a ClamAV detection where a virus file has two extension names designed to trick a user to running it. Many people have learned that text files (.TXT) and image files (.GIF, .JPG, etc.) are safe to launch because they are data and not executable software. They have learned to be leery of .EXE, .VBS and other extensions that are executed immediately. Thus, virus writers try to trick more people using double extensions, so “I LOVE YOU.TXT.vbs” is really not a .TXT file, but a .vbs file, a Visual Basic Script that is executed immediately. Some mail programs may actually remove the .vbs at the end of the name, leaving users completely helpless to make a determination even if they knew what to look for. This mentality is pervasive. Out of the box, Windows defaults to hiding file extensions in all displays, which is beyond absurdity considering the importance of this file identifier in everyday operations.

doubleextension

The use of double file extension spread after Micorsoft set “Hide known file types extensions” option enabled by default for Windows XP and newer systems – this is still the default behavior on Vista, 7, 8/8.1 – opening the ground for attack exploiting hidden files extensions. This option allows an attacker to trivially add a file extension before the true one in order to mask the real nature of the file – being the last file extension hidden by default to end users by the system in file browser and most applications following system’s file browser policies. In this way an executable file that should trigger a great level of awareness and caution from user (e.g. .exe, .scr, .bat, .vb, .js…) can be easily masked as harmless, common, file type to mislead end user.

PUA.Windows.DoubleExtension