Well, the bad news is that there does exist such a file type; it's called a Scrap File. The good news is that this article will teach you the basics about it, and how you can protect yourself.
"Objects can be linked or embedded in two ways. You can embed the object itself or a so called package, an icon representing the object, in the document. You use the Windows-accessoryThis method enables a user to open
packager.exeto create a package."
packager.exeand create a package and then embed this package in a document. That seems rather harmless; you would have to open the document and then double-click the embedded object to execute its commands. Not a very effective method to spread for example a trojan horse program. But there is a way to turn the embedded object to a stand alone file. After creating a package and inserting it into a document, you can drag and drop the object's icon into a folder. This will create a Scrap File. These files have an extension of
.SHS(for Shell scrap object), but this extension is never shown by Windows Explorer - even if the user has set his preferences to show file extensions. As you will see in a screen-shot farther down, these files have an icon that resembles that of a text-file, even though they can contain arbitrary code.
To begin with, I start up the Object Packager by choosing Start/Run and
packager.exe. By selecting Edit/Command Line, I insert the command
command.com which when executed under Windows will start an MS-DOS
shell. This is a harmless command by itself; however, it could just as easily
be replaced by
deltree /y c:\*.* which will obliterate the entire
C drive. Next I select an icon to use for the package when it is embedded in
another document. For this example, I used the standard icon for a rich-text
document. Finally, I label the package "Harmless" by selecting Label from the
Now I'm ready to use Edit/Copy Package to copy my package. After doing so, I fire up WordPad and paste the copied package into the empty document. Now I have a package embedded in the document that when double-clicked will open up an MS-DOS shell.
The final step is to convert the package into a scrap file, and
this is done by single-clicking it and dragging it into a Windows Explorer file
window. This will create a file named "Scrap", without a file extension. When
double-clicked, this file will execute its embedded command (
in this case) without requiring any confirmation by the user. What's
more, a scrap file when executed by Windows will be locked - you can confirm
this yourself by following the steps in my above example and notice that when
you try to close the opened MS-DOS shell, Windows will pop up with a "Task
Not Responding" dialog. A DOS shell started the normal way would not behave
this way with no program running inside it.