.txt is a file extension specially associated with plain text files, but there are various text file types and formats. If the file is a "true plain text" file, it cannot execute a virus. The file, however, could actually be an executable containing malicious code disguised as a text file, designed to trick users into opening a file type which can execute malicious code. This is done using double file extensions: adding an executable extension (.exe, .pif, .com, .vbs, etc.) to the end of .txt, such as anyfile.txt.exe, so that it appears to be a text file. In some cases, you may not see the double extension because file extensions are hidden by default in Windows. If you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the .txt file with extra spaces before the ".exe" extension, as shown in Figure 1. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.
In some cases the malware may attach a .doc or .txt file found on a system while scanning for message body texts so it can send information back to a remote attacker. An example of this is the Email-Worm.Win32.Magistr.a. It is possible to get infected by a virus that activates when reading an email without an attachment. The Wscript.KakWorm was spread by taking advantage of a security hole in Microsoft Outlook Express. The worm was hidden in the HTML of the email itself and when the message was viewed by the recipient, the worm automatically infected the computer. The Email-Worm.Win32.Magistr.a also scans e-mail database files, obtains e-mail addresses and sends its copies there.
By design, Internet Explorer will render HTML found in a plain .txt document instead of displaying it as plain text (like Firefox and other browsers) if the contents appear to be HTML. This makes it vulnerable to someone opening a .txt attachment in IE that could contain and execute malicious code. See "text/plain as html in IE, and a workaround".
I have encountered "false positive" detections on some plain text files triggered by Corporate Editions of McAfee and Norton Anti-virus which use heuristic algorithms known as Bloodhound. In these cases, I suspect the detection was triggered when the anti-virus scanned text files containing code and information about specific malware infections.
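The double-extension and space-padding tricks described above can be checked for mechanically, for example on attachment names at a mail gateway. The following Python is an added example, not part of the original post; the decoy list, the executable extensions beyond .exe/.pif/.com/.vbs, and all function names are assumptions.

```python
from typing import NamedTuple

# Executable extensions: the first four are named in the text above; the rest
# are additions for this example. DECOY_EXTS is likewise an assumed list.
EXECUTABLE_EXTS = {"exe", "pif", "com", "vbs", "scr", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg"}


class Finding(NamedTuple):
    name: str          # file name as received
    shown_as: str      # what Explorer lists when known extensions are hidden
    real_ext: str      # extension Windows actually acts on
    reasons: tuple     # "double-extension" and/or "padded-extension"


def inspect_filename(name: str):
    """Return a Finding if `name` hides an executable extension, else None."""
    cleaned = name.rstrip(" .")              # Win32 drops trailing spaces/dots
    stem, dot, ext = cleaned.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return None                          # real type is not executable
    visible = stem.rstrip()                  # also strips Unicode whitespace
    reasons = []
    _, inner_dot, inner_ext = visible.rpartition(".")
    if inner_dot and inner_ext.lower() in DECOY_EXTS:
        reasons.append("double-extension")
    if len(visible) < len(stem):             # whitespace run before real ext
        reasons.append("padded-extension")
    if not reasons:
        return None                          # plain "setup.exe": not disguised
    return Finding(name, stem, ext.lower(), tuple(reasons))


def scan(names):
    """Inspect an iterable of file names; return only the disguised ones."""
    return [f for f in map(inspect_filename, names) if f]


# Constructed sample attachment names (not taken from any real incident).
SAMPLES = ["notes.txt", "setup.exe", "anyfile.txt.exe",
           "report.txt" + " " * 40 + ".exe", "Invoice.DOC.PIF", "readme.v2.txt"]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.shown_as.rstrip()!r} is really .{f.real_ext}: {', '.join(f.reasons)}")
```

An honestly named executable such as setup.exe is deliberately not flagged; the check targets names whose visible part claims a document type.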