Do not fall into dangerous file traps

Suitable for readers: Intrusion lovers and common netizens
Prerequisites: None

Do not fall into dangerous file traps

Text/figure Peng Wenbo

Even without warning, we opened a batch of readme.txt files or a. bat batch file. Can you ensure that these files are absolutely safe? Similarly. hlp (Help file ),. pif (shortcut to DOS ),. files such as lnk (Windows shortcuts) are at the same risk. When we are not careful, we may fall into these file traps. Although some files are easy to judge, other files with "traps" are not easy to judge. Next, let's take a look at some of the typical file traps.

Steal the bar: Starting from HTML web files

HTML files are the most common files. However, HTML is also one of the most dangerous file formats. It has a function to call External Object scripts, it can cause a lot of trouble to users.

1. HTML file association

Next, let's look at a common example. Now, there is a file in our email that looks like this: your confidential file .txt ". Are we sure it is a plain text file? On the top of the page, the corresponding file name can contain confidential file .txt .". ". Double-click it and you will call HTML to run it. You may have started formatting the D disk in the background.

2. WScript and file traps

When talking about the hazards of the above files, we should talk about WScript. In the Windows Scripting Host script environment, you can use several built-in objects to obtain environment variables, create shortcuts, load programs, read and write registries, and other functions. The following describes how to use the *. vbs file:

Set so = CreateObject ("Scripting. FileSystemObject ")
So. GetFile (c:. exe). Copy ("e:. exe ")

TIPS: The full name of WScript is "Windows Scripting host.exe, corresponding program". "wscript.exe" is a script language interpreter located in C: WINNTsystem32, which enables the script to be executed, with the same effect as the execution of batch processing.

Let's analyze the above Code in detail, which can copy files to a specified location. The first line is to create a file system object, and the first line is to open the script file. "c:. exe" indicates the program itself and is a complete path file name. The GetFile function obtains the file, and the Copy function copies the file to the root directory of the E disk. This is also a feature of most VBscript viruses. They are almost silent during the destruction process, and there is no prompt when running them. It can be said that they "sneak into the night with the wind, and let things go silently ".

3. Identification and prevention methods

It can be seen that disabling related objects can effectively control the spread of such code. Use "Regsvr32 scrrun. the dll/u command can disable file system objects. In addition, in Windows 2000, double-click the "my computer" icon and execute the "tools/Folder Options" command, select the "File type" tab, find the "VBS VBScript Script File" option, click the [delete] button, and then click [OK. 1.

 
Figure 1

In addition, WSH 5.6 can be upgraded to prevent Web browsers from being modified by malicious scripts, because WSH in earlier versions of IE 5.5 allows attackers to use the Getobject function in JavaScript and Htmlfilr ActiveX object to read the viewer's registry, you canWww.microsoft.comDownload the latest WSH version.

Tian outsiders: Trap files in OutLook

1. Typical trap email Analysis

In Outlook, we can easily receive the modified OLE (Object Linking and Embedding, Object link and Embedding) Object, which is similar to the preceding HTML file and is not a real email attachment. The following is a typical example:

Step 1: Open OutLook2000 and create an email. Select "formatted text" under the "format" menu, and click the left mouse button in the mail body. Then, select "object" under the "insert" menu and select "Browse" after "created by File ". Now, you can select notepad.exe under the Windows directory and click "OK". The icon will appear in the new email body section.

Step 2: Right-click the icon, select "Edit package", open the object packaging program, select the "insert icon" button, and select "Browse ". Take Windows 2000 as an example. Select C: Confirm and click "OK ". 2.

 
Figure 2

Step 3: exit the object packaging program and select "yes" when prompted for update ". The current output is readme.txt, which is generally considered as a local text file attachment. Double-click this icon. If it is a virus file, the consequences can be imagined. This is very common. 3.

 
Figure 3

In fact, when you use OutLook2000 to receive such an email, it will show that it is an email with an attachment. When you think it is a text file attachment, double-click it to open it, outLook will prompt that the object carries a virus and may cause harm to the computer. Therefore, ensure that the object source is reliable.

2. How to Prevent trap emails

In the actual prevention process, we need to understand that it is actually an OLE object, not an attachment. When you double-click it, the security prompt is different from the security prompt of the attachment, which is very important. When "file"> "Save attachment" is selected, no dialog box is displayed.

TIPS: because not all mail sending and receiving software supports object embedding, the format of such mail may not be recognized by some software, such as OutLook Express. However, OutLook is widely used, so it is necessary to be careful.

Crossing the sea over the past few days: Anti-spam files and prevention by using SHS

This situation is common: When you double-click a text file, the system will flash a DOS window, and then hear the hard disk constantly reading and writing, this may be a. shs file.

1. Basic knowledge of SSP file traps

A special type of OLE (Object Linking and Embedding, Object connection and Embedding) objects can be created by Word documents or Excel workbooks. That is to say, the command we entered is embedded into the file created by the object package as an OLE object. When you copy objects between different files, in Windows, objects are encapsulated into fragments for copying. Therefore, once we do not copy and paste the object between files, but directly paste the fragment object to the hard disk, A. SHS file will be generated. This fragment object file stores the functions of the original object. The commands contained in the original object will also be parsed and executed. This is what is terrible! If the file contains commands such as "Format", it will be terrible!

2. Specific examples of trap files

So what is the threat to the user's computer caused by the fragment object?

Step 1: Create a readme.txt file on the hard disk, and then create a fragment object file that can delete the test file. Run packager.exe, the object package program under c:/winnt/system32. After creating a new file, open "import" under the "file" menu. A file dialog box is displayed, allowing you to select a file. You can select a file.

Step 2: Click Edit orders in the text box, enter "cmd.exe/c del d: readme.txt" in the prompt line Input dialog box, and click "OK ". Select "edit"> "Copy data packet" from the menu, as shown in figure 4.

 
Figure 4

Then, right-click the desktop and select "Paste" from the pop-up menu. Then we can see that a fragment object file is created on the desktop. After double-clicking the command, the CMD window will flash and go to disk D to check whether the test file D: readme.txt has been deleted! If this command is a dangerous command such as Format, the consequences can be imagined.

3. methods to prevent the spread of Files

The fragment file icon is similar to the text file icon, but we can set it in the Registry to display the extension of the SHS file. Run the Registration Table editor regedit.exe and delete the default ShellScrap value under the HKEY_CLASSES_ROOT.shs primary key. Now, double-click the. SHS file and the file will not be executed. 5.