Three types of dangerous TXT files


I. An HTML File Hiding Behind a TXT Extension
If the attachment you received contains a file shown as "QQ mail.txt", do you assume it must be a plain-text file? Not necessarily! The actual file name can be "QQ mail.txt.{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}". In the registry that CLSID stands for an HTML document, but when the file name is displayed the CLSID part is dropped, and all you see is a TXT file. The file is in fact equivalent to "QQ mail.txt.html". Why is it dangerous to open such a file directly? Consider a file whose content is as follows:
You may think it will be opened by Notepad, but when you double-click it, it runs as HTML and silently starts formatting drive D in the background, while a dialog saying "Windows is configuring the system. Please do not interrupt this process." fools you. Is that dangerous enough for a TXT attachment?
How the trick works: the disguised file runs as an HTML file; that is the precondition for the whole attack.
Lines 2 and 3 of the file are the key to the damage. One of them is the executor of the destructive action, the place where a destructive command is loaded. So what is line 2? You may have noticed "WSH" on line 2. Right: it is the director of the whole show, the boss behind the scenes!
WSH is the Windows Scripting Host. It was newly added in Windows 98 and is a batch-language/automatic-execution tool. Its program, wscript.exe, is a script-language interpreter located in C:\Windows; it makes a script executable, just like running a batch file. The Windows Scripting Host environment predefines a number of objects, and with these built-in objects a script can read environment variables, create shortcuts, launch programs, read and write the registry, and so on.

Identification and prevention methods:

① When such a fake TXT file is displayed, its icon is not the text-file icon but the icon for an undefined file type. That is the easiest way to tell it from a normal TXT file.
② Another way is to display the full file name: in "My Computer" with "View as Web Page" enabled, the left pane shows the complete name, and you can see that it is not a real TXT file. The problem is that beginners lack the experience to notice, and veterans may open it simply through inattention. So once again: for an attachment in an email, do not look only at the displayed extension; pay attention to which icon is actually shown.
③ If someone sends you a TXT file as an attachment, download it, right-click it and choose "Open With" → "Notepad". That way it is safe.

II. Malicious Scrap Object Files
Another type of dangerous TXT file is what Windows calls a "scrap object" (extension .shs). It is usually disguised as a text file sent as an email attachment, for example "QQ number.txt": because the ".shs" suffix is not displayed, "QQ number.txt.shs" appears as "QQ number.txt". If such a file contains a command like format, the consequences are terrible. In addition, the following four properties make it harmful:
① The default icon of a scrap object file resembles the Notepad file icon, so it is easily mistaken for a text document, and users are not on guard against it.
③ Even if you are suspicious, no anti-virus software will find anything wrong with the file, because the file itself carries no virus, is not an executable, and is a legitimate system file type. Would you suspect such a file?
④ This kind of attachment virus is very easy to create; it can be learned in five minutes and requires no programming knowledge (everyone knows the command that formats drive C, "format C:" ^_^).
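As an added example (not code from the original article), the following PowerShell function audits a folder of saved attachments for the two name-hiding tricks described in sections I and II: a trailing `{CLSID}` that Explorer strips from the displayed name, and a real extension whose ProgID carries the NeverShowExt registry value, which is how .shs scrap objects hide their suffix. It generalizes slightly beyond the article, since any NeverShowExt class (shortcuts, for instance) is reported the same way. The folder path is an assumption; the function only reads file names and the registry and never opens the files.

```powershell
# Added example, not from the original article. Audits a folder for file
# names whose displayed form hides the real type. Read-only: it never opens
# the files. Assumes Windows PowerShell; the HKCR: drive is mapped if absent.

function Get-HiddenTypeFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path   # folder of saved attachments (assumed path)
    )

    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # ".{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" at the end of a name: Explorer
    # drops this suffix, so "mail.txt.{3050f4d8-...}" is shown as "mail.txt".
    $clsidPattern = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $file      = $_
        $finding   = $null
        $displayed = $file.Name

        if ($file.Name -match $clsidPattern) {
            $clsid     = $Matches[0].TrimStart('.')
            $displayed = $file.Name -replace $clsidPattern, ''
            # HKCR\CLSID\{...} (default) names the class the shell uses to open
            # the file, e.g. an HTML document class for the CLSID in the article.
            $handler = (Get-ItemProperty -LiteralPath "HKCR:\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            if (-not $handler) { $handler = 'unregistered CLSID' }
            $finding = "CLSID suffix hides real type; opens with: $handler"
        }
        elseif ($file.Extension) {
            # Resolve extension -> ProgID, then look for NeverShowExt on the ProgID key.
            $progId = (Get-ItemProperty -LiteralPath "HKCR:\$($file.Extension)" -ErrorAction SilentlyContinue).'(default)'
            if ($progId) {
                $progKey = Get-Item -LiteralPath "HKCR:\$progId" -ErrorAction SilentlyContinue
                if ($progKey -and ($progKey.GetValueNames() -contains 'NeverShowExt')) {
                    $displayed = $file.BaseName
                    $finding   = "extension '$($file.Extension)' (ProgID $progId) is hidden by NeverShowExt"
                }
            }
        }

        if ($finding) {
            [pscustomobject]@{
                FullName    = $file.FullName
                DisplayedAs = $displayed
                Finding     = $finding
            }
        }
    }
}

# Usage (the path is an assumption): list every suspicious name, then inspect
# the files with a safe viewer such as Notepad rather than double-clicking.
Get-HiddenTypeFile -Path "$env:USERPROFILE\Downloads\attachments" | Format-Table -AutoSize
```

The `DisplayedAs` column is what Explorer would have shown next to the real full name, which is the comparison the article's identification methods ① and ② ask the reader to make by eye.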

1. A concrete example
So what threat does a scrap object pose to a user's computer? Let's run a test to find out. The test environment is the Chinese version of Windows 2000 Server. Create a test file test.txt on the hard disk (I created D:\test.txt), and then create a scrap object file that deletes that test file.
① First, run packager.exe (the Object Packager). On my Windows 2000 Server it is located in \WINNT\system32.
② After a new package is created, open the menu "File" → "Import". A file dialog appears that lets you select a file; choose any file.
③ Next, open the editor and click "OK". In the command-line input dialog that appears, enter "cmd.exe /C del D:\test.txt".
④ Then choose "Edit" → "Copy Package" from the menu.
⑤ Then find a place on the hard disk; I used the desktop directly. Right-click the desktop and choose "Paste" from the shortcut menu, and you will see a scrap object file created on the desktop.
Now double-click the file. A CMD window flashes by; go to drive D and check: the test file D:\test.txt has been deleted! So the command entered in Object Packager was executed. Dangerous! How terrible it would be if the command deleted an important system file, or ran a dangerous command such as format!
Let's take a look at the true face of this "stealth killer"!

2. Technical principle
According to Microsoft's explanation, a scrap file is a special type of OLE (Object Linking and Embedding) object, which can be created from a Word document or an Excel workbook. You create a Windows scrap object by selecting a text or image area in a document and dragging it somewhere onto the desktop; the result is also called a scrap file (which is not human-readable). You can rename the object to any other file name you want, or drag and drop it into another document (likewise, you can cut and paste it).
That is to say, the command we entered is embedded as an OLE object into the file created by Object Packager. To make copying embedded objects between files convenient, Microsoft uses a technique called the shell scrap object: when you copy an object between different files, Windows wraps it in a scrap object for the copy. So when, instead of pasting into another document, we paste the scrap object directly onto the hard disk, a .shs file is generated. This scrap file retains the functions of the original object, and the commands contained in the original object are still parsed and executed. That is what makes it terrible!

3. Defense methods

(1) The brute-force method
Since the file is not an executable, some other program is needed to parse and run it, so we can simply remove that association to eliminate the threat. Run the Registry Editor regedit.exe and delete the default value "ShellScrap" under the key HKEY_CLASSES_ROOT\.shs. Now double-click a .shs file: does it still run? No. A dialog appears asking you to choose the program to open the .shs file with; choose "Notepad", which is perfectly safe. A more thorough approach is to open HKEY_CLASSES_ROOT\ShellScrap\Shell\Open\command and remove the file association completely. Then double-clicking the file does not even show the program-selection dialog; it simply demands that the file association be rebuilt from Control Panel.

(2) The "gentle" method
① Under the key HKEY_CLASSES_ROOT\ShellScrap in the Registry Editor there is a value named "NeverShowExt", which is the culprit behind the ".shs" extension not being displayed. Delete this value and the ".shs" extension becomes visible.
② Change the default icon of "Scrap object" files. Because the default scrap object icon closely resembles the text-file icon, it easily lulls users, so we change it. Open Explorer, choose "Folder Options" under the "View" menu, select the "File Types" tab in the dialog that appears, and find "Scrap object" under "Registered file types". Click the "Edit" button at the upper right; in the "Edit File Type" dialog click "Change Icon", open C:\Windows\System\pifmgr.dll and choose a new icon for ".shs" files from those displayed.

(3) Further preventive measures
① If a virus file hides its real extension ".shs" and your anti-virus software is set to scan only specified file types rather than all files (for example, only executables), it will not detect the virus. Therefore add ".shs" to the list of scanned file types; this is easy to configure in anti-virus software.
② Disable "Scrap objects" and "Shortcuts to documents".
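The registry checks behind methods (1) and (2) can be turned into an auditable script. The following PowerShell function is an added example, not the article's own code: it reports how scrap objects (.shs) and document shortcuts (.shb, the "shortcuts to documents" of measure ②) are wired up in HKEY_CLASSES_ROOT and, only when `-Remediate` is given, applies the gentle fix of removing NeverShowExt so the extension is shown. It assumes an elevated Windows PowerShell session for the write; without `-Remediate` it is read-only.

```powershell
# Added example, not from the original article. Reports the .shs/.shb
# associations and, only with -Remediate, removes NeverShowExt from the
# ProgID key so the real extension is displayed. Writing HKCR needs an
# elevated shell; -WhatIf previews the change without applying it.

function Test-ScrapObjectHandling {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch] $Remediate
    )

    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    foreach ($ext in '.shs', '.shb') {
        # Extension key (default) -> ProgID, e.g. ".shs" -> "ShellScrap".
        $progId = (Get-ItemProperty -LiteralPath "HKCR:\$ext" -ErrorAction SilentlyContinue).'(default)'

        if (-not $progId) {
            # Nothing registered: a double-click can only raise the "Open with"
            # dialog, which is the end state of the brute-force method above.
            [pscustomobject]@{ Extension = $ext; ProgId = $null; OpenCommand = $null; ExtensionHidden = $false }
            continue
        }

        $progPath = "HKCR:\$progId"
        $progKey  = Get-Item -LiteralPath $progPath -ErrorAction SilentlyContinue
        $hidden   = [bool]($progKey -and ($progKey.GetValueNames() -contains 'NeverShowExt'))
        # The handler that runs on double-click, if any (method (1) removes it).
        $openCmd  = (Get-ItemProperty -LiteralPath "$progPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'

        if ($hidden -and $Remediate -and $PSCmdlet.ShouldProcess($progPath, 'Remove NeverShowExt')) {
            Remove-ItemProperty -LiteralPath $progPath -Name 'NeverShowExt'
            $hidden = $false
        }

        [pscustomobject]@{
            Extension       = $ext
            ProgId          = $progId
            OpenCommand     = $openCmd
            ExtensionHidden = $hidden
        }
    }
}

Test-ScrapObjectHandling                      # report only
Test-ScrapObjectHandling -Remediate -WhatIf   # preview the registry change
```

Run the report first: if `ProgId` is empty for `.shs`, the association is already gone and there is nothing to hide or to execute; if `ExtensionHidden` is true, the gentle method applies and `-Remediate` (without `-WhatIf`) removes the value.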

III. Disguised Outlook Email Attachments
Besides the two kinds of dangerous "TXT" file above, there is a third: a disguised Outlook email attachment! That is, something that looks like a txt file but is actually an EXE. The following describes it in detail for Outlook 2000, Simplified Chinese version.
1. Create a new mail and insert notepad.exe into it; it appears with its own icon.
2. Right-click the notepad.exe icon and choose "Edit Package" to open Object Packager. Choose "Insert Icon", then "Browse", select Windows\System\shell32.dll, pick an icon from the current icon box, for example the text-file icon, and press "OK". Then choose "Edit" → "Label" from the menu bar, enter "hello.txt" as the name, and click "OK".
3. Exit Object Packager and choose "Yes" when prompted.
4. Now "hello.txt" appears in the mail. Most people will take it for an ordinary text-file attachment; I doubt anyone would suspect it is something else. Double-click the icon and see what happens: it is not a text file, it is notepad.exe! If it were a virus file, the result can be imagined!
In fact, when you receive such a mail in Outlook 2000, it shows as a mail with an attachment. When you take it for a text attachment and open it, Outlook prompts: "Some objects may contain viruses that could harm your computer. Make sure the object's source is reliable. Do you want to trust this embedded object?" People with strong security awareness generally choose "No" (the right choice); ordinary users may choose "Yes" (and then you are in trouble!).

Recognition methods: do not be afraid. Confusing as it is, the disguise still gives itself away:

1. It is actually an OLE embedded object, not an attachment. When you select it, the selection frame differs from the one drawn around an attachment, and so does the right-click menu that appears.
2. When you double-click it, the security prompt differs from the prompt for an attachment; this is very important. Choose "No" here, then right-click the object and choose "Edit Package" (if you want to trust the object, choose "Yes" instead). The content box on the right of Object Packager shows the object's original form; in this example "Notepad.EXE backup" is displayed. The key is to check whether the packaged file is an executable.
3. Because it is not an attachment, no dialog appears when you choose "File" → "Save Attachments".
4. Because not all mail software supports object embedding, some clients such as Outlook Express may not recognize the format of such mail. But Outlook is widely used, especially in large companies running their own mail servers, so everyone should treat embedded objects with caution, and not only in Outlook: Word, Excel and any other software that supports embedded objects can be used to disguise an embedded object and confuse people.
