Beware of three types of dangerous TXT files

  
I. TXT files that hide an HTML extension

If you receive an email attachment that appears as "QQ nickname to send.txt", do you assume it is definitely a plain text file? Not necessarily! Its actual file name can be QQ nickname.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}.

{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} is the identifier of the HTML file association in the registry. It is not displayed as part of the file name, so what you see is a .txt file. The file is actually equivalent to QQ nickname.txt.html. So why is it dangerous to open this file directly? Suppose the contents of the file are as follows:

You might think that double-clicking it opens Notepad, but it is actually run as HTML and automatically starts formatting drive D in the background. It also displays a dialog box reading "Windows is configuring the system. Plass do not interrupt this process." to deceive you. So is it dangerous to open a .txt attachment casually?

How the deception works: when you double-click this disguised .txt, its real file extension is .{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}, which is the same as .html. The file therefore runs as an HTML file, which is the prerequisite for the attack to work.

Lines 2 and 3 of the file's content are the key to its destructive effect. The third line carries out the damage; commands with destructive properties can be loaded there. So what is the second line? You may have noticed "WScript" in line 2. It is the director of the whole scene, the mastermind behind it!

WScript stands for Windows Scripting Host. It is a new addition in Win98, a batch language and automatic execution tool. Its corresponding program, "WScript.exe", is a script language interpreter located under C:\WINDOWS, and it makes it possible for scripts to be executed just like batch files. The Windows Scripting Host environment predefines some objects, and through these built-in objects a script can obtain environment variables, create shortcuts, launch programs, and read and write the registry.

Identification and prevention methods:

1. This deceptive .txt file does not show the text file icon; it shows the icon for an undefined file type, which is the best way to distinguish it from normal TXT files.

2. Another way to identify it is that the full file name is displayed on the left side of "My Computer" when viewed in "Web page" mode (see Figure 1). At that point you can see that it is not a real TXT file. The problem is that many beginners do not have enough experience, and even a veteran may open it through inattention. So, once again: when you receive an attachment, pay attention not only to the extension that is shown, but also to which icon is actually displayed.

3. For files from other people that appear to be TXT attachments, you can save them, then right-click and choose to open them with Notepad, which is safe.
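The identification steps above can be automated wherever attachment names are visible before a user sees them. The following is an added example, not part of the original article: it flags names whose real final component is a CLSID or a shell-hidden extension such as .shs. The function name and the decoy extension list are assumptions for illustration.

```python
import re

# Trailing ".{CLSID}" component: the shell resolves the handler from the CLSID
# and does not display this part of the file name.
CLSID_EXT = re.compile(
    r"\.\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}$"
)
# CLSID named in the article; any other CLSID is reported as unknown.
KNOWN_CLSIDS = {"3050F4D8-98B5-11CF-BB82-00AA00BDCE0B": "HTML document"}
# Extensions hidden by NeverShowExt (.shs is from the article; .shb is the
# "shortcut to document" type it mentions).
HIDDEN_EXTS = {".shs", ".shb"}
# Harmless-looking inner extensions (assumed list, extend as needed).
DECOY_EXTS = (".txt", ".doc", ".jpg", ".gif")


def inspect_attachment(filename):
    """Return (displayed_name, real_handler, reasons) for an attachment name."""
    name = filename.strip().rstrip(". ")  # Win32 drops trailing dots and spaces
    shown, handler, reasons = name, None, []

    match = CLSID_EXT.search(name)
    if match:
        shown = name[: match.start()]
        handler = KNOWN_CLSIDS.get(match.group(1).upper(), "unknown CLSID handler")
        reasons.append("clsid-extension")
    else:
        stem, dot, ext = name.rpartition(".")
        if dot and "." + ext.lower() in HIDDEN_EXTS:
            shown, handler = stem, "." + ext.lower()
            reasons.append("hidden-extension")

    # The name the user sees ends in a harmless extension: the disguise itself.
    if reasons and shown.lower().endswith(DECOY_EXTS):
        reasons.append("decoy-extension")
    return shown, handler, reasons


if __name__ == "__main__":
    # Constructed sample names, modelled on the article's example.
    for sample in ("QQ nickname.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
                   "readme.txt.shs", "notes.txt"):
        print(inspect_attachment(sample))
```
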

In other words, the command we entered is embedded as an OLE object in the file newly created by Object Packager, and Microsoft uses a technology called Shell Scrap Object (SHS for short): when you copy objects between different files, Windows wraps the object into a scrap object for copying. Therefore, once we copy and paste between files and paste the scrap object directly onto the hard disk, a .SHS file is generated. This scrap object file retains the functions of the original object, and the commands contained in the original object will also be parsed and executed. That is what makes it so dangerous!

3. Precautionary methods

(1) "Savage" method

Since an SHS file is not an executable file, it needs another program to parse and execute it. By removing the association that performs this parsing and execution, we can simply prevent the latent threat in such files. Run the registry editor regedit.exe and, under the HKEY_CLASSES_ROOT\.shs key, delete the default value ShellScrap. Now double-click a .SHS file: it is no longer executed. Instead, a dialog box pops up asking us to choose the program to open the .SHS file with. At this point it is very safe to select Notepad. A more thorough approach is to completely remove the open association for .SHS files under HKEY_CLASSES_ROOT\ShellScrap\shell\open\command. Now when you double-click a .SHS file, the dialog box for selecting a program does not appear; it directly asks for the file association to be rebuilt in the Control Panel.

(2) "Civilization" method

1. In the registry editor, under the HKEY_CLASSES_ROOT\ShellScrap key, there is a value named "NeverShowExt". It is the culprit that prevents the ".SHS" file extension from being displayed. Delete this value and you will see the ".SHS" extension.

2. Replace the default icon for "Scrap object" files. Since the default icon of a scrap object file is very similar to the text file icon, it is easy to be fooled, so we replace its icon. Open Explorer, select "Folder Options" under the "View" menu, select the "File Types" tab in the dialog box that appears, and find "Scrap object" under "Registered file types". Click the "Edit" button in the upper right corner and, in the "Edit File Type" dialog that opens, click the "Change Icon" button at the top. Open C:\Windows\SYSTEM\Pifmgr.dll and select one of the icons that appear as the new icon for ".SHS" files.

(3) More prevention means

1. If a virus file hides its real extension "SHS", and your anti-virus software is set to scan only specified program files instead of all files (for example, only executable files), then the anti-virus software cannot find the virus. So add ".SHS" files to the specified program file types in your anti-virus software. The settings of the various anti-virus products are similar and relatively simple, so please configure this yourself.

2. Disable "scrap object" files and "shortcut to document" files.
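To check which file classes still hide their extension after applying the registry changes above, the audit can be run against a registry export instead of clicking through regedit. This is an added example, not part of the original article: it parses a REGEDIT4-style export of HKEY_CLASSES_ROOT and lists every class that carries NeverShowExt with the extensions mapped to it. The function name is hypothetical and the export text is a constructed sample.

```python
import re

# Matches only keys directly under HKEY_CLASSES_ROOT (".shs", "ShellScrap").
TOP_KEY = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$", re.IGNORECASE)

# Constructed sample export; values are illustrative, not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\ShellScrap\DefaultIcon]
@="example.dll,0"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''


def hidden_extension_classes(reg_text):
    """Map each class that has NeverShowExt to the extensions pointing at it."""
    ext_to_class = {}   # ".shs" -> "shellscrap" (registry names ignore case)
    hidden = {}         # lower-cased class name -> name as exported
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = TOP_KEY.match(line)
            current = match.group(1) if match else None  # subkeys are skipped
        elif current is None:
            continue
        elif current.startswith(".") and line.startswith('@="'):
            # Default value of an extension key names the class that handles it.
            ext_to_class[current.lower()] = line[3:].rstrip('"').lower()
        elif line.lower().startswith('"nevershowext"='):
            hidden[current.lower()] = current
    return {
        name: sorted(e for e, c in ext_to_class.items() if c == key)
        for key, name in hidden.items()
    }


if __name__ == "__main__":
    print(hidden_extension_classes(SAMPLE_EXPORT))
```

An empty result means no exported class hides its extension; a class listed with no extensions means the extension-to-class link was removed but NeverShowExt is still present.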

III. Disguised Outlook email attachments

In addition to the two types of dangerous "TXT" files mentioned above, there is another dangerous "TXT" file: a disguised Outlook email attachment. That is, a file that looks like a TXT file is actually an EXE file! Below I take the Simplified Chinese version of Outlook 2000 as an example and explain in detail.

1. Open Outlook 2000, create a new email, select "Format" → "Formatted Text" in the menu bar, click the left mouse button in the body of the email, select the menu "Insert" → "Object", click "Create from file" → "Browse", select notepad.exe in the Windows directory, and click "OK". notepad.exe and its icon now appear in the body of the new mail.

2. Right-click notepad.exe and its icon, select "Edit Package" to open Object Packager, click the "Insert Icon" button, select "Browse", select Windows\SYSTEM\SHELL32.DLL, choose the icon you want in the current icon box, for example a text file icon, and then press "OK". Then select the menu "Edit" → "Label", enter any name you like, say hello.txt, and click "OK".

3. Exit Object Packager and select "Yes" when prompted to update.

4. What now appears in front of you is hello.txt. The average person will think it is a plain text file attachment, and I believe no one would suspect it is anything else. Double-click this icon and see what happens. Did you notice that it opened notepad.exe? If it were a virus file, you can imagine the result!

In fact, when you receive such an email in Outlook 2000, it is shown as an email with an attachment. When you double-click what you think is a text file attachment, Outlook prompts: some objects may carry viruses that can harm your computer, so make sure the source of the object is reliable. Do you trust the embedded object? People with a strong sense of security will generally choose "NO" (which is correct), while ordinary users may choose "YES" (and then you are in trouble!).
