Su Yue
There is no shortage of anti-virus software and lengthy analysis articles. This article adds a small contribution from an angle few people pay attention to, the file extension, and looks at why, after reading so many of those articles, quite a few people still fall victim.
However much virus types change, a virus must be loaded and executed before it can act. Even when an infected file is already lurking on your computer, or a web page you are browsing asks to load and run JavaScript or an ActiveX control, until you click Run or choose "Yes" the virus is only an unopened Pandora's box. We all know not to casually open executable attachments in e-mail, but the virus writers have evidently read the same warnings, and have started playing psychological and visual tricks so that you believe an attachment is merely a harmless text or image file. Because most people use the Windows family of operating systems, and Windows by default does not display the extension of ordinary registered file types, the moment you click that friendly-looking file, what is inside ... jumps out, and that is the real Diablo.
Take the infamous Love Bug virus. The format of the e-mail that first circulated was as follows:
Subject: I LOVE YOU (even knowing it might be a virus, your heart still skips a beat when you see it :)
Body: kindly check the attached LOVE LETTER coming from me.
Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs (see it? This is the key to the trick)
The variants that appeared later merely changed the subject line to confuse you.
If you take it for a text file and choose to open it, it first copies itself to the hard disk, then sets the registry so that it runs at every boot. In the Windows system directory it names itself MSKernel32.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs. In the Windows directory it creates a script named Win32DLL.vbs.
Next, if you are running mIRC, it tries to spread copies of itself over IRC; if allowed, it also downloads a file named WIN-BUGSFIX.exe from the Internet. That sounds like something to do with fixing bugs, but it is not: this standalone program scans the computer's memory for network passwords and sends them to the virus author.
Of course, this fellow still gives itself away. Look a little more carefully and you will notice that its icon is not the text-file icon but the VB script icon. The problem is that many beginners have never seen this before, and even experienced users may open it through inattention. So here is one more reminder: pay attention to the file format of attachments you receive in e-mail. Do not rely only on the displayed extension, but also check the icon actually shown; at least so far there is no virus that can do damage when loaded as a picture or a text file. Check whether the following two files are present (do not overlook hidden files either):
LOVE-LETTER-FOR-YOU.HTM
LOVE-LETTER-FOR-YOU.TXT.vbs
This is the little extension trick the Love Bug plays. Reason by analogy and stay alert to other viruses that use similar methods to get in and break through a defence you thought impregnable; in the end you cannot blame anyone else. It could just as well be *.jpg.exe (an executable), *.txt.doc (a Microsoft Word macro) ... and so on. Beginners are advised to open the "View - Folder Options" dialog and clear the "Hide file extensions for known file types" check box; then you can see the viruses' tricks at a glance, and it is also easier to choose the right file-type association or change an extension correctly. Once you have mastered the computer and it does your bidding, it will not be too late to change the setting back.
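As an added example (not from the original article), the following Python shows how the "Hide extensions for known file types" setting turns LOVE-LETTER-FOR-YOU.TXT.vbs into a harmless-looking name, and a check a user or mail gateway can apply to attachment names; the two extension lists are assumptions, a representative subset rather than a complete one.

```python
# Added example: model what Explorer displays with extension hiding on,
# and flag names whose visible "extension" is only a decoy.
# Extension lists are constructed for this example (representative subset).
import os

# Extensions Windows runs directly as programs or scripts.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Extensions most people read as "just data".
BENIGN_LOOKING_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".bmp", ".doc",
                       ".pdf", ".htm", ".html"}

def explorer_display_name(filename: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: with hiding on, the final extension of a
    registered type disappears, so only the decoy extension stays visible."""
    stem, ext = os.path.splitext(filename)
    known = ext.lower() in EXECUTABLE_EXTS | BENIGN_LOOKING_EXTS
    return stem if (hide_known and known) else filename

def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real (last) extension is executable while the name
    Explorer would display ends in a benign-looking extension."""
    stem, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(stem)
    return shown_ext.lower() in BENIGN_LOOKING_EXTS

if __name__ == "__main__":
    # Constructed attachment names: the Love Bug one, a lookalike, two normal files.
    for name in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "holiday.jpg.exe",
                 "report.doc", "setup.exe"]:
        print(f"{name:30} shown as {explorer_display_name(name):25} "
              f"deceptive={is_deceptive_double_extension(name)}")
```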
That is the virus-prevention side. On the data-security side, the file extension can also be used to give files a simple "encryption" that protects data to a certain extent. As we know, whatever file Windows opens, it first has to be associated with an executable utility program, usually one with a corresponding icon. If a file is one that neither Windows itself nor any utility registered in the registry can recognize, Explorer shows a plain white sheet with a Microsoft Windows logo, meaning the system does not recognize the file format. If you then double-click it in an attempt to run it, Windows pops up a dialog asking you first to choose the program to associate it with. Simple file encryption can be born from this.
We can change a file's extension to an unconventional name such as *.KKK or *.3TS (provided it does not match the extension of a file already in the current directory), or even remove the extension entirely, so that Windows' default tool IE and ordinary programs can no longer open the file with a click; your children who are just learning the computer will not be able to read your Word documents or your Notepad diary. Of course, some people will first open the utility program and then choose "All Files" to pick the file. For this case you can swap the normal extensions of several file types, for example exchange JPEG pictures with Word DOC documents: viewed in the normal way, or even via "open all files", the content will be garbage, and a snooper is unlikely to think that the file was "encrypted" this way, so any password-cracking tool he uses will be futile. (Super encryption? :) Even if he knows you changed the extension, he cannot easily guess the original correct name at once, and at present there is no brute-force tool that tries different extensions.
Be careful not to change the extension to one of the same family as the original or with almost identical format compatibility. Changing MP3 to MP2 or JPEG to BMP is useless, because Winamp and ACDSee will open the file as usual: many utilities include the ability to recognize different versions and formats of their own class of files. Such names are also easily confused with other files in normal use. The less standard and the more peculiar the new extension, the better; it also lets you know at a glance that this is your own handiwork.
Another advantage of this "encryption" is that you need not remember any password; as long as you know what the file originally contained, you can easily restore the correct extension to edit it (right-click the file and choose Rename, or use the REN command at the DOS prompt, which is the quickest way). Forgetful people might give it a try. Of course, this is only a stopgap; experts and determined people can still see through such methods, and truly important things should be encrypted with dedicated tools. But this method keeps out many novices and the merely curious who have no malicious intent, so it counts as a practical data-security helper.
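The rename "encryption" described above changes only the name, not the bytes, so the caveat a practitioner should weigh is that a content sniffer reading the file header recovers the real type regardless of extension. The following Python is an added example (not from the original article); the signature table and the sample files are constructed here, with only the first bytes of each format.

```python
# Added example: identify a renamed file by its leading bytes ("magic"),
# ignoring the extension, and flag extension/content mismatches.
# Signature table and sample files are constructed for this example.
import os

# Leading bytes of formats the article mentions (JPEG, Word .doc, BMP, MP3, ...).
MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (Word .doc)",
    b"BM": "BMP image",
    b"GIF8": "GIF image",
    b"%PDF": "PDF document",
    b"ID3": "MP3 audio (ID3 tag)",
}

# Extensions that legitimately carry each sniffed type.
EXPECTED_EXTS = {
    "JPEG image": {".jpg", ".jpeg"}, "BMP image": {".bmp"},
    "GIF image": {".gif"}, "PDF document": {".pdf"},
    "MP3 audio (ID3 tag)": {".mp3"},
    "OLE2 compound file (Word .doc)": {".doc"},
}

def sniff_type(data: bytes) -> str:
    """Classify a file purely by its header bytes; the name plays no part."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is recognized but the name's extension does
    not fit it, i.e. the file was renamed (deliberately or by accident)."""
    kind = sniff_type(data)
    ext = os.path.splitext(filename)[1].lower()
    return kind != "unknown" and ext not in EXPECTED_EXTS[kind]

# Constructed samples: a JPEG header renamed to .doc and to .KKK, a Word
# header renamed to .jpg (the swap the article suggests), and an honest JPEG.
SAMPLES = {
    "diary.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "photo.KKK": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "beach.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} -> {sniff_type(data):32} "
              f"mismatch={extension_mismatch(name, data)}")
```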
Well, did you ever expect that file extensions, which you never paid attention to, held so many tricks? Use your head a little more when working with the computer and you will discover many more little-known techniques.