Posted 14 August 2008 - 07:11 AM

Super hide Extensions on Windows (Part 2)


About three months ago I wrote a small tutorial about super hide extensions on Windows
and talked about one of these extensions (.PIF). You can read that at the link below:


I said there that I would continue this page and talk about some other kinds of
them, but really, I had some other work and I forgot about it. I am sorry for that.

Let's continue our discussion about super hide extensions on Windows.

Making a dangerous shortcut with the .PIF extension

Note: When you create a shortcut to an MS-DOS-based program, you are making a PIF file.
This shortcut can be very dangerous, as I will show you in this tutorial.

A PIF file is not an actual file; in reality it is a shortcut, and this shortcut can contain
hidden executable modules (for example BAT, EXE or COM programs).

I can say that if you get PIF files in your email, I think it is mostly at least part of a virus
or trojan.

To see how this file can be dangerous, let's make one of them together.

1. Copy calc.exe from your system32 directory to C:\

2. Right-click on an empty section of the desktop, select New, then Shortcut. A page will appear.
On this page click Browse and select c:\calc.exe (as you see in fig_1 in the attachment).

3. Click Next and you will see another window. In the "Type a name for this shortcut" section, type
Notepad (see fig_2), then click the Finish button. The shortcut for calc.exe (of course with
the name "Notepad") will be created on the desktop (see fig_3).

4. Now change the icon of this shortcut to the txt icon, as in fig_4.

5. At this point we have the icon of a text file, and if we double-click on it, C:\calc.exe
will be run.

Yes, this is not strange and is not dangerous, but what about when a virus writer
does the same process, but in the second step (fig_1), instead of writing c:\calc.exe, writes
format d:

What will happen? The user will think this is a text file, will run it, and in a few seconds he will
lose all the contents of drive D:

So be careful. I tried to say it in a simple way.

.SHS extension

.SHS is an extension that, even if you unhide all extensions on Windows, the system will not
show (I will tell you how to show this extension).

This file can be used by virus or trojan writers and can be very dangerous too.

.SHS stands for Shell Scrap. By using a Shell Scrap, you can include any file you want, even an
executable, in a Word document, and the system will open it for you.

One can change its icon and use it as a virus to hurt you.

Let's try to make an .shs file to know it better:

1. Open WordPad.

2. Go to your system32 directory, drag Calc.exe from there and drop it in the WordPad window
(see fig_5).

3. Go to "Edit" (in the WordPad menu) and select "Package Edit", then click on "Edit Package"
(see fig_6).

4. A window (see fig_7) will be shown. Go to the Edit menu in this window and click on "Command Line"
(see fig_8).

5. A command window will appear. Write your command there, for example type: format d:
(see fig_9) and click OK, then go to File in the menu and click on "Update" and close that window.

6. Click on "Calc.exe" inside WordPad and drag it down to D:\ and you will have the file d:\Scrap

7. Create a shortcut for the scrap and place it on the desktop, then change its icon to a text icon and also
rename it to readme.txt.

8. Now if you run this shortcut (readme.txt), it will format your drive D:


Maybe if we unhide all extensions in Windows, we will have fewer problems with a lot of worms,
trojans, viruses and so on.

On the other hand, we know that even when you have configured Windows to display all file extensions,
there are still some which remain hidden. This allows potentially dangerous files to be masked
as safe files, fooling the user into executing them.

Do as below to unhide most extensions in Windows:

1. Unhide all extensions the normal way (by going to tools/view/ in the menu, enabling "show hidden files
and folders", and also disabling "hide extensions for ..." and also disabling "hide protected

2. Search the registry for occurrences of a value named "NeverShowExt" and delete the value "NeverShowExt".

Note: Editing the registry is dangerous. If you are not familiar with it, it can make your system
work badly or not work at all, so do it at your own risk.

3. For our tutorial, the .shs extension address is at:


4. Some other common hidden extensions are in:

Document Shortcut (.SHB) ___ [HKEY_CLASSES_ROOT\DocShortcut]

Internet Shortcut (.URL) ___ [HKEY_CLASSES_ROOT\InternetShortcut]

File Shortcut (.LNK) ___ [HKEY_CLASSES_ROOT\lnkfile]

DOS Shortcut (.PIF) ___ [HKEY_CLASSES_ROOT\piffile]

Explorer Command (.SCF) ___ [HKEY_CLASSES_ROOT\SHCmdFile]

Shell Scrap Object (.SHS) ___ [HKEY_CLASSES_ROOT\ShellScrap]

There is a lot to talk about, and these are just small notes.

Hope this will help some.

shirin zaban
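
The registry search from step 2 as a read-only PowerShell audit (an added example, not part of the original post): it lists every class under HKEY_CLASSES_ROOT that carries a NeverShowExt value, together with the extensions that resolve to that class. It assumes a Windows host; the variable names are illustrative.

```powershell
# Added example: read-only audit of NeverShowExt under HKEY_CLASSES_ROOT.
# Nothing is modified or deleted; variable names are illustrative.
$root = [Microsoft.Win32.Registry]::ClassesRoot

# Pass 1: map each file class (ProgID, e.g. "piffile") to the extensions
# whose default value points at it (e.g. ".pif").
$extByClass = @{}
foreach ($name in $root.GetSubKeyNames()) {
    if (-not $name.StartsWith('.')) { continue }
    $key = $null
    try { $key = $root.OpenSubKey($name) } catch { continue }  # no read access
    if ($null -eq $key) { continue }
    try { $class = [string]$key.GetValue('') } finally { $key.Close() }
    if ([string]::IsNullOrEmpty($class)) { continue }
    if (-not $extByClass.ContainsKey($class)) { $extByClass[$class] = @() }
    $extByClass[$class] += $name
}

# Pass 2: report every class key that has a value named NeverShowExt.
$findings = foreach ($name in $root.GetSubKeyNames()) {
    if ($name.StartsWith('.')) { continue }
    $key = $null
    try { $key = $root.OpenSubKey($name) } catch { continue }
    if ($null -eq $key) { continue }
    try {
        if ($key.GetValueNames() -contains 'NeverShowExt') {
            [pscustomobject]@{
                Class       = $name
                Description = [string]$key.GetValue('')
                Extensions  = ($extByClass[$name] -join ', ')
            }
        }
    } finally { $key.Close() }
}

$findings | Sort-Object Class | Format-Table -AutoSize
```

A class listed with an empty Extensions column has the value set but no extension currently mapped to it.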

