Discover the Trojans bound with WinRAR

With the improvement of people's security awareness, the survival of Trojans has become increasingly a problem. Of course, Trojan growers are unwilling to detect trojans. Therefore, they have come up with many ways to disguise and hide their own behaviors, bundling Trojans with WinRAR is one of the methods. So how can we identify a trojan in it? This article describes this issue.

Attackers can place Trojans and other executable files, such as Flash animation, in the same folder, and then add these two files to the file, create an auto-release file in exe format. In this way, when you double-click the auto-release file, it will quietly run the trojan file while starting Flash Animation and other files! In this way, the purpose of Trojan growers is to run the Trojan server program. This trick is very effective, making it difficult for the other party to notice. Because there are no obvious signs, It is very common to use this method to run Trojans. To exploit this disguise and understand its production process, let's look at an example.


The following describes how to bind a Trojan with an instance. The goal is to bundle a Flash Animation (1.swf)and Trojan service end file (1.exe) into a self-release file. If you run this file, it will be a Trojan while displaying the Flash animation! The specific method is: Pull (as long as it is easy to attract others to click ). Otherwise, the file extension name must be. exe( ...........rar. You must change the file name to. rar. Otherwise, you cannot proceed to the next step.

Next, click the "advanced" tab and click the "SFX Options" button (Figure 3). the "advanced auto release options" dialog box appears (figure 4 ), in the "Release path" column of the dialog box, enter C: Windowsemp. In fact, you can enter the "Release path", even if the folder you set does not exist, this is because the directory is automatically created during self-decompression. Input 1.exe In the runtime after release, that is, enter the name of the Trojan file to be concealed by the attacker.

Next, click the "Mode" tab and select "hide all" and "overwrite all files" in this tab (Figure 5). This is not only safe, but also hidden, it is not easy to discover. If you want to, you can change the title and icon of the self-released file, and click "text and icon" (figure 6 ), enter the content you want to display in the "self-release file window title" and "display text for the Self-release file window" on this tab, which is more deceptive, it is easier to be fooled. Finally, click "OK" to return to the "file name and Parameters" dialog box.

Next, click the "comment" tab and you will see the content (Figure 7). This is the content automatically added by WinRAR according to your previous settings. It is actually a self-release script command. Among them, C: windowsempstands for self-decompressed, and setup00001.exe release, and then run the 1.exe file, that is, the trojan Server File. The Silent and Overwrite indicate whether to hide and Overwrite files, respectively. If the value of 1 indicates "hide all" and "Overwrite all files ". Generally, for the sake of concealment, the trojan owner will modify the above self-release script command. For example, they will change the script to the following content:

Path = c: windowsemp
Setup00001.exe
Setupdomainassumer.exe 1.swf
Silent = 1
Overwrite = 1

After careful consideration, it is actually added to the setup00000000er.exe pipeline that has quietly run! What's more terrible is that you can change the default icon of the Self-extracting file in WinRAR. If you change it to the icon of the software you are familiar with, is it more dangerous for everyone?

The self-decompressed File Created by WinRAR can be used not only to load concealed Trojan server programs, but also to modify the registry of the other party. For example, attackers can write a file named change. reg. To save the file as a del.exe file. Note that the following content should be written in the "comment" during the production process:

Path = c: Windows
Setup = regedit/s change. reg
Silent = 1
Overwrite = 1

After the installation is complete, click confirm button to create a Winrar self-extracting program named del.exe. Double-click the program to run the file, and no prompt information will be prompted when the registry is imported (this is why the "/s" parameter is added to regedit) modify the registry key value and change. reg is copied to the C: Windows folder. Now your registry has been modified! The attacker can also bind the self-decompressed file del.exe with a Trojan server program or a hard disk bomb with WinRAR and then create a self-decompressed file, which poses a greater threat to everyone! Because it can not only damage the registry, but also damage the hard disk data. Is it terrible?

From the above examples, it is not hard to see that WinRAR's self-extracting function is really powerful, and it can make very malicious programs in a short time for non-programmers. In addition, many popular anti-virus software and trojan detection and removal software cannot detect any problems in self-extracting files containing Trojans or malicious programs! If you don't believe it, you can do a test to get the result.

How can we identify Trojans bound with WinRAR? As long as you can find that the self-released file contains multiple hidden files, especially multiple executable files, you can determine that it contains Trojans! How can we know which files are contained in the self-released file? A simple way to identify this is to right-click the WinRAR self-release file and select "properties" from the pop-up menu ", in the "properties" dialog box, you will find two more labels than ordinary EXE files: "file" and "comment" (Figure 8). Click the "comment" tab, by looking at the comments, you will find out which files are contained in them, so that you can be aware of them. This is the best way to identify bind trojan files with WinRAR.

Finally, I will tell you a precaution. Do not run the self-extracting program directly, but select "open with WinRAR" in the right-click menu. In this way, you will find out what is in the file.