How to bind a Trojan with WinRAR

Today, my friend suddenly asked me for help, saying that the legend of online games had been stolen. Because my friend was surfing the internet at home, he ruled out the possibility that the account and password in public places could be ignored by others. According to a friend, a photo of a netizen was downloaded from the Internet more than an hour before the theft and browsed. However, a photo of a netizen actually appeared, and it is opened with "Windows Image and fax viewer" (friend's house is an XP System), which must be an image file. The pen extension is .gif, which is obviously an image file. A friend's computer does not have anti-virus software installed, and the most important thing is that the file has not been deleted. Today, my friend suddenly asked me for help, saying that the legend of online games had been stolen. Because my friend was surfing the internet at home, he ruled out the possibility that the account and password in public places could be ignored by others. According to a friend, a photo of a netizen was downloaded from the Internet more than an hour before the theft and browsed. However, a photo of a netizen actually appeared, and it is opened with "Windows Image and fax viewer" (friend's house is an XP System), which must be an image file. The pen extension is .gif, which is obviously an image file. A friend's computer does not have anti-virus software installed, and the most important thing is that the file has not been deleted.

I asked my friend to send the file via QQ. When I sent it, I found that the file in the QQ display file name was not a gif file, but an exe file, and the file name was: My photo .gif.exe, and its icon is also the icon of the image file, as shown in figure 1. In my opinion, my friend's computer should have opened "Hiding extensions of known file types" (you can choose "Tools> Folder Options> View> Advanced Settings" in the "my computer" menu to set, see figure 2, so tell me the suffix is gif. I accidentally clicked this file on the right and found that the "WinRAR open" hacker is a Trojan, which is the culprit for stealing the legend of the world.

Since it can be opened directly with WinRAR, the author concluded that it was made by WinRAR, and now the author began to decrypt its production process. First, we need to have the ico (icon) file of the image file (which can be extracted using other software, so I will not describe the detailed process here), 3. Select the image file and Trojan file, and click "add to file" (WinRAR option) on the right. See figure 4. Enter the compressed file name in "file name, for example, select "compression mode" based on your needs, click the "advanced" tab, and select "SFX option", as shown in Figure 5, in "Release path", enter the path you want to decompress. Here, I fill in "% systemroot % \ temp" (excluding quotation marks ), decompress the package to the temp (temporary file) folder under the system installation directory, and run "enter" server.exe "(excluding quotation marks) after" Installer "is released ), run "input" My photos. GIF "(excluding quotation marks) before" release ).

). In the "Mode" tab, select "hide all" in "silent mode", and "overwrite all files" in "Overwrite mode ", in the "Custom SFX icon" under the "text and icon" tab, load the ico file of the image file you just prepared, and then click "OK, in this way, Tianyi seamlessly creates a trojan that binds images. When this file is opened, the image file is run first, and then the trojan file is automatically opened. No prompt is displayed in the middle.

Note: we hope that you will not use the trojan for illegal purposes. Here, we hope that you will understand the principles of the decryption Trojan bundle.