See how windows creates a "no-check-free" trojan for your computer.

Source: Internet
Author: User

See how windows creates a "no-check-free" trojan for your computer.

IExpressIs a cab file used to modify the compatibility of the msi installation package, it is best to use other cab tools to package the file into a cab, and then replace it with the cab file in the msi, frequent errors, this does not solve this problem.

Recommended download:

Software Name:
IExpress (Microsoft self-decompressed package creation tool) 2.0 Chinese Green Edition
Software size:
Updated on:

Background: Microsoft

Function: used to create various tools for compressing and Uncompressing CAB packages.

Because it is a program that comes with Windows, the installation package has good compatibility. It can help the trojan transmitter to create a self-decompressed package that is not scanned and killed by anti-virus software. In general, it can also be disguised as a system software patch (such as IE hotfix) to confuse people.

Where can I find a bundle method or tool that will never be killed? As far as the sky and near the eyes. Don't forget to spend time with Windows. The bundling tool to be introduced this time is a small software IExpress (applicable to Windows 2000 and XP systems ).


IExpress uses a variety of different self-decompressed file technologies to package software update files. These self-decompressed packages can automatically run the EXE programs included in the program package. IExpress is a technology used by Microsoft to create software update packages for certain Microsoft Internet Explorer versions, certain Windows versions, and other products.

How can I determine whether an update package uses IExpress? The method is as follows:

1. Right-click the package and click "properties ".

2. on the General tab, view the description ". The software update package that uses IExpress technology contains "Win32 Cabinet Self-Extractor.

Actual Operation

In this section, I will explain in detail the entire process of bundling Trojans in the form of instances.

Step 1

In the "run" dialog box, enter IExpress to start the program (figure 1 ).

There are two options to choose from at the beginning: Create new Self Extraction ctictive file and open the saved Self-decompressed template. sed file (Open existing Self Extraction Directive file ). Select the first item and click "Next.

Step 2

Next, choose three packaging methods for creating a trojan self-decompressed package (figure 2). They are respectively creating a self-decompressed package and automatically installing the package (Extract files and run an installation command) create Extract files only and Create compressed files only ).

Because we want to decompress the trojan package, we should select the first one. After entering the title of the compressed package, click "Next.

Step 3

In the Confirmation prompt process, the software will ask if the user is prompted to confirm before the trojan program unpacks, because we are preparing a package for the trojan program to decompress, of course, the more concealed the better, select the first "No prompt" (No prompt), the purpose of this is to make the middle recruiters unprepared. Click the "Next" button and add a disguised user protocol to the "License agreement, select "Display a license" and click "Browse" to select an edited TXT file. This file can be edited in the name of Microsoft, click "Next" after setting ". This step aims to confuse your opponent and hide the Trojan installation process.

Step 4

Now, we enter the file list window (Packaged files ). Click the "Add" button in the window to Add a Trojan and a legal program to be bundled with the Trojan. Add a legal program based on the content of the edited protocol file. For example, if the protocol you created is related to the IE patch package, you can add the Trojan horse and a normal IE patch package.

Then, enter the installation Program selection window, and specify the files (Install Program) for which the package starts to run and the programs (post install command) for which the package starts to run ). For example, if you set a normal IE patch package in Install Program to run first, the trojan is not running at this time. In the middle recruit, it is indeed an IE patch package. Set the trojan program in the post install command, so that when the IE patch package is installed, the trojan program will be executed in the background, and our goal will be achieved.

Step 5

Next, select Show window ). Because our Trojan is bundled with the legal program, select "Default. Next, set the display of the prompt Statement (Finished message). Because we are using a Trojan to bundle the installer, we should select "No message ".

Step 6

After the preceding settings are complete, set the storage location and name of the Self-extracting program. Select "Hide File Extracting aniss Animation from User" to Hide the decompression process and Hide the command prompt box popped up when some Trojans are started. Finally, you can choose whether to restart (Configure reboot) after installing the software. If the trojan you use is "plug-and-play", select "No reboot". If the trojan is used to enable the terminal service, select "Always reboot ", also, select Do not prompt user before restart (Do not prompt user before reboot ).

After saving the settings you just made, click "Next" to start the trojan self-extracting program.

The entire production process is performed in DOS. After the completion level reaches 100%, a prompt window is displayed, and click "finish ", after the trojan program is bundled with the legal program (in the format of EXE), you can directly double-click it to run it. Check it with anti-virus software. How is it? It won't be detected at all.

What are you waiting? Use the webpage Trojan propagation technology or the trojan E-book technology introduced by Trojan scan to publish your Trojan. Of course, you can also send it to others as an important patch of IE.

We don't need third-party tools, and we don't need too much shell camouflage to enable "Windows" to serve us and bind Trojans to us.

Preventive Measures

You can first check whether the suspicious package uses the IExpress Technology (introduced in the "principles" section ). If you use the IExpress technology, you have to pay attention to it. At this time, you can enter the command prompt and use the "IExpress/c" command to decompress the file (without installation) to check whether there is a trojan in the package, you can also add the parameter "/t: path" to specify the decompression path.


Ordinary users should be vigilant. Many Trojan makers learn about users' fear of vulnerabilities and use the user's psychological opportunity to intrude into the latest patches. In seemingly legitimate patches, trojan programs are very likely to be hidden. Therefore, we would like to remind you not to download Patch packages from unofficial sites of operating systems and software, because these packages are likely to be fake packages bound with malicious programs.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.