Use WinRAR to bind Trojans

Source: Internet
Author: User

As users' security awareness has improved, it has become harder for Trojans to survive. Naturally, those who plant Trojans do not want them to be detected, so they have come up with many ways to disguise and hide them, and bundling a Trojan with WinRAR is one of those methods. How, then, can we recognise a Trojan hidden in this way? This article describes the issue.
An attacker places the Trojan and another executable file that is harmless in itself, such as a Flash animation, in the same folder, adds both to an archive, and creates a self-extracting file in EXE format. When the victim double-clicks the self-extracting file, it quietly runs the Trojan while also starting the Flash animation or other decoy file. The attacker's goal, running the Trojan server program, is thereby achieved. This trick is effective because there are no obvious signs, so the other party is unlikely to notice, and it is a very common way of getting a Trojan to run. To see through this disguise we need to understand how it is made, so let us look at an example.
The following walks through an example of binding a Trojan. The goal is to bundle a Flash animation (1.swf) and a Trojan server file (1.exe) into one self-extracting file; running that file starts the Trojan while the Flash animation plays. The specific method is: put the two files into the same archive (choose an animation that will tempt others to click). Then the file extension must be .exe ( .............. ) (Figure 2). You must change the file name to .rar; otherwise you cannot proceed to the next step (Figure 2).
(Figure 1)
(Figure 2)
Next, click the "Advanced" tab and then the "SFX options" button (Figure 3). The "Advanced SFX options" dialog appears; in its "Path to extract" field enter c:\windows\Temp (Figure 4). In fact the extraction path can be anything you like, and it does not matter if the folder does not exist, because the directory is created automatically during self-extraction. In the "Run after extraction" field enter 1.exe, that is, the name of the Trojan file the attacker wants to conceal.
(Figure 3)
(Figure 4)
Next, click the "Modes" tab and select "Hide all" and "Overwrite all files" (Figure 5). This is not only safer for the attacker but also better hidden, so it is not easy to discover. If you wish, you can also change the title and icon of the self-extracting file: on the "Text and icon" tab (Figure 6), enter the content to display in "Title of SFX window" and "Text to display in SFX window". The more convincing this looks, the more easily the victim is fooled. Finally, click "OK" to return to the "Archive name and parameters" dialog.
(Figure 5)
(Figure 6)
Next, click the "Comment" tab and you will see the content shown in Figure 7. This is text WinRAR added automatically according to the settings above; it is in fact the self-extraction script. In it, Path=c:\windows\temp is the extraction path, Setup=1.exe means that 1.exe, the Trojan server file, is run after extraction, and Silent and Overwrite control whether the dialog is hidden and whether files are overwritten; a value of 1 means "Hide all" and "Overwrite all files" respectively. For the sake of concealment, the Trojan planter will usually modify this script, for example to the following:
(Figure 7)

Path=c:\windows\temp
Setup=1.exe
Setup=1.swf
Silent=1
Overwrite=1

Looked at carefully, the only change is the added Setup=1.swf line: the Flash animation plays while 1.exe has already quietly run! Worse still, WinRAR lets you change the default icon of the self-extracting file. If it is changed to the icon of software everyone is familiar with, is it not even more dangerous?

A WinRAR self-extracting file can be used not only to load a concealed Trojan server program but also to modify the other party's registry. For example, the attacker writes a registry file named change.reg and packages it into a self-extracting file named del.exe. Note that during creation the following should be entered in the "Comment" tab:

Path=C:\WINDOWS
Setup=regedit /s change.reg
Silent=1
Overwrite=1

After the settings are complete, click "OK" to create a WinRAR self-extracting program named del.exe. Double-clicking it runs the file: change.reg is copied to the C:\Windows folder and imported into the registry with no prompt at all (this is why the "/s" switch is added to regedit), so the registry key values are modified. Now your registry has been changed! The attacker can also bundle the self-extracting file del.exe together with a Trojan server program or a "hard disk bomb" into another WinRAR self-extracting file, which is an even greater threat, since it can damage both the registry and the data on the hard disk. Is that not frightening?
From the above examples it is easy to see that WinRAR's self-extracting function is very powerful: in a short time it lets even a non-programmer make a highly malicious program. In addition, many popular anti-virus and Trojan removal tools find nothing wrong with a self-extracting file containing a Trojan or other malicious program! If you do not believe it, you can test it yourself.
So how can we identify Trojans bound with WinRAR? If you find that a self-extracting file contains several hidden files, especially several executables, you can conclude that it contains a Trojan. How can we know which files a self-extracting file contains? A simple way is to right-click the WinRAR self-extracting file and choose "Properties" from the pop-up menu. In the "Properties" dialog you will find two more tabs than an ordinary EXE file has: "File" and "Comment" (Figure 8). Click the "Comment" tab; from the comment you can find out which files are included and what is run, and so be on your guard. This is the best way to identify a Trojan bound with WinRAR.
(Figure 8)
Finally, one precaution: do not run a self-extracting program directly; instead choose "Open with WinRAR" from the right-click menu. That way you will see what the file contains before anything runs.

Topic 2: How Trojans are bundled with WinRAR
Today a friend suddenly asked me for help, saying that his account for the online game Legend had been stolen. Since my friend only goes online at home, the possibility that someone had watched his account and password in a public place could be ruled out. According to him, about an hour before the theft he had downloaded and viewed a "photo" of a netizen. The file did open as a picture, in "Windows Picture and Fax Viewer" (his home machine runs XP), so it had to be an image file; the extension was .gif, clearly an image. My friend's computer has no anti-virus software installed, and, most importantly, the file had not been deleted.
I asked my friend to send me the file over QQ. When it arrived, I saw that the file name QQ displayed was not a GIF but an EXE: "My photo.gif.exe", and its icon was the image-file icon, as shown in Figure 1. In my view my friend's computer had "Hide extensions for known file types" enabled (set via "Tools > Folder Options > View > Advanced settings" in the "My Computer" menu, see Figure 2), which is why he only saw the .gif suffix. So this was a Trojan, the culprit behind the stolen Legend account.

Figure 1

Figure 2
Since it could be opened directly with WinRAR, the author concluded that it was made with WinRAR, and set about reconstructing how it was produced. First we need an ICO (icon) file for the image type (it can be extracted with other software; I will not describe that process here), see Figure 3. Select the image file and the Trojan file, right-click and choose "Add to archive" (a WinRAR option), see Figure 4. Enter the archive name in "Archive name", choose the "Compression method" as you wish, click the "Advanced" tab and then "SFX options", as shown in Figure 5, and in "Path to extract" enter the path to extract to. Here I entered "%SystemRoot%\packages" (without the quotation marks).

Figure 3

Figure 4

Figure 5
In the "Modes" tab, select "Hide all" under "Silent mode" and "Overwrite all files" under "Overwrite mode". In "Custom SFX icon" on the "Text and icon" tab, load the ICO file prepared earlier, and click "OK". This seamlessly produces a Trojan bound to an image. When the file is opened, the image is shown first and then the Trojan file runs automatically, with no prompt in between.
Note: we hope you will not use this for illegal purposes. The aim here is only to help you understand how a Trojan bundle works.

Topic 3: Analysing Trojans bound with WinRAR (addendum)

After reading "Analysing Trojans bound with WinRAR", you may have a question: sometimes you encounter WinRAR self-extracting files that run several files at once after extraction. For example, some Trojans run the client and at the same time launch several destructive programs, which makes scanning and removal troublesome.
In fact, running several files after self-extraction is very easy. Create the file as described in "Analysing Trojans bound with WinRAR", choose "Comment" in the "Archive name and parameters" dialog, and enter:

Setup=a.exe
Setup=b.exe
Setup=c.exe

(Do not include the quotation marks.) a.exe, b.exe and c.exe are the programs run after self-extraction; they must be inside the self-extracting package. Of course, they need not be programs; any file can be listed. There is also no limit on how many files run at once: add one "Setup=" line for each file you want to run. Click "OK" to create the self-extracting file.

In fact, you can also merge several files (shortcuts work well!) into one self-extracting file, so that running a single self-extracting file runs several files at once. The "lazy" can try it; it also makes a good prank.
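As an added example, not part of the original article, the following Python triage helper checks for the three signs the three topics describe: a RAR archive signature inside an .exe (the mark of a WinRAR self-extractor), the decoy double extension from Topic 2, and the SFX comment directives (Path=, Setup=, Silent=, Overwrite=) explained in Topics 1 and 3. The sample comment and sample bytes are constructed; the signature bytes are the standard "Rar!" markers of RAR 4.x and 5.x archives.

```python
import re
from typing import Dict, List

# Standard signature bytes that begin a RAR 4.x and a RAR 5.x archive
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "swf", "doc", "pdf", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

def is_rar_sfx(data: bytes) -> bool:
    """A PE file (MZ stub) that carries a RAR signature is a WinRAR self-extractor."""
    return data[:2] == b"MZ" and (RAR4_SIG in data or RAR5_SIG in data)

def has_double_extension(filename: str) -> bool:
    """Flag names like 'My photo.gif.exe': a document extension right before an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS

def analyze_sfx_comment(comment: str) -> Dict[str, object]:
    """Parse the SFX script shown in the Comment tab and list the risky directives it uses."""
    directives: Dict[str, List[str]] = {}
    for line in comment.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=\s*(.*?)\s*$", line)
        if m:
            directives.setdefault(m.group(1).lower(), []).append(m.group(2))
    setups = directives.get("setup", [])
    path = directives.get("path", [""])[-1]
    findings = []
    if len(setups) > 1:
        findings.append("runs %d programs after extraction: %s" % (len(setups), setups))
    if directives.get("silent", ["0"])[-1] == "1":
        findings.append("Silent=1 hides the extraction dialog")
    if directives.get("overwrite", ["0"])[-1] == "1":
        findings.append("Overwrite=1 replaces existing files without asking")
    if "windows" in path.lower() or "%systemroot%" in path.lower():
        findings.append("extracts into a system directory: " + path)
    if any("regedit" in s.lower() and "/s" in s.lower() for s in setups):
        findings.append("imports a .reg file silently via regedit /s")
    return {"path": path, "setup": setups, "findings": findings}

# Constructed sample input: the script from Figure 7 as it appears in the Comment tab
SAMPLE_COMMENT = "Path=c:\\windows\\temp\nSetup=1.exe\nSetup=1.swf\nSilent=1\nOverwrite=1\n"
# Constructed sample bytes: an MZ stub followed by a RAR 4.x signature (not a real archive)
SAMPLE_SFX = b"MZ" + b"\x00" * 62 + RAR4_SIG + b"\x00" * 16

if __name__ == "__main__":
    print("SFX archive:", is_rar_sfx(SAMPLE_SFX))
    print("double extension:", has_double_extension("My photo.gif.exe"))
    print(analyze_sfx_comment(SAMPLE_COMMENT)["findings"])
```

The comment text can be copied from the "Comment" tab of the file's Properties dialog or from "Open with WinRAR", so the file never has to be executed to be classified.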
