Using WinRAR to analyze the bundling principle of a Trojan virus

Source: Internet
Author: User

Today a friend suddenly called me for help: his account in the online game "Legend of Mir World" had been stolen. He only plays from home, so the possibility that someone glanced at his account number and password in a public place can be excluded. According to him, about an hour before the theft he had downloaded a photo of an online acquaintance and opened it to look at it. It really did look like a photo of that person, and it opened in "Windows Picture and Fax Viewer" (his home machine runs XP), so he was sure it was a picture file. He also told me the extension was .gif, which is clearly a picture extension. His computer has no antivirus software installed, and, most importantly, the file had not been deleted.

The author then had the friend send that file over QQ. In the QQ transfer dialog the author saw that the file was not a GIF at all but an EXE: its name was "my photos.gif.exe", and its icon was a picture-file icon (see Figure 1). The author suspected that the friend's computer had "Hide extensions for known file types" enabled (it is set from My Computer via Tools → Folder Options → View → Advanced settings, see Figure 2), which is why the friend only saw the .gif suffix. By chance the author right-clicked the file and noticed an "Open with WinRAR" entry, so the author opened it with WinRAR and found that it contained two files: "my photos.gif" and "Server.exe". One can be sure that this Server.exe is a trojan, the real culprit behind the stolen game account.

Because the file can be opened directly with WinRAR, the author concluded that it had been made with WinRAR, and set out to reconstruct how it was produced. First, an ICO (icon) file matching a picture file's icon is needed (it can be extracted with other software; the author does not describe that step here), as shown in Figure 3. Select the picture file and the trojan, right-click and choose "Add to archive" (the WinRAR option), see Figure 4. In the "Archive name" field enter the archive name, for example "my photos.gif.exe". If the suffix is .exe the file can be run directly, whereas a .rar suffix would open WinRAR, so the final suffix here is .exe. Choose the "Compression method" as needed, then open the "Advanced" tab and select "SFX options", see Figure 5. In "Path to extract" enter the path to extract to; the author uses "%Systemroot%\Temp" (without the quotes), meaning the Temp (temporary files) folder under the system installation directory. In "Run after extraction" enter "Server.exe" (without the quotes), and in "Run before extraction" enter "my photos.gif" (without the quotes).

This makes the archive open "my photos.gif" before extraction, giving the friend the illusion that the file is just a picture, and after extraction it automatically runs the trojan (that is, Server.exe). On the "Modes" tab, under Silent mode select "Hide all", and under Overwrite mode select "Overwrite all files". On the "Text and icon" tab, under "Load SFX icon from the file", load the ICO file of the picture icon prepared earlier, then click OK. That completes a seamless picture-plus-trojan bundle: when the file is opened, the picture is shown first, then the trojan is started automatically, and no prompt appears in between.
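Everything the bundle relies on leaves traces a defender can check without running the file: the double extension hidden by Explorer (the QQ observation above), an executable header inside a file whose name claims to be an image, a RAR archive appended to a PE stub (which is exactly what a WinRAR SFX is), and, sometimes, the SFX script commands in plain text. The following triage script is an added example written for this article, not code from the original page or from WinRAR. It assumes the standard WinRAR SFX command names (Path, Setup, Presetup, Silent, Overwrite, TempMode); the sample bytes at the bottom are constructed for the demonstration and are not a real archive or trojan.

```python
"""
Defender-side triage for the "picture that is really a self-extracting
archive" trick. Added example, not part of the original article. It flags
a double extension, a PE executable named as an image, an embedded RAR
archive (PE stub + appended archive = WinRAR SFX), and any plain-text SFX
script commands. The sample at the bottom is constructed, not real.
"""
import re

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Magic bytes. RAR4 and RAR5 archives start with different signatures.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
GIF_SIGS = (b"GIF87a", b"GIF89a")

# WinRAR SFX script commands (kept in the archive comment). The article's
# bundle uses Path, Setup, Presetup, Silent and Overwrite.
SFX_COMMAND_RE = re.compile(
    rb"(?<![A-Za-z])(Path|Setup|Presetup|Silent|Overwrite|TempMode)=([^\r\n]*)"
)


def has_double_extension(filename):
    """True for names like 'my photos.gif.exe': an image extension followed
    by an executable one. With 'Hide extensions for known file types' on,
    Explorer shows only 'my photos.gif'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return inner in IMAGE_EXTENSIONS and outer in EXECUTABLE_EXTENSIONS


def sniff_content(data):
    """Classify by leading bytes, ignoring the file name entirely."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(GIF_SIGS):
        return "gif"
    if data.startswith(RAR4_SIG) or data.startswith(RAR5_SIG):
        return "rar"
    return "unknown"


def find_embedded_rar(data):
    """Offset of a RAR signature after offset 0, or -1. An SFX is an
    executable stub with the archive appended behind it."""
    for sig in (RAR4_SIG, RAR5_SIG):
        pos = data.find(sig, 1)
        if pos != -1:
            return pos
    return -1


def sfx_script_commands(data):
    """SFX commands visible in plain text as (key, value) pairs. WinRAR may
    store the comment compressed, so an empty result proves nothing."""
    return [(k.decode(), v.decode(errors="replace").strip())
            for k, v in SFX_COMMAND_RE.findall(data)]


def triage(filename, data):
    """Human-readable findings; an empty list means these checks saw
    nothing suspicious (which is not the same as the file being clean)."""
    findings = []
    if has_double_extension(filename):
        findings.append("double extension: executable disguised as image")
    kind = sniff_content(data)
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if kind == "pe" and ext in IMAGE_EXTENSIONS:
        findings.append("content is a PE executable but name claims an image")
    rar_at = find_embedded_rar(data)
    if kind == "pe" and rar_at != -1:
        findings.append(f"RAR archive embedded at offset {rar_at}: self-extracting archive")
    for key, value in sfx_script_commands(data):
        if key in ("Setup", "Presetup"):
            findings.append(f"SFX script runs a program around extraction: {key}={value}")
        elif key == "Silent":
            findings.append(f"SFX script suppresses the extraction dialog: Silent={value}")
        elif key == "Overwrite":
            findings.append(f"SFX script overwrites files without asking: Overwrite={value}")
        elif key == "Path":
            findings.append(f"SFX script extracts to: Path={value}")
    return findings


# Constructed sample standing in for the article's bundle: "MZ" plus
# padding in place of a real PE stub, then a RAR4 signature and the SFX
# script lines the article describes. Server.exe is the article's name.
SAMPLE_NAME = "my photos.gif.exe"
SAMPLE_DATA = (
    b"MZ" + b"\x00" * 62
    + RAR4_SIG
    + b"Path=%Systemroot%\\Temp\r\n"
    + b"Setup=Server.exe\r\n"
    + b"Presetup=my photos.gif\r\n"
    + b"Silent=1\r\n"
    + b"Overwrite=1\r\n"
)

if __name__ == "__main__":
    for line in triage(SAMPLE_NAME, SAMPLE_DATA):
        print("-", line)
```

The content sniffing is the check that matters most: a renamed file, a hidden extension or a borrowed icon all change how the file looks, but not its first two bytes. The plain-text script scan is only a bonus; on a real SFX the comment may be compressed, so open the archive with WinRAR, as the author did, to read the script reliably.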

Note: I hope readers will not put any of this to illegal use; the trojan bundle is dissected here only so that its principle is understood.
