Case analysis: using WinRAR to dissect a bundled Trojan and expose how it was built - vulnerability warning - the black bar safety net

2005-12-28T00:00:00
ID MYHACK58:6220055874
Type myhack58
Reporter Anonymous
Modified 2005-12-28T00:00:00

Description

Today a friend suddenly asked me for help, saying that his account for the online game Legend World had been stolen. Because the friend plays from home, I could rule out someone in a public place glancing at the account and password. According to the friend, about an hour before the theft he had downloaded a "photo" from a friend online and opened it to view. It really did show a user's photo, and it was opened with "Windows Picture and Fax Viewer" (the friend's machine runs XP), so he was certain it was an image file. The friend also told me the extension was .gif, which obviously suggests a picture file. The friend's computer had no antivirus installed, and most importantly, the file had not been deleted.

I asked the friend to send me the file over QQ. When it arrived, the file name displayed by QQ showed that it was not a gif file at all but an exe file: the name was 我的照片.gif.exe, and its icon was that of an image file (see Figure 1). I concluded that the friend's computer had "Hide extensions for known file types" enabled (set in "My Computer" under "Tools → Folder Options → View → Advanced settings", see Figure 2), which is why the extension appeared to him as .gif. I happened to right-click the file and found an "Open with WinRAR" option, so I opened it with WinRAR and found that it contained two files: 我的照片.gif and server.exe. It is safe to say that server.exe is the Trojan, the culprit behind the friend's stolen Legend World account.

[Figure 1: image not preserved]

[Figure 2: image not preserved]

Since the file could be opened directly with WinRAR, I concluded it had been made with WinRAR, so I set out to reproduce how it was built. First you need the icon file (.ico) of the image file type; it can be extracted with other software, and I will not describe that process in detail here (see Figure 3). Select both the picture file and the Trojan, right-click, and choose "Add to archive" among the WinRAR options (see Figure 4). In "Archive name", enter the name of the compressed file, for example 我的照片.gif.exe: with a .exe suffix the file can be run directly, whereas with .rar it would simply open in WinRAR, so the final suffix here is .exe. Choose the compression method as you need, then click the "Advanced" tab and select "SFX options" (see Figure 5). In "Path to extract", fill in the extraction path; here I used %systemroot%\temp (without the quotation marks), meaning extract to the temp folder under the system installation directory. Under "Setup", in "Run after extraction" enter server.exe (without the quotation marks), and in "Run before extraction" enter 我的照片.gif (without the quotation marks).

[Figure 3: image not preserved]

[Figure 4: image not preserved]

[Figure 5: image not preserved]

In this way, before extraction the archive opens 我的照片.gif, giving the friend the illusion that the file is a picture, and after extraction it automatically runs the Trojan (that is, server.exe). In the "Modes" tab, under "Silent mode" select "Hide all", and under "Overwrite mode" select "Overwrite all files". In the "Text and icon" tab, under "Customize SFX icon", load the .ico file extracted from the picture earlier, then click "OK". This produces a seamless picture-bundled Trojan: when the file is opened, it first displays the image and then automatically launches the Trojan, with no prompt of any kind in between.
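As an added defender-side example (not code from the original article), the following Python check flags the two artefacts this case turns on: a decoy double extension such as .gif.exe, and a RAR archive embedded in a PE file whose SFX script carries the run-before/run-after, path, silent and overwrite commands described above. The byte sample is constructed for the example and assumes the comment is stored as plain UTF-8 text; real SFX stubs may store the comment compressed, so the command scan is a heuristic and the embedded-archive check is the stronger signal.

```python
import re

# A PE executable begins with "MZ"; a RAR 4.x archive (what a WinRAR 3.x SFX stub
# carries after the stub code) begins with this 7-byte signature.
PE_MAGIC = b"MZ"
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"

# The SFX script commands used in the write-up, as WinRAR stores them in the archive
# comment: extraction path, run after extraction, run before extraction, silent, overwrite.
DIRECTIVE_RE = re.compile(rb"(?<![A-Za-z])(Path|Setup|Presetup|Silent|Overwrite)=([^\r\n]*)")

# A name like "photo.gif.exe" reads as a picture once Explorer hides the ".exe".
DECOY_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def double_extension(filename):
    """Return (decoy, real) when a decoy extension is followed by an executable one, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTENSIONS and "." + parts[1] in DECOY_EXTENSIONS:
        return "." + parts[1], "." + parts[2]
    return None


def analyse(filename, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = double_extension(filename)
    if ext:
        findings.append("double extension: shown as %s, actually %s" % ext)
    if data.startswith(PE_MAGIC):
        pos = data.find(RAR4_SIGNATURE)
        if pos != -1:
            findings.append("RAR archive embedded at offset %d (self-extracting stub)" % pos)
            # Heuristic: when the archive comment is stored uncompressed, the SFX
            # commands are visible as plain text right after the archive header.
            for key, value in DIRECTIVE_RE.findall(data[pos:]):
                findings.append("SFX command %s=%s" % (key.decode(), value.decode("utf-8", "replace")))
    return findings


# Constructed sample, not a real capture: a fake stub, then a RAR signature and the
# comment a bundle built as described above would carry (UTF-8 assumed here).
SAMPLE_NAME = "我的照片.gif.exe"
SAMPLE_BYTES = (
    PE_MAGIC + b"\x00" * 62 + b"stub code" + RAR4_SIGNATURE + b"\x00" * 13
    + ";The comment below contains SFX script commands\r\n\r\n".encode()
    + "Path=%systemroot%\\temp\r\nSetup=server.exe\r\nPresetup=我的照片.gif\r\n".encode()
    + b"Silent=1\r\nOverwrite=1\r\n"
)

if __name__ == "__main__":
    for line in analyse(SAMPLE_NAME, SAMPLE_BYTES):
        print(line)
```

Checking the file's magic bytes rather than trusting its name is the durable fix here; on the user side, turning off "Hide extensions for known file types" makes the real .exe suffix visible.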

Note: I hope readers will not use this for illegal purposes; the point of dissecting the bundled Trojan is to understand the principle behind it.