NTFS File Streams and RAR Join Forces to Build an AV-Evading Trojan - Vulnerability Warning - The Black Bar Safety Net

ID MYHACK58:6220066183
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-01-08T00:00:00


You can probably guess from the title what this article is about. Today I want to talk about how NTFS file streams and WinRAR can team up to "pack" a Trojan.

Tip: a stream is an NTFS concept, and at present only NTFS supports streams. A stream is attached to a file and can hold binary data, text or anything else. Each file can carry multiple streams, and when the host file is deleted its streams disappear with it. The stream name is separated from the file name by a colon: in "ABC:A", ABC is the file name and A is the stream name. Working with streams is simple:

    ECHO STREAM1 > ABC:STREAM1
    ECHO STREAM2 > ABC:STREAM2

ABC now carries two streams, ":STREAM1" and ":STREAM2", which can be read back with:

    MORE < ABC:STREAM1
    MORE < ABC:STREAM2

Enough preamble. First, the tool used here: to make writing file streams convenient I wrote a VBS script, Together.vbs, which attaches any file to any other file you choose, meaning we can tuck our Trojan into an inconspicuous file. How do you use it to generate a stream attached to a folder, i.e. a stream whose name takes the form "folder:name"? First create an empty folder, for example "muma", then run together.vbs from the same directory and fill in the fields as shown in Figure 1. The first field is the Trojan you want to hide; since I have no Trojan to hand I used webdav.exe as a stand-in (note that KV flags webdav.exe as malware). The Trojan must sit in the same directory as together.vbs, otherwise you get a "file not found" prompt. The second field is the file or folder to attach the Trojan to; a folder is best. For a folder, just enter its name, e.g. "muma", the empty folder created in the first step. Press "OK" to generate, and it reports success. The NTFS stream file now exists. Is this our final result? It is the same idea as the NTFS data-stream Trojan described earlier in Hacker Defense (黑防), only done with a script, so nothing new. But don't forget the title of the article: we haven't used RAR yet!

Butterfly: Isn't that a bit of a surprise? We deal with WinRAR every day and yet never knew it had this feature. Perhaps it is the same with every Windows vulnerability: people deal with it every day, and how many of them find it?

Now for the main character, WinRAR. Right-click the folder we just processed with the VBS script and choose "Add to archive...". Select "Create SFX archive", then open the "Advanced" tab, which brings you to Figure 4; tick "Save file streams" as shown in Figure 4, then go to "SFX options" and the "General" tab. In "Run after extraction", enter the Trojan built earlier, e.g. "muma:webdav.exe". My focus here is how to construct the Trojan together with WinRAR; fill in the other parameters as you like. The Trojan is now basically finished; the only step left is to generate the self-extracting package, all with a few mouse clicks. Below is my generated file in its running state. Isn't it a little odd? The "WebDavScan" program is running, yet there is no trace of it among the processes, only the "muma" self-extractor we just generated; the secret is inside it. Since KV2004 classifies this program as a virus, let's see whether it can still find it. With the file streams packed by WinRAR, KV2004 does not detect it, and nothing abnormal was found in memory either, so the method works. Note that this article only applies to NTFS partitions on Windows 2000 and above. That is the brief description of the file; everyone can now easily build their own undetectable Trojan!
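The folder-hosted stream described above, plus the check a defender would run against it, as an added example that is not part of the original article or its Together.vbs script. It assumes an NTFS volume, Windows PowerShell 5.1 or PowerShell 7, and a constructed text stand-in for webdav.exe; the names ads-demo, muma, stub.txt, Get-NtfsStream and Find-HiddenStream are mine. It plants the stand-in as muma:webdav.exe through cmd redirection (the same mechanism as the ECHO example and the VBS tool), then enumerates every stream in the tree through the Win32 FindFirstStreamW API, which reports streams on directories that Explorer and a plain dir never list.

```powershell
# Added example, not from the article or its Together.vbs script. Plants a
# constructed stand-in payload in a folder's alternate data stream the way the
# article hides webdav.exe in "muma", then enumerates every stream in the tree
# with FindFirstStreamW. Assumptions: NTFS volume, Windows PowerShell 5.1 or
# PowerShell 7; ads-demo, muma, stub.txt and both function names are mine.

if (-not ('NtfsStreams' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NtfsStreams
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)]   // MAX_PATH + 36
        public string cStreamName;
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindFirstStreamW(string fileName, int infoLevel,
        out WIN32_FIND_STREAM_DATA data, uint flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool FindNextStreamW(IntPtr handle, out WIN32_FIND_STREAM_DATA data);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindClose(IntPtr handle);
}
'@
}

# All streams of one file or directory. A file's unnamed data stream appears
# as "::$DATA" and named streams as ":name:$DATA"; a directory normally has
# none, in which case FindFirstStreamW returns INVALID_HANDLE_VALUE (-1).
function Get-NtfsStream {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $data = New-Object 'NtfsStreams+WIN32_FIND_STREAM_DATA'
    $h = [NtfsStreams]::FindFirstStreamW($LiteralPath, 0, [ref]$data, 0)
    if ($h.ToInt64() -eq -1) { return }
    try {
        do {
            [pscustomobject]@{ Path = $LiteralPath; Stream = $data.cStreamName; Size = $data.StreamSize }
        } while ([NtfsStreams]::FindNextStreamW($h, [ref]$data))
    } finally { [void][NtfsStreams]::FindClose($h) }
}

# Walk a tree and report every named stream except Zone.Identifier, the
# mark-of-the-web that browsers attach to downloads and that is normal to see.
# The first line of each hit is read back with cmd's "more <", the article's
# own read method, and checked for the PE magic "MZ".
function Find-HiddenStream {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force |
        ForEach-Object { Get-NtfsStream -LiteralPath $_.FullName } |
        Where-Object { $_.Stream -ne '::$DATA' -and $_.Stream -ne ':Zone.Identifier:$DATA' } |
        ForEach-Object {
            $name = $_.Stream.TrimStart(':') -replace ':\$DATA$', ''   # ":x.exe:$DATA" -> "x.exe"
            $env:ADS_TARGET = "$($_.Path):$name"
            $lines = cmd /c --% more < "%ADS_TARGET%"
            $head = if ($lines) { [string]($lines[0]) } else { '' }
            [pscustomobject]@{
                Host        = $_.Path
                Stream      = $name
                Bytes       = $_.Size
                LooksLikePE = $head.StartsWith('MZ')
            }
        }
}

# --- demo: plant as the article does, then hunt ------------------------------
$root   = Join-Path $env:TEMP 'ads-demo'
$folder = Join-Path $root 'muma'                  # the host folder from the article
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Constructed stand-in for webdav.exe: plain text that starts with the PE magic.
$stub = Join-Path $root 'stub.txt'
Set-Content -LiteralPath $stub -Value 'MZ constructed stand-in payload, not a real executable'

# Attach it as muma:webdav.exe via cmd redirection, which is what the ECHO
# example and the VBS tool do. The --% token hands cmd the rest of the line
# verbatim with %VAR% expanded, so paths containing spaces survive the quoting.
$env:ADS_SRC = $stub; $env:ADS_DST = "${folder}:webdav.exe"
cmd /c --% type "%ADS_SRC%" > "%ADS_DST%"

"Directory listing of ${folder}: $(@(Get-ChildItem -LiteralPath $folder -Force).Count) entries"
Find-HiddenStream -Root $root | Format-Table -AutoSize
```

The folder reports zero entries while Find-HiddenStream lists the webdav.exe stream hanging off it; WinRAR's "Save file streams" option is what carries that directory stream through the SFX, and once extracted it is visible to this scan (and to dir /r on Vista and later) even though the folder looks empty.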