NTFS file stream with WinRAR teamed up to create free to kill Trojan-vulnerability warning-the black bar safety net

ID MYHACK58:6220067610
Type myhack58
Reporter 佚名
Modified 2006-03-04T00:00:00


Maybe from the title you can know the article probably meant, good! Today I want to talk about is the NTFS file stream how to with WINRAR teamed up with“packers”Trojan.

Tip:stream(STREAM)is NTFS under the concept, currently only NTFS supports streams. Stream attached to the file exists, can be in the stream stored in the 2-ary data, text or some other things. Each file can contain multiple streams, when the flow of the attachment file is deleted, the stream disappeared. Stream name and file name with“:”separator, for example:ABC:A. ABC is the file name, and stream name is“A.”when we operation stream, you can use the following simple method:



Now, ABC will have a“:STREAM1”and“:STREAM2”CO 2 stream, and reads out the stream you can use:


Nonsense not say, I first introduce herein the use of the tool:in order to convenient to write the file stream and write the VBS script(Together. vbs), it can put a file feel free to attached you want to attached the file, meaning that we can put our Trojan file into an obscure file.

First of all how to use the tool to generate an attachment in the folder of the file stream, i.e. the stream file name“:*”form? First build an empty folder, such as“muma”, and then in the folder of the same directory on the run“together. vbs.” The first thing to fill is what you want to create Trojan horse(since I have no Trojans, had to find“webdav.exe”when Trojan, note that KV is going to kill Webdav. exe Oh)。 Note that the Trojan's location and“together. vbs”in the same directory, otherwise there will be file not found the prompt, then we must fill is what you want to put your Trojan in accordance with in that file or folder(preferably a folder). If it is a folder it should be filled:for example, is attached to the“muma”(just the first step to build the folder)of this folder, just write“muma”in. Fill after press“OK”to generate, it will prompt success.

Well, the NTFS file is generated. Is this what we the end result? This and the Black anti original description of NTFS data stream Trojan is the same reason, but with scripts only, there is nothing new! Don't forget the title of the article, we have RAR no use Oh!

Butterfly:isn't that a little unexpected? Every day with the WINRAR deal actually do not know it has this feature. Perhaps each of the Windows of Vulnerability in every day and dealing with people, and a few people find them?

The next step of the operation our main character“WINRAR”, we just use VBS to make a folder right click and select“Add to compressed file”.

After that select the“Generate self-extracting package”then select the“Advanced”tab, came just now to Figure 4 where, according to Figure 4 as a tick“to save the file stream data”, and then came the“SFX options”in the“General”option. Note that in the“after extracting run”in the project according to the previously done Trojan to fill, such as“muma:webdav.Exe”it. Here my focus is to explain how the joint WINRAR to construct Trojan horses, and other parameters according to personal preferences to fill in.

Here, this Trojan basically ready, only one step:generate a self-extracting package, all the little mouse will be able to achieve. Below is my generated file to the running state.

Isn't that a bit strange?“ WebDavScan”this program is running, in the process, but did not see the trace of it, only the“muma”this just generated from the unpacking process, may be the secret is in the inside. Since this app is KV2004 classified as a virus, we now look at the can find.

If you are using WINRAR to pack The file streams, KV2004 is not check out, as for the memory also did not find anything abnormal, it seems that this method also works! But this article is only suitable for Windows 2 0 0 0 The above NTFS file partition format.

Well, the file is a simple description here, everyone can now easily build your own is not to kill the Trojans!