Using WinRAR to Uncover How Trojan Bundling Works


Today a friend suddenly asked me for help: his account in the online game Legendary World had been stolen. He only goes online at home, so the possibility that his account and password were shoulder-surfed in a public place can be ruled out. According to him, a little over an hour before the theft he had downloaded a photo from a netizen and opened it to have a look. It really was a photo of that netizen, and it opened in "Windows Picture and Fax Viewer" (his computer runs XP), so he took it to be an ordinary picture file. He also told me that the extension was .gif, which is obviously an image, that his computer has no anti-virus software installed, and, most importantly, that the file had not been deleted.

I asked him to send me the file over QQ. When it arrived, the file name shown in QQ revealed that it was not a gif at all but an exe: my photo.gif.exe, and its icon was the icon of an image file, as shown in Figure 1. I guessed that "Hide extensions for known file types" was enabled on his computer (it is set under "Tools → Folder Options → View → Advanced settings" in the "My Computer" menu, as shown in Figure 2; the same switch is the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, where 0 shows extensions), so Explorer showed him only "my photo.gif". I then noticed that the file could be opened with WinRAR, and when I opened it that way it turned out to contain two files, my photo.gif and server.exe. That server.exe is certainly the Trojan, the culprit behind the stolen Legendary World account.
Since the file can be opened directly with WinRAR, I conclude that it was built with WinRAR, and below I walk through how it is made. First you need an .ico (icon) file of the image file type (you can extract one with other software; the details are omitted here), as shown in Figure 3. Select the image file and the Trojan, right-click and choose "Add to archive" (the WinRAR entry), see Figure 4. In "Archive name" enter the name of the archive, for example my photo.gif.exe. The extension must be .exe so that the file can be executed directly; if it were .rar, double-clicking would merely open WinRAR. Choose a "Compression method" as you see fit, then switch to the "Advanced" tab and click "SFX options", Figure 5. In "Path to extract" fill in the directory the files should be extracted to; I use %systemroot%\temp (without the quotes), which means the files are extracted to the temp folder under the Windows installation directory. Enter server.exe (without the quotes) in "Run after extraction" and My Photo.gif (without the quotes) in "Run before extraction".

This makes my photo.gif open before extraction, giving the victim the impression that the file is a picture (on XP the default handler for .gif is "Windows Picture and Fax Viewer", which is exactly what my friend saw), while the Trojan (server.exe) is run automatically after extraction. On the "Modes" tab choose "Hide all" under "Silent mode" and "Overwrite all files" under "Overwrite mode", so that neither the SFX dialog nor an overwrite prompt ever appears. On the "Text and icon" tab use the custom SFX icon option to load the .ico file of the image file prepared earlier, then click "OK", and a Trojan bundled with a picture is ready. When the file is opened, the image is displayed first and the Trojan then starts automatically, with no prompt in between.
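The check a recipient of such a file would want, as an added example that is not part of the original article: a small Python script that flags the three tell-tale signs of the file described above, a decoy double extension, the PE ("MZ") header hiding behind the image icon, and the RAR marker block that every WinRAR SFX carries because it is the SFX module (an ordinary executable) with the archive appended. The RAR marker bytes are the real ones; the extension lists are my own assumptions and the sample bytes are constructed, not a real SFX.

```python
"""Added example (not from the original article): flag a file that looks like
a WinRAR self-extracting (SFX) archive hiding behind a picture's file name.

Heuristics, each of which the article's 'my photo.gif.exe' trips:
  1. a double extension whose last part is executable and whose earlier
     part is a harmless-looking image or document type;
  2. a PE ('MZ') header, i.e. a real executable whatever its icon says;
  3. a RAR marker block inside that executable, which is how a WinRAR SFX is
     built: the SFX module (a PE) with the RAR archive appended after it.
"""
import os

# Assumed lists: extensions Windows will execute, and decoys an attacker
# would put in front of them to suggest a harmless file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".doc", ".pdf"}

# Marker blocks that begin every RAR archive (RAR 1.5-4.x and RAR 5.x).
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def deceptive_double_extension(filename):
    """True for names such as 'my photo.gif.exe': an executable last
    extension preceded by a decoy extension."""
    base = os.path.basename(filename).lower()
    stem, last = os.path.splitext(base)
    _, previous = os.path.splitext(stem)
    return last in EXECUTABLE_EXTS and previous in DECOY_EXTS


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header, icon or not."""
    return data[:2] == b"MZ"


def rar_signature_offset(data):
    """Offset of the first RAR marker block in data, or -1 if there is none."""
    hits = [data.find(sig) for sig in RAR_SIGNATURES]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def assess(filename, data):
    """Return the list of findings for one file; an empty list means the
    file looks like what its name claims."""
    findings = []
    if deceptive_double_extension(filename):
        shown_as = os.path.splitext(filename)[0]
        findings.append("double extension: Explorer shows only '%s' when "
                        "extensions are hidden" % shown_as)
    if is_pe(data):
        findings.append("PE header: this is an executable, not an image")
        offset = rar_signature_offset(data)
        if offset > 0:
            findings.append("RAR archive appended at offset %d: WinRAR SFX"
                            % offset)
    return findings


# Constructed samples, not real files: a minimal 'MZ' stub followed by a
# RAR 4 marker block (what an SFX looks like at a glance), and a real GIF
# header for comparison.
SAMPLE_SFX = b"MZ" + b"\x00" * 126 + b"Rar!\x1a\x07\x00" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("my photo.gif.exe", SAMPLE_SFX),
                       ("my photo.gif", SAMPLE_GIF)):
        print(name, "->", assess(name, blob) or ["looks like what it claims"])
```

The script judges the bytes, not the icon or the displayed name, which is the point: with "Hide extensions for known file types" on, Explorer and the SFX icon both lie, while the first two bytes and the appended RAR marker do not. Reading the file into memory before calling assess is enough; nothing is executed.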

Note: I hope readers will not put this to any illegal use; the bundling technique is laid bare here only so that everyone understands how it works.

Copyright © Windows knowledge All Rights Reserved