Analysis of how WinRAR is used to bind a Trojan to a picture [with figures]


www.rising.com.cn 2004-9-23 10:04:00 Information source: NEW YORK Author: Chen Cheng

Today a friend suddenly told me that his account for the online game World of Legend had been stolen. Since he only plays from home, the possibility that someone had watched him type his password at a public machine could be ruled out. According to my friend, he had downloaded a photo from someone he met online and opened it. What appeared really was that person's photo, and it opened in "Windows Picture and Fax Viewer" (his machine runs XP), so he was sure it was a picture file. He also told me the file name ended in .gif, which again looked like a picture. His computer had no anti-virus software installed, and, most importantly, the file had not yet been deleted. I asked him to send me the file over QQ, and in the file name QQ displayed I saw that it was not a gif at all but an exe: My photo.gif.exe, with the icon of a picture file (Figure 1). I concluded that his computer had "Hide extensions for known file types" enabled (set under "My Computer" menu "Tools → Folder Options → View → Advanced settings", Figure 2), which is why the name appeared to him as .gif. By chance I then found that the file could be opened with WinRAR, and when I did so it contained two files: My photo.gif and Server.exe. This Server.exe is certainly a Trojan, and it is the culprit behind my friend's stolen World of Legend account.

Figure 1

Figure 2

Since the file could be opened directly with WinRAR, I concluded that it had been made with WinRAR, and I set out to reconstruct how it was produced. First you need an ICO (icon) file with the icon of a picture file (it can be extracted with other software; I will not go into that here), as shown in Figure 3. Select the picture file and the Trojan together and choose "Add to archive" (a WinRAR option), Figure 4. In "Archive name" enter the name of the archive, for example My photo.gif.exe: the final suffix must be .exe, because an .exe can be run directly, whereas a .rar would simply open in WinRAR. Choose the "Compression method" according to your needs, then open the "Advanced" tab and click "SFX options" (Figure 5). In "Path to extract" enter the folder to decompress to; I entered %systemroot%/TEMP (without the quotation marks), meaning the TEMP (temporary files) folder under the system installation directory. Under "Setup" ("Installer"), in the "Run after extraction" box, enter Server.exe (again without the quotation marks).

Figure 3

Figure 4

Figure 5

When the archive is run, My photo.gif is opened, giving the victim the illusion that the file is a picture, while the Trojan (that is, Server.exe) runs automatically after extraction. In the "Modes" tab select "Hide all" and an "Overwrite mode" option; in the "Text and icon" tab, under "Load SFX icon from the file", load the ico file of the picture icon. Click "OK", and a Trojan disguised as a picture has been created seamlessly. When this file is opened, the picture is shown first and then the Trojan file runs automatically, with no prompt in between. Note: I hope readers will not put this to illegal use. I have explained here how the Trojan was made so that everyone understands the principle.
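Everything the article reconstructs (a double extension that Explorer hides, a picture icon on a program, and a WinRAR self-extracting archive whose SFX script sets the release path, the program to run after extraction, hide-all and overwrite mode) leaves traces that can be checked without running the file. The Python below is an added example written for this page, not code from the article or from WinRAR: it compares the claimed extension with the real leading bytes, looks for an embedded RAR archive signature behind the MZ header, and pulls out any plaintext WinRAR SFX script commands (Path=, Setup=, Silent=, Overwrite=, Presetup=). The file names, byte strings and function names are constructed for the example; the sample bytes are not a real archive and do not execute.

```python
import os
import re

# Added example (not code from the article): offline triage for the
# "picture file that is really a self-extracting executable" pattern.

# What a user takes for a picture versus what Windows actually runs.
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Leading bytes for the types such a file might claim to be.
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"BM", "bmp"),
]

# A WinRAR SFX is a stub executable with the RAR archive appended, so the
# RAR signature shows up somewhere after the MZ header (RAR5, then RAR4).
RAR_MARKERS = [b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00"]

# The SFX options the article sets (release path, run after extraction,
# hide all, overwrite mode) are stored as script commands in the archive
# comment and are often readable in plain text. If the comment is stored
# compressed this regex misses them, so an empty result proves nothing.
SFX_COMMAND = re.compile(rb"\b(Path|Setup|Silent|Overwrite|Presetup)=[^\r\n]*")


def extensions(name):
    """'My photo.gif.exe' -> ['.gif', '.exe']"""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def sniff(data):
    """Return the type implied by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def rar_offset(data):
    """Offset of the first embedded RAR marker, or -1 if none is present."""
    hits = [h for h in (data.find(m) for m in RAR_MARKERS) if h != -1]
    return min(hits) if hits else -1


def sfx_commands(data):
    """Plaintext SFX script commands found anywhere in the file."""
    return [m.group(0).decode("latin-1") for m in SFX_COMMAND.finditer(data)]


def assess(name, data):
    """Collect indicators for one file; an empty list means nothing odd was seen."""
    findings = []
    exts = extensions(name)
    kind = sniff(data)

    if len(exts) >= 2 and exts[-2] in IMAGE_EXTS and exts[-1] in EXEC_EXTS:
        findings.append("double extension %s: shown as a picture, runs as a program" % "".join(exts))
    if exts and exts[-1] in IMAGE_EXTS and kind == "windows-executable":
        findings.append("name claims an image but content starts with an MZ header")
    if kind == "windows-executable":
        off = rar_offset(data)
        if off != -1:
            findings.append("RAR archive embedded at offset %d: self-extracting archive" % off)
            cmds = sfx_commands(data)
            if cmds:
                findings.append("SFX script commands: " + "; ".join(cmds))
    return findings


# Constructed sample: a few MZ header bytes, filler standing in for the SFX
# stub, a RAR4 marker, then a plaintext SFX script like the one configured
# in the article. This is not a real archive and cannot run.
SAMPLE_NAME = "My photo.gif.exe"
SAMPLE_DATA = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"Rar!\x1a\x07\x00"
    + b"Path=%systemroot%\\TEMP\r\nSetup=Server.exe\r\nSilent=1\r\nOverwrite=1\r\n"
    + b"\x00" * 16
)

# Constructed benign picture for comparison.
BENIGN_NAME = "photo.gif"
BENIGN_DATA = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


if __name__ == "__main__":
    for n, d in ((SAMPLE_NAME, SAMPLE_DATA), (BENIGN_NAME, BENIGN_DATA)):
        print(n)
        for line in assess(n, d) or ["no indicators"]:
            print("  -", line)
```

Run it on a suspicious download by reading the file's bytes and passing them with its full name to assess(). The extension and magic-byte checks are cheap and reliable; the SFX script extraction is a best-effort hint, since the commands may be stored compressed, so when a RAR marker is found the archive contents should be listed with an unarchiver on an isolated machine rather than by opening the file.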

When reposting, please credit the original address: https://www.9cbs.com/read-113601.html
