Beyond good ol’ Run key, Part 20

January 1, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis

Visual Basic is a goldmine when it comes to legacy code and some weird stuff (one example, which doesn't really matter for this post but is worth mentioning, is that whenever a VB application exits it tries to find a .hlp file, e.g. \windows\system32\.hlp, and if it finds one it will try to open it using the WinHelp API).

Anyway. In today's post we describe yet another persistence mechanism related to VB. It works on localized systems, but could potentially be adapted to English systems as well.

The idea is simple and it's yet another example of a feature which is rarely used nowadays, but could be adapted for malicious purposes. It's about the localization DLLs that msvbvm60.dll loads by default when a VB application is launched on a non-English system.

The naming convention for these DLLs is vb6<language code>.dll, e.g. vb6ar.dll for Arabic or vb6ru.dll for Russian. Dropping one of these into e.g. c:\windows\system32\ ensures that it is loaded any time a VB application starts (and exits).

Example for Russian system:

  • Application Start: [screenshot: vb6ru_attach]
  • Application Exit: [screenshot: vb6ru_detach]
Or, as seen in DebugView:

[screenshot: vb6ru]

There is a bonus on systems where the language is set to Arabic or Hebrew: on those, VB will attempt to load one more library, vbame.dll.

Dropping vbame.dll and vb6ar.dll into c:\windows\system32 on Arabic Windows ensures that both DLLs are loaded any time someone starts a VB app:

[screenshot: vb6ar]
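For the blue team, here is an added example (not from the original post) that scans image-load records for the vb6<language code>.dll / vbame.dll naming convention described above and rates unsigned loads highest. The record layout is a constructed key=value format loosely modelled on Sysmon Event ID 7, the sample lines are made up, and the two-letter language code is an assumption drawn from the post's examples.

```python
import re
from typing import Dict, Iterable, List

# Naming convention from the post: vb6<language code>.dll (e.g. vb6ru.dll,
# vb6ar.dll) plus vbame.dll on Arabic/Hebrew systems. A two-letter code is
# an assumption drawn from the post's examples.
LOCALE_DLL_RE = re.compile(r"^(vb6[a-z]{2}|vbame)\.dll$", re.IGNORECASE)

# Constructed sample records in a "key=value|key=value" layout loosely
# modelled on Sysmon Event ID 7 (Image loaded); not real telemetry.
SAMPLE_LOG = [
    r"Image=C:\Apps\legacy.exe|ImageLoaded=C:\Windows\System32\msvbvm60.dll|Signed=true",
    r"Image=C:\Apps\legacy.exe|ImageLoaded=C:\Windows\System32\vb6ru.dll|Signed=false",
    r"Image=C:\Apps\legacy.exe|ImageLoaded=C:\Windows\System32\vbame.dll|Signed=true",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\shell32.dll|Signed=true",
]

def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a field dict; parts without '=' are skipped."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def find_locale_dll_loads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per load of a VB6 localization DLL: unsigned is 'high',
    signed still gets 'review' since a localized VB6 runtime is rare."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        loaded = rec.get("ImageLoaded", "")
        if not LOCALE_DLL_RE.match(basename(loaded)):
            continue
        signed = rec.get("Signed", "unknown").lower() == "true"
        findings.append({
            "process": rec.get("Image", "?"),
            "dll": loaded,
            "severity": "review" if signed else "high",
        })
    return findings

if __name__ == "__main__":
    for f in find_locale_dll_loads(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']}")
```

A baseline of the legitimately installed localized VB6 runtime files (if any) should be kept next to this so that expected loads can be suppressed rather than reviewed every time.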
