{"id":2734,"date":"2015-01-01T12:13:32","date_gmt":"2015-01-01T12:13:32","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2734"},"modified":"2015-01-01T12:14:15","modified_gmt":"2015-01-01T12:14:15","slug":"beyond-good-ol-run-key-part-20","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/01\/01\/beyond-good-ol-run-key-part-20\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 20"},"content":{"rendered":"

Visual Basic is a goldmine when it comes to legacy code and some weird stuff (one example is – which doesn’t really matter for this post, but it’s just worth mentioning – that anytime a VB application exits it tries to find a .hlp file f.ex. \\windows\\system32\\.hlp and if it finds it it will try to open it using a WinHelp API).<\/p>\n

Anyway. In today’s post we describe yet another persistence mechanism related to VB which works on localized systems, but could be potentially adapted to English systems as well.<\/p>\n

The idea is simple and it’s yet another example of a feature which is rarely used nowadays, but could be adapted for malicious purposes. It’s about localization DLLs that\u00a0msvbvm60.dll loads by default when a VB application is launched on a non-English systems.<\/p>\n

The naming convention for these DLLs is vb6<language code>.dll e.g. vb6ar.dll for Arabic, vb6ru.dll for Russian. Dropping these into e.g. c:\\windows\\system32\\ will ensure that they are loaded anytime VB application starts (and exits).<\/p>\n

Example for Russian system:<\/p>\n