Modification of Software\\Classes\\CLSID branches is a well-known trick used by malware for ages. It is important to recognize though that there are many variants of the trick – the keys are used by different applications and libraries, and for really different purposes – there is no end to possibilities they offer to malware authors.<\/p>\n
Here’s a probably less-known CLSID branch that could be used to execute malware anytime you press WIN+E to open a new Windows Explorer window.<\/p>\n
Example for calculator (tested on win10):<\/p>\n
HKCU\\Software\\Classes\\CLSID\\\r\n{52205fd8-5dfb-447d-801a-d0b52f2e83e1}\\\r\nshell\\opennewwindow\\command\r\n\"DelegateExecute\"=\"\"\r\n@=\"c:\\\\windows\\\\system32\\\\calc.exe\"\r\n<\/pre>\nUpdate<\/strong><\/p>\nThere is a side-effect to this setting; launching explorer.exe – whether via WIN+E or directly via clicking explorer.exe inside Windows Explorer, or running it via WIN+R will always end up with calc.exe being executed. The malware would need to handle these situation with an appropriate action.<\/p>\n","protected":false},"excerpt":{"rendered":"
Modification of Software\\Classes\\CLSID branches is a well-known trick used by malware for ages. It is important to recognize though that there are many variants of the trick – the keys are used by different applications and libraries, and for really … Continue reading