echo: alt-comp-anti-virus
to: ALL
from: FROMTHERAFTERS
date: 2014-08-07 21:57:00
subject: Re: Registry-infecting re

Dustin brought next idea:
> FromTheRafters  wrote in
> news:ls066u$u4i$1@news2.open-news-network.org: 
>
>> Dustin wrote on 8/7/2014 :
>>> "Ant"  wrote in 
>>> news:cMSdnSFuYKG3Wn_OnZ2dnUVZ7oadnZ2d@brightview.co.uk:
>> 
>> [...]
>> 
>>>> If nit-picking is important then you should know the difference
>>>> between files and other objects. 
>>>> 
>>>> Actually, this malware lives in the registry, the registry is
>>>> contained in a set of files but it's not helpful to think of the
>>>> malware as a file. It's not hiding from the OS or a knowledgeable user
>>>> who knows about registry autorun keys.
>>> 
>>> An awful set of files that make up the registry hive, yes. :) It's a
>>> proof of concept... but, the idea was discussed a long long time ago. I
>>> found it quite interesting to see that the executable program section
>>> actually has a complete? MZ/PE header in the front...
>>> 
>>> Must admit, it's a cute trick with the extended ASCII to hide its
>>> presence from the typical user. :)
>> 
>> Sounds almost familiar. :)
>
> LOL. I didn't even think about that at the time I was writing the text
> above.
>  
>> Was the encoding of the script with screnc.exe or equivalent actually 
>> necessary?
>
> No. It was just a minor annoyance to get around. They were already okay the
> moment they opted for high ASCII value(s) as the registry key's name. It's
> just like using extended ASCII on file names. Windows Explorer has a fit.
>
> Do you remember the hidden space trick? Putting alt+255, then a space, then
> alt+255 again? :) Every time you'd go to click on it in older versions of
> Windows, it would tell you the file didn't exist. [g]

Yes, and I mentioned that elsewhere. I did it with directories, just
naming it with alt+255 and it would show up with an underscore
character as a name under the folder icon. Clicking the icon caused the
message that what you just clicked on 'does not exist' - yet how could
you have clicked on it if it didn't - Microsoft eh, I have a desktop on
my desktop displaying a desktop and I have to push start to turn it
off.


--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
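As an added example (not code from this post or from anyone in the thread): a small Python check that reads the Run/RunOnce autorun values and flags the things discussed above from the defender's side. It reports value names built from extended/high-ASCII characters (the alt+255 non-breaking space, U+00A0 under CP437), names made only of control or whitespace characters, and data that carries a Script Encoder prefix (`#@~^`, the marker screnc.exe emits) or begins with an MZ header. The key list and the sample entries are constructed for the example; the live scan uses the standard winreg module and only runs on Windows.

```python
"""Flag autorun registry entries whose names rely on non-printable or
extended-ASCII characters, as discussed in the thread above.

Added example, not code from the original post.  Sample entries are
constructed; the live scan uses winreg and runs only on Windows.
"""
import sys
import unicodedata
from dataclasses import dataclass, field
from typing import List, Tuple

# Autorun locations checked by the live scan (a selection chosen for this example).
AUTORUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

SCRIPT_ENCODER_PREFIX = "#@~^"   # start marker of screnc.exe / JScript.Encode output


@dataclass
class Finding:
    key: str
    name: str
    reasons: List[str] = field(default_factory=list)


def name_reasons(name: str) -> List[str]:
    """Reasons a value name looks designed to be hard to see in Explorer/regedit."""
    reasons: List[str] = []
    if name == "":
        return reasons  # the (Default) value has an empty name; nothing to judge
    if all(unicodedata.category(c) in ("Zs", "Cc", "Cf") for c in name):
        reasons.append("name consists only of whitespace/control/format characters")
    if any(unicodedata.category(c).startswith("C") for c in name):
        reasons.append("contains control or format characters")
    if any(ord(c) > 0x7E for c in name):
        reasons.append("contains non-ASCII (extended) characters")
    if "\u00a0" in name:
        reasons.append("contains non-breaking space (alt+255 trick)")
    return reasons


def data_reasons(data: str) -> List[str]:
    """Reasons the value data itself looks like encoded script or an embedded executable."""
    reasons: List[str] = []
    if SCRIPT_ENCODER_PREFIX in data:
        reasons.append("data contains Script Encoder (screnc) output")
    if data.startswith("MZ"):
        reasons.append("data begins with an MZ header")
    return reasons


def scan_entries(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """entries: (key path, value name, data as text). Returns only flagged entries."""
    findings = []
    for key, name, data in entries:
        reasons = name_reasons(name) + data_reasons(data)
        if reasons:
            findings.append(Finding(key, name, reasons))
    return findings


def collect_autorun_entries() -> List[Tuple[str, str, str]]:
    """Read Run/RunOnce values from a live Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for root, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(roots[root], path)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((f"{root}\\{path}", name, str(data)))
                index += 1
    return entries


# Constructed sample: one ordinary entry and three using the tricks from the thread.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "<constructed path>"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\u00a0", "<constructed data>"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x01\x02", "<constructed data>"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater", "#@~^<constructed>^#~@"),
]

if __name__ == "__main__":
    live = collect_autorun_entries()
    for finding in scan_entries(live or SAMPLE_ENTRIES):
        # ascii() makes the hidden characters in the name visible in the report
        print(f"{finding.key}  name={ascii(finding.name)}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run as-is on a non-Windows host it reports the constructed sample; on Windows it walks the listed keys instead. Printing the name with `ascii()` is the point of the report: a value whose name is a lone U+00A0 renders as a blank or an underscore in the GUI tools, but shows up as `'\xa0'` here.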
