Tag Archives: Hidden

Hiding malicious files in Windows folders

The desktop.ini is a standard text file that can be placed in any Windows folder to customize certain aspects of the folders behaviour, i.e. what the folder icon should be, what folder name to display, etc. The desktop.ini file is normally a hidden file so to display existing ones in folders you’ll need to make it visible by opening the folder and clicking on the Tools menu . . . Folder Options and selecting View. Then select “Show hidden files and folders” radio button and also uncheck “Hide protected operating system files (Recommended)”. Below I have touched upon three customised folders and the ini files it contains.

For Favourites folder the folder has to have attributes of either readonly or system or both for the folder to change to “favourites” from the actual folder displayed in Explorer. The desktop.ini file can have any attribute and below is an example of the ini file.

[.ShellClassInfo]
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-173
LocalizedResourceName=@shell32.dll,-12693

The LocalizedResourceName parameter can be used to change the folder name to something else when viewed in Windows Explorer.

Certain system folders use class ids to define the folder properties. Here again the folders attributes define the folder properties and the desktop.ini file can have any attribute set.

To create a recycle bin folder changing the folder attributes to system or readonly makes it change to the bin icon. The ini file settings should contain this class id below

[.ShellClassInfo]
CLSID={645ff040-5081-101b-9f08-00aa002f954e}

For the Scheduled tasks again changing the folder attributes to system or read only makes it change to the tasks icon.

[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}

So what does this mean from a malware point of view? Well these kind of system folder properties malware files can be easily hidden from view. i.e. having a job in Windows tasks (C:\WINDOWS\Tasks) with a hidden attribute set on the job file will be invisible even with all files and folders set to show. The same goes for the recycle bin where malware writers create a bogus recycle bin folder containing malware files which when browsed through Explorer remains invisible and only genuine deleted files are shown to the user.