What Does The rundll32.exe Icon Look Like?

Discussion in 'other software & services' started by DasFox, Aug 27, 2009.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I thought the rundll32.exe had the typical Windows .exe icon look, as a default application that didn't have an icon attached to it, the white box with the blue trim at the top.

    Here's a screenshot of what I'm seeing:

    http://img81.imageshack.us/img81/6761/89893141.jpg

    89893141.jpg

    THANKS
     
    Last edited by a moderator: Aug 27, 2009
  2. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    I have the same one (blue, 33 KB). It's a Microsoft gift, OK, no worry.

    P.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    On Win2k it's a different icon from the one in WinXP:

    rundll32.gif


    rundll32-icon.gif

    It's not a normal executable file. Note the description:

    rundll-properties.gif

    If you d-click on it, nothing happens. It needs an argument, that is, a DLL to load, such as:

    rundll32-cmd.gif

    which will launch Internet Explorer to connect to the WindowsLive login:

    rundll32-ie.gif

    If you looked at the analysis of the Conficker worm USB exploit, you would have seen the trick where the autorun.inf file contained a shellexecute command to load the malicious DLL -- spoofed with a .vmx file extension:

    Code:
    shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
    That's why this trusted EXE can be so dangerous when used by malware writers.

    ----
    rich
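
A defender-side check for the autorun.inf trick described in the post above, as an added example that is not part of the original thread: it parses autorun.inf text case-insensitively and flags entries that launch rundll32, noting when the module lacks a .dll extension or sits under a recycle-bin folder. The name `audit_autorun` and the sample's comment line and `open=setup.exe` line are constructed for illustration; only the shellexecute line comes from the post.

```python
import re

# Keys in autorun.inf that cause a command to run (matched case-insensitively).
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# rundll32 invocation: rundll32[.exe] <module path>,<export name>
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(\"[^\"]+\"|[^,]+),\s*(\S+)", re.I)
# Recycle-bin folder names as a path component.
RECYCLE = re.compile(r"(^|[\\/])(recycler|recycled|\$recycle\.bin)[\\/]", re.I)


def audit_autorun(text):
    """Return a list of findings for rundll32 launches in autorun.inf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comment/junk lines and section headers.
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not EXEC_KEY.match(key.strip()):
            continue
        m = RUNDLL.search(value)
        if not m:
            continue
        module = m.group(1).strip().strip('"')
        reasons = ["rundll32 launched from autorun.inf"]
        if not module.lower().endswith(".dll"):
            reasons.append("module does not have a .dll extension")
        if RECYCLE.search(module):
            reasons.append("module lives under a recycle-bin folder")
        findings.append({"line": lineno, "key": key.strip().lower(),
                         "module": module, "export": m.group(2),
                         "reasons": reasons})
    return findings


# Constructed sample built around the entry quoted in the post.
SAMPLE = r"""
[AUTorUN]
;qzxv
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
open=setup.exe
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print(finding)
```
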
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    THANKS
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    Ohh.. again u remind me. The clever Conficker worm, love it. Was very nice n interesting testing indeed. :D
     