What Does The rundll32.exe Icon Look Like?

Discussion in 'other software & services' started by DasFox, Aug 27, 2009.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I thought the rundll32.exe had the typical Windows .exe icon look, as a default application that didn't have an icon attached to it, the white box with the blue trim at the top.

    Here's a screenshot of what I'm seeing:

    http://img81.imageshack.us/img81/6761/89893141.jpg


    THANKS
     
    Last edited by a moderator: Aug 27, 2009
  2. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    I have the same one (blue, 33 KB). It's a Microsoft gift, OK, no worry.

    P.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    On Win2k it's a different icon than from that in WinXP:

    rundll32.gif


    rundll32-icon.gif

    It's not a normal executable file. Note the description:

    rundll-properties.gif

    If you d-click on it, nothing happens. It needs an argument, that is, a DLL to load, such as:

    rundll32-cmd.gif

    which will launch Internet Explorer to connect to the WindowsLive login:

    rundll32-ie.gif

    If you looked at the analysis of the Conficker worm USB exploit, you would have seen the trick where the autorun.inf file contained a shellexecute command to load the malicious DLL -- spoofed with a .vmx file extension:

    Code:
    shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
    That's why this trusted EXE can be so dangerous when used by malware writers.

    ----
    rich
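
A defender-side check for the trick described in the post above, added here as an example and not part of the original thread: it parses autorun.inf text and reports launch lines that hand a module to rundll32, noting when the module lacks a .dll extension or sits under RECYCLER. The function names and the sample file's lines other than the quoted shellexecute line are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed autorun.inf: the shellexecute line is the one quoted in the post,
# the remaining lines are made up for this example.
SAMPLE_AUTORUN = r"""[AutoRun]
icon=setup.ico
open=setup.exe /s
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx, ahaezedrn
"""

LAUNCH_KEYS = {"open", "shellexecute"}
# rundll32, with or without a path, quotes or ".exe", in any letter case.
RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)


def parse_rundll32(command):
    """Return (module, entry_point) when command runs rundll32, else None."""
    match = RUNDLL32.match(command)
    if match is None:
        return None
    module, _, entry = match.group("rest").partition(",")
    return module.strip().strip('"'), entry.strip()


def audit_autorun(text):
    """List every autorun.inf launch line that hands a module to rundll32."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.partition("=")
        key = key.strip().lower()  # autorun.inf keys are case-insensitive
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        parsed = parse_rundll32(value) if sep and is_launch else None
        if parsed is None:
            continue
        module, entry = parsed
        path = PureWindowsPath(module)
        anomalies = []
        if path.suffix.lower() != ".dll":
            anomalies.append("module extension is %r, not .dll" % path.suffix)
        if any(part.lower() == "recycler" for part in path.parts):
            anomalies.append("module sits under RECYCLER")
        findings.append({"line": lineno, "key": key, "module": module,
                         "entry": entry, "anomalies": anomalies})
    return findings


if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print(finding)
```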
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    THANKS
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ohh.. again u remind me. The clever Conficker worm, love it. Was very nice n interesting testing indeed. :D
     