Another Filename Bypass Vulnerability?



I just discovered a recent feature in the Microsoft command prompt. It can execute an exe file even if the filename has a different extension.

Below are my tests.

1. calc.exe
2. calc.exw.asd

Both files are the same. When I ran “calc.exw.asd” through double-clicking I got this



But when I ran the file “calc.exw.asd” through the command prompt, to my surprise, the file executed.

In my second round of testing I took a batch file and renamed it to run.asdf.

Here are the contents of my batch file.

Echo “Test”


When I ran “run.asdf”, I got an error message saying that the file was not recognized as an internal or external command.

Out of curiosity, I changed the contents of my batch file named “run.asdf” to this

MZ ho “Test”


And again, to my surprise, MS tried to execute it as an exe file. Of course I got an error message since it really wasn’t an exe file. :p

So what Microsoft actually did is just check if the first two bytes of the file are “MZ”, and if they are, the file will be executed as an exe file, regardless of the filename or what the file type is.

From a malware point of view, this could be exploited by just issuing this command.

“cmd /k %anyfileinthesystem%”

Plus there is that FALSE SENSE OF SECURITY that the file will not execute since it has already been renamed.

This is still given a low priority, though, since an attacker should already know which file to execute in the user’s system, and since the file doesn’t really run through double-clicking, which means the user should run the file manually through the command prompt himself.
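
Since renaming a file does not stop it from being run this way, a defender can look at file contents instead of names. The script below is an added example, not part of the original post: it walks a directory and reports files that begin with “MZ” but lack an executable extension, and it separates real PE images (like calc.exw.asd) from files that only carry the two-byte prefix (like run.asdf). The extension list and the sample files written by build_samples are constructed assumptions.

```python
import os
import struct

# Extensions normally associated with PE images; anything else carrying an
# MZ prefix is reported. This list is an assumption, tune it per environment.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl"}


def classify(path):
    """Return 'pe', 'mz-only' or 'other' from the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if head[:2] != b"MZ":
            return "other"
        if len(head) < 0x40:
            return "mz-only"          # too short to hold a DOS header
        # e_lfanew (offset 0x3C) holds the file offset of the PE signature.
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(e_lfanew)
        return "pe" if fh.read(4) == b"PE\0\0" else "mz-only"


def find_disguised(root):
    """List (path, kind) for MZ-prefixed files lacking a PE extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in PE_EXTENSIONS:
                continue
            try:
                kind = classify(path)
            except OSError:
                continue              # unreadable or locked file, skip it
            if kind != "other":
                hits.append((path, kind))
    return hits


def build_samples(root):
    """Write constructed sample files that mirror the tests in the post."""
    # Minimal constructed header: 'MZ', e_lfanew = 0x40, then 'PE\0\0'.
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {"calc.exe": stub, "calc.exw.asd": stub,
               "run.asdf": b'MZ ho "Test"\r\n', "notes.txt": b"hello\r\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```

Call build_samples on an empty directory and then find_disguised on it to see both cases from the post reported; on a real system, pass find_disguised the directory to audit.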