Anatomy of a very creative .txt virus/trojan. How does it work?

The other answers are basically correct, but are missing the key element:

A weird legacy behavior in cmd.exe is that when you give it a file as a command (either via the /c parameter or by just typing the file name into the interactive shell), the first thing it does is call CreateProcess on that file. CreateProcess is the Win32 API to launch a program, and it does not care about the file extension; it only cares whether or not the file is executable code and has Execute permission (which all Windows files have, by default). Only if CreateProcess fails does cmd fall back to ShellExecute, which takes an action based on the file extension and registered handler.

As the other answers noted, your “.txt” file is actually a Windows PE executable binary (basically, a renamed “.exe” file). If you ran it on your machine, there’s a pretty good chance your system is now compromised by malware.

You can draw the following inferences:

  1. The file starts with MZ, which implies this is a PE file.
  2. There is a string This program must be run under Win32.
    This is part of the MS-DOS header, which confirms inference 1.
    It also means that it is a 32 bit executable (x86).
  3. Let’s understand C:\Windows\System32\cmd.exe cmd /c Credits.txt
    • C:\Windows\System32\cmd.exe cmd is asking to start a new instance of the Windows XP command interpreter.
    • /c means ‘Carries out the command specified by string and then terminate’
      In short, it runs Credits.txt

To understand what exactly it does, you need to disassemble the program and look at the assembly code with a tool such as IDA Pro.
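The two answers above both rest on the same check: a file named “.txt” that cmd.exe happily hands to CreateProcess is recognisable from its headers alone, without running it. The following script is an added example (it is not part of the original answers) that performs that triage in pure Python: it checks the MZ signature, follows e_lfanew to the PE signature, reads the COFF Machine field and the optional-header magic (which is where the 32-bit vs. 64-bit question is actually decided), and reports the DOS stub message. The stub text varies by linker: Microsoft's link.exe writes “This program cannot be run in DOS mode.”, while the Delphi/Borland toolchain writes “This program must be run under Win32”. The `build_fake_pe` helper constructs a minimal, non-runnable PE header in memory so the example runs offline; the sample bytes and the function names are this example's own, not anything from the original post.

```python
import struct

# Values from the PE/COFF specification (IMAGE_FILE_MACHINE_* and optional-header magic).
MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000
KNOWN_STUB_MESSAGES = (
    b"This program must be run under Win32",       # Borland / Delphi linkers
    b"This program cannot be run in DOS mode",     # Microsoft link.exe
)


def inspect_pe(data: bytes) -> dict:
    """Return header facts for a blob that may be a renamed PE image.

    Only reads the headers; never executes anything, so it is safe to run on
    a suspicious "Credits.txt" style sample.
    """
    info = {"is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["reason"] = "no MZ signature; not a DOS/Windows executable"
        return info

    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["reason"] = "MZ header but no PE signature (plain DOS program or truncated file)"
        return info

    # The DOS stub sits between the 64-byte DOS header and the PE header.
    stub = data[0x40:e_lfanew]
    for msg in KNOWN_STUB_MESSAGES:
        if msg in stub:
            info["stub_message"] = msg.decode()

    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    info.update(
        is_pe=True,
        machine=MACHINE_NAMES.get(machine, hex(machine)),
        sections=nsections,
        dll=bool(chars & IMAGE_FILE_DLL),
    )

    # First field of the optional header is the Magic word: PE32 vs PE32+.
    opt_offset = e_lfanew + 24
    if opt_size >= 2 and opt_offset + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt_offset)[0]
        info["format"] = OPTIONAL_MAGIC.get(magic, hex(magic))
    return info


def build_fake_pe(machine=0x014C, magic=0x10B,
                  stub_msg=b"This program must be run under Win32\r\n$") -> bytes:
    """Construct a minimal PE header (constructed test data, not a real binary).

    It has no sections or code, so it cannot be executed; it exists only to
    exercise inspect_pe() offline.
    """
    pe_offset = 0x80
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    stub = stub_msg.ljust(pe_offset - 0x40, b"\0")
    # Characteristics 0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", magic).ljust(0xE0, b"\0")
    return bytes(dos) + stub + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    # A genuine text file next to a "text file" that is really a PE image.
    print(inspect_pe(b"Credits: Alice, Bob\n"))
    print(inspect_pe(build_fake_pe()))
    print(inspect_pe(build_fake_pe(machine=0x8664, magic=0x20B)))
```

On a real sample, `inspect_pe(open("Credits.txt", "rb").read())` is all that is needed; anything reporting `is_pe: True` should be treated as an executable regardless of its extension, because that is exactly how CreateProcess treats it.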

As you can see from the screenshot, credits.txt is actually a Windows binary (this program must be run under Win32).

cmd /c runs the program specified (in your case credits.txt). The file extension is apparently not relevant in this case.
