I have always been curious whether it is possible to run an image file as an executable. So far I only know about the double extension trick, such as file.jpg.exe. If the user has “Hide extensions for known file types” enabled in Folder Options, the user will most probably think it is a JPG image file, when in fact the .exe extension is just hidden. That’s why the first thing I do after reinstalling Windows is to enable showing hidden files and disable hiding extensions for known file types.
A few days ago I was going through the HackHound forum and found a tool called EXE-Forcer, developed by steve10120, which claims to make any file run under a different extension and execute like an .exe file. Before I ran EXE-Forcer, I uploaded it to ThreatExpert to analyze it and see what it does. The report showed it doesn’t do anything, but a few antivirus vendors such as PC Tools, Symantec, McAfee, Sophos and Ikarus flag it as a Trojan.
I ran it and was presented with a very simple interface with nothing on it. Right clicking on an empty space allows me to add an extension.
So I tried entering the .ray extension and it was added to the program, but nothing else happened. I right-clicked on EXE-Forcer again and this time found the Build option enabled. I selected Build and it prompted me to save an exe file to a location. Now I had another suspicious EXE file, and since I didn’t know what it does, I analyzed it in ThreatExpert. This time ThreatExpert told me that the file EXE-Forcer created adds new registry entries. From the look of the registry modification, it appeared to be registering the new extension under the EXE file type.
I ran the EXE file created by EXE-Forcer, and then I renamed a legitimate .exe file’s extension to .ray. As expected, I was able to run the .ray extension as an application after the registry modification.
This registry modification is pretty simple: it maps an extension of your choice to the Application (executable) file type. If you go to the File Types tab in Folder Options (only present in XP), you will see that the new extension opens with %1, meaning the file itself is launched.
EXE-Forcer works, but it is already widely detected as a malicious tool by most antivirus software. In fact, a simple command line does the same job. Typing assoc .ray=exefile at the command prompt does exactly what EXE-Forcer does. You can replace .ray in the command with any other extension you want to be run as an executable. Hope you’ve learned something new today.
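Since the whole trick is a registry file-type mapping, the same place is where you check a machine for it. The PowerShell script below is an added example, not part of the original post or of EXE-Forcer: it walks the extension keys under HKEY_CLASSES_ROOT and reports any extension whose default value is `exefile` that is not on a short allow-list of extensions Windows normally treats as executable (that list is an assumption of this script, not something the post states).

```powershell
# Added example: find extensions mapped to the "exefile" class, which is exactly
# what "assoc .ray=exefile" (or the EXE-Forcer build) creates. HKEY_CLASSES_ROOT
# is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a
# per-user override shows up here as well.

# Extensions that Windows itself associates with the executable class.
# Assumed allow-list; extend it if your environment legitimately uses others.
$KnownExecutableExtensions = @('.exe', '.com', '.scr', '.pif')

function Get-UnexpectedExeAssociations {
    param(
        [string]$Hive = 'Registry::HKEY_CLASSES_ROOT'
    )
    # Extension keys are the subkeys whose name starts with a dot (".jpg", ".ray", ...).
    Get-ChildItem -Path $Hive -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext = $_.PSChildName
            # The key's default value is the ProgID the extension opens with.
            $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($progId -eq 'exefile' -and $KnownExecutableExtensions -notcontains $ext) {
                [pscustomobject]@{
                    Extension = $ext
                    ProgId    = $progId
                    KeyPath   = $_.Name
                }
            }
        }
}

$findings = @(Get-UnexpectedExeAssociations)
if ($findings.Count -eq 0) {
    Write-Output 'No unexpected extensions are mapped to exefile.'
} else {
    Write-Output 'Extensions that will run as executables:'
    $findings | Format-Table -AutoSize
    # Remediation for a finding such as ".ray": delete the mapping so the extension
    # is no longer treated as an executable. Equivalent to "assoc .ray=" at a cmd prompt.
    # Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\.ray' -Force
}
```

Run it from an elevated prompt so HKLM-backed keys can be removed if you uncomment the remediation line; reading the associations needs no special rights.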