Malware Hidden in Windows Help Files

Jack

Jan 24, 2011
Viruses and other malicious software contained in simple help files are not news to internet security specialists, but the fact that these pieces of malware are sent using email messages is part of a more recent scheme deployed by cybercriminals to fool unsuspecting victims.

Symantec's blog informs us about these new targeted attacks that come as emails and infect our computers with all sorts of ill-intended applications that are used by those who control them to take over our virtual lives.

Targeted attacks are not uncommon, in many cases hiding under "innocent" formats such as jpg, avi, doc and pdf. Other such methods imply the forgery of executable icons to make them look like harmless file formats.

As most people know, .hlp extensions are normally handled by Windows Help and they contain information on how to work with certain applications and facilities.

This new technique used by hackers is very efficient because typically, a vulnerability needs to be exploited in order for an attack code to be executed and in case the target computer's security is up to date, the hit will probably fail.

Help files, on the other hand, call the Windows API to be executed, and this way the planted code is run along with it.

While the victim only sees a blank Windows Help window, his system is being infected with all sorts of bad things.

Under normal circumstances, no user should ever receive .hlp files by email. However, email recipients can easily recognize the icon for the .hlp file type, as shown below:

[Image: icon of the .hlp file type]


Read more

Symantec Report : .HLPing Targeted Attacks
 

Jack

win7holic said:
I never open any .hlp file from any software. So, I'm safe from this attack.
In order to be in any danger you'll need to receive in your Inbox an email from a cyber criminal with an .hlp attachment and then you'll need to open it.
So if you don't have the bad habit of opening random attachments sent by unknown people, you'll be safe.

Symantec said:
So, why use this type of file? The reason may be because the attackers do not have to rely on vulnerabilities like they do for the other file types I mentioned above. Usually, a vulnerability needs to be exploited in order for malicious files to execute code. If the targeted system is patched, the attack will not succeed. However, .hlp files can call the Windows API and therefore run the shell code encoded in the file. So, by enticing a user to open an .hlp file, malicious files can easily be dropped onto a system. But from a user’s point of view, the only thing that happens is that Windows Help opens

Very smart way of getting around the need for a vulnerability.....
 

jamescv7

Mar 15, 2011
Since I'm using a web-based email service (Yahoo Mail), Norton would block the attachment since it's malicious.
 

Deleted member 178

jamescv7 said:
Since I'm using a web-based email service (Yahoo Mail), Norton would block the attachment since it's malicious.

Me too.
 
