"John C." <r9j...@yahoo.com> wrote:
Criteria not specified by you before. Anything else restricting what
you'll accept as suggestions?
rundll32.exe runs functions (aka methods) defined inside of DLL (Dynamic
Link Library) files. Some methods are internal only in a .dll file.
Some are exported which means they have an external interface that
allows them to be called as a function by a caller process. .cpl files
are Control Panel applets. You can even use rundll32.exe to call a
system library's methods to call a system CPL file to open to a
particular tab or dialog, like:
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2
Search your drive, and you'll find lots of .cpl files which are a type
of DLL file. shell32.dll is also part of Windows, a very critical part.
Instead of bothering to dole out an .exe file which merely calls a
method in a DLL file to start the program, a program may simply load the
.dll file to run its main() method, if it has one, or use the
system-provided rundll32.exe to call a front-end method in the .dll file,
which is how the .exe is going to access an exported method in the DLL.
https://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/
https://support.microsoft.com/en-us/topic/description-of-control-panel-cpl-files-4dc809cd-5063-6c6d-3bee-d3f18b2e0176
desk.cpl is already on your computer as it is part of Windows. The .scr
file is obviously their screen saver. You didn't want an .msi
installer, so now you don't want to have desk.cpl deposit the .scr file
on your host. Any other restrictive criteria? As you've noted, you can
just get the .scr to put anywhere you want and run it from there. Most
users don't know what .scr files are, how to extract them, or where to
put them, hence the use of installers or system lib calls.
I have no idea why, but VirusTotal includes some rather crappy or iffy
anti-virus programs in its scan suite. They think the more engines that
scan a file then the more likely one, or more, of them will discover a
new exploit or malware. However, with the crappy AVs, they up their
false positive count which diminishes the value of their aggregate scan.
They say 2 vendors flagged the file as suspect, but their scan list
shows only 1 vendor in red. They show the scan engine in each AV,
but not if it was contracted and rebranded by the AV vendor; e.g.,
Bitdefender licenses out their scan engine to other AV vendors, and the
AV vendors usually hide or rebrand the scan engine to make it look like
theirs. ClamAV is just one example of a crappy AV they include. When
using VirusTotal, you have to look at just who said the file was
suspect. All AVs are not equal, and some should not be used by
VirusTotal.
That's not to say VirusTotal is worthless or misleading. It's up to
you to figure out if the results are important. I use SysInternals'
Process Explorer (PE), and it has an option to check processes against
VirusTotal. It's not enabled by default, but you can configure PE to
submit the processes to VirusTotal. If a process already has a scan
recorded at VirusTotal, you see it shown immediately in PE. If the
process has not been scanned before, PE submits the process, so you
might see "hashing..." momentarily until VirusTotal reports its results
to PE.
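As an added example, not part of John C.'s post or of anything he links, here is a small Python parser for the rundll32 command-line form he describes: everything up to the first comma is the DLL, the token after the comma is the exported function rundll32 calls, and the rest is handed to that export as its argument string. For shell32's Control_RunDLL the argument string is split the way his desk.cpl,,2 example shows (applet file, optional @n applet selector, optional tab index). The dll_origin() classification and the sample command lines are this example's own constructions; the C:\Windows paths are an assumption about a default install.

```python
"""Parse rundll32.exe command lines: "<dll>,<export> [args]".

Added example, not code from the original thread.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunDllCall:
    dll: str                      # DLL as written (bare name or path)
    entry: str                    # exported function rundll32 will call
    args: str                     # remainder passed to that export
    cpl: Optional[str] = None     # filled in only for Control_RunDLL
    applet: Optional[int] = None  # "@n" applet selector, if any
    tab: Optional[int] = None     # tab index, if any


# Optional leading rundll32 executable (bare or full path, quoted or not),
# then the DLL (quoted path or a token without comma/space), a comma, the
# export name, and everything after the next whitespace as the arguments.
_RUNDLL_RE = re.compile(
    r'^\s*(?:"?[^"\s]*rundll32(?:\.exe)?"?\s+)?'
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*(?P<entry>[^\s,]+)'
    r'(?:\s+(?P<args>.*?))?\s*$',
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Return the DLL/export/args of a rundll32 command line, or None."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    call = RunDllCall(
        dll=m.group("dll").strip('"'),
        entry=m.group("entry"),
        args=m.group("args") or "",
    )
    # Match Control_RunDLL and any suffixed variant of the name.
    if call.entry.lower().startswith("control_rundll") and call.args:
        _parse_control_args(call)
    return call


def _parse_control_args(call: RunDllCall) -> None:
    """Split "name.cpl[,@n][,t]" into applet file, selector and tab."""
    parts = [p.strip() for p in call.args.split(",")]
    call.cpl = parts[0].strip('"')
    if len(parts) > 1 and parts[1]:
        sel = parts[1][1:] if parts[1].startswith("@") else parts[1]
        call.applet = int(sel) if sel.isdigit() else None
    if len(parts) > 2 and parts[2].isdigit():
        call.tab = int(parts[2])


# Assumed default install location; adjust for other SystemRoot values.
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def dll_origin(dll: str) -> str:
    """Classify where rundll32 would take the DLL from (example heuristic).

    'search-order': bare name, resolved by the loader's DLL search order
        (application directory, system directory, Windows directory,
        current directory, PATH), so which file is really loaded can only
        be confirmed on the host, e.g. in Process Explorer's DLL view.
    'system-path': explicit path under the Windows system directories.
    'other-path':  explicit path anywhere else.
    """
    if "\\" not in dll and "/" not in dll:
        return "search-order"
    low = dll.lower().replace("/", "\\")
    return "system-path" if low.startswith(_SYSTEM_DIRS) else "other-path"


# Constructed sample command lines (not taken from any real log).
SAMPLE_CMDLINES = [
    "rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,2",
    '"C:\\Windows\\System32\\rundll32.exe" '
    '"C:\\Program Files\\Vendor\\helper.dll",Start /quiet',
    "rundll32 shell32.dll,Control_RunDLL desk.cpl,@0,2",
    "notepad.exe readme.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        call = parse_rundll32(line)
        if call is None:
            print(f"not a rundll32 call: {line}")
            continue
        print(f"{line}\n  dll={call.dll} ({dll_origin(call.dll)}) "
              f"entry={call.entry} args={call.args!r} "
              f"cpl={call.cpl} applet={call.applet} tab={call.tab}")
```

The parser only tells you what rundll32 was asked to load; a bare DLL name still goes through the loader search order, which is why the post's advice to check the running process itself (Process Explorer plus VirusTotal) is the step this cannot replace.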