Find hidden executables with MZreveal

Malware uses many tricks to avoid detection. Sometimes this involves ultra-complicated, super-stealthy, rootkit-like Windows hooking. But often it’s no more advanced than giving an EXE or DLL file a much less worrying extension (virus.exe > virus.txt, perhaps). A simple technique, but maybe enough to get past you and your antivirus software.

MZreveal is a tiny free tool which can expose this hidden code by scanning the content of every file, listing any executables it finds which don’t have an EXE or DLL extension.

One immediate problem is the program only scans its current folder and any subfolders. There’s no way to point it anywhere else, so if you want to check your User folder, say, you must copy the file there first.

Once that’s out of the way, launch the program and you’re asked if you’d like it to display filenames only, or full paths.

MZreveal then starts to scan your specified folder tree. This involves checking the content of every single file, so expect it to take a while.

Fortunately any concealed executables are listed as they’re discovered, along with their file type (DLL or EXE). The list of disguised executables is also saved to an MZreveal.log file, in the same folder as MZreveal.exe.

Don’t read too much into this report. There are plenty of entirely innocent files which contain executable code, but don’t have a DLL or EXE extension (OCX, SCR, PYD and so on). Scan your whole system and you might easily find hundreds of these.

MZreveal does give you a starting point, though, and even if you don’t find any malware, you could learn more about file types. Did you know Photoshop 8bf plugins were executables, for example? Worth remembering: malware has hidden behind the 8bf extension before, and it surely will again.