Malware writers have got a new way to keep their babies safe. Recently we found a malware in 16bit NE file format and it runs smoothly in modern 32bit OS without detection even by the HIPS.



As far as we know, the sample has been in public view for 4 days(since 2012.1.16). But only 4 AV vendors are reporting it as of now.

That’s generally because most of automated system don’t handle NE file format and HIPS system ignore it , as well as cloud system.

So under current situation, NE malware may exist for a longer period before detected by antivirus software. So it is more threatening to the end user.


Introduction for NE file format

NE (New executable) is elevated from DOS MZ executable format and it is for 16bit windows (Win3.x). Now it has surely been out dated.

Comparing with 32bit PE format, it has ‘MZ’ header, but the signature after DOS header is ‘NE’ instead of ‘PE’. And string in DOS stub is ‘This program requires Microsoft Windows’.


16bit file can run in 32 bit Windows OS with the help of NTVDM(Virtual Dos machine). A separate ntvdm.exe process is created when the file is executed and it’s within the context of ntvdm.exe. That’s why most of the HIPS miss it.

Malware behavior

Most of the malicious action taken by the NE file is  by 16bit api call ‘WINEXEC’ to run 32bit cmd.exe and taskkill with argument.

And the malware drops a 32bit PE and a reg file.

Process creations:

We can see that the malware deletes all shortcuts in desktop/start menu and quick launch. The reg file created by NE contains:

The main purpose is to modify start page.

And the PE file dropped is a simple MFC application that read StartupDVR.ini and run the file specified in the .ini after a time period.


The malware writer didn’t forget the NE file which anti-virus vendors thought it is outdated. NE file could be a new trend of malware carrier so we should aware of it to protect end user.

Enhanced by Zemanta