
Support Scammers (mis)using INF and PREFETCH


Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. Support scammers from India use these as alternatives (or supplements) to the Event Viewer and ASSOC/CLSID ploys, which are likewise used to "prove" to a victim that their system is infected with malware or has other security/integrity problems.

The "Prefetch" command shows the contents of C:\Windows\Prefetch, containing files used in loading programs.

The "INF" command actually shows the contents of a folder normally named C:\Windows\Inf: it contains files used in installing the system.

INF and PREFETCH are legitimate system utilities: so how are they misused by scammers? By asking a victim to press Windows-R to get the Run dialogue box, then asking them to type in something like "prefetch hidden virus" or "inf trojan malware". When a folder listing like those above appears, the victim believes that the system is listing malicious files. In fact, neither of these commands accepts parameters in the Run box: you could type "inf elvish fantasy" or "prefetch me a gin and tonic" and you'd get exactly the same directory listing, showing legitimate files.
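Because the Run box keeps a per-user history, a helper (or an incident responder) can check afterwards whether someone was walked through this ploy. The script below is an added example, not part of the original post or ESET's tooling: it reads the current user's RunMRU key, where Windows stores each Run-box entry as a value named a, b, c, ... with a trailing "\1" marker and an MRUList value giving the most-recent-first order, and flags any "prefetch" or "inf" entry followed by extra words, since legitimate use needs no trailing text.

```powershell
# Added example (not from the original post): look for scam-style Run-box entries
# such as "prefetch hidden virus" or "inf trojan malware" in the current user's
# RunMRU history. Assumes Windows; the key only exists once the user has used Run.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (-not (Test-Path $key)) {
    Write-Host "No Run-box history found for this user."
    return
}

$props = Get-ItemProperty -Path $key
$order = [string]$props.MRUList          # e.g. "cba": most recent entry first
$suspicious = @()

foreach ($ch in $order.ToCharArray()) {
    $name = [string]$ch
    $raw  = $props.$name
    if (-not $raw) { continue }

    $cmd   = ([string]$raw) -replace '\\1$', ''   # strip the trailing "\1" marker
    $parts = $cmd.Trim() -split '\s+', 2          # command word, then everything after it

    # "prefetch" / "inf" on their own are harmless; anything typed after them is
    # ignored by Run, so trailing words are a strong hint of a scripted scam call.
    if ($parts[0] -match '^(?i)(prefetch|inf)$' -and $parts.Count -gt 1) {
        $suspicious += [pscustomobject]@{
            Entry        = $name
            Command      = $parts[0]
            TrailingText = $parts[1]
        }
    }
}

if ($suspicious) {
    Write-Host "Run-box entries matching the PREFETCH/INF scam pattern (most recent first):"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No scam-style PREFETCH/INF entries found."
}
```

RunMRU is per user, so run this in the profile of the person who took the call; a match shows what they were told to type, not that anything malicious was installed.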

Neat trick: but don't you fall for it!

ESET Senior Research Fellow


