It is worth noting that the 8.3 short name of the hidden file was HUB001.DAT[1]. This is because VFAT allows the specification of both a short name (8.3) and long name (LFN) for each file/directory.
You can find 8.3 '.' entry names by searching a partition for \x2e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
A file with an LFN of '.' could be found with (hopefully this is correct) \x00\x2e\x00\x00\x00\x00\xff\xff\xff\xff\x0f
It appears as if 8.3 file names starting with '.' are treated specially but LFNs starting with '.' carry no significant meaning.
I struggled to find references to other malware that has used a similar approach. Does anyone have more information?
Surely Windows does not attempt to automatically execute files with an LFN (UTF-16 name) of '.'?
[1] http://labs.bitdefender.com/2012/06/flame-the-story-of-leake...
[2] https://en.wikipedia.org/wiki/File_Allocation_Table#Director...
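As an added example (not from the post above or from the Bitdefender write-up it cites), the following Python builds a small constructed FAT directory region and parses it entry by entry rather than pattern-matching raw bytes. The field layout follows the standard 32-byte VFAT directory entry (0x0F attribute marks a long-name fragment, 13 UTF-16 units per fragment, 8.3-name checksum at byte 13). The only name taken from the post is HUB001.DAT; everything else (`notes.long.txt`, the triage rules, the function names) is an assumption for illustration. The point it demonstrates is the distinction the post draws: an 8.3 '.' entry is the normal directory self-reference, while a long name that resolves to '.' or '..' sitting on an ordinary file is the anomaly worth flagging, and a checksum mismatch between an LFN chain and its short entry is a second forensic signal.

```python
import struct

ENTRY_SIZE = 32
ATTR_LFN = 0x0F          # attribute value that marks a VFAT long-name fragment
ATTR_DIRECTORY = 0x10
# Raw signature of an 8.3 '.' entry: '.' followed by ten spaces (the pattern from the post).
SFN_DOT = b"\x2e" + b"\x20" * 10


def sfn_checksum(name11: bytes) -> int:
    """Checksum of an 11-byte 8.3 name; every fragment of its LFN chain stores it at byte 13."""
    s = 0
    for b in name11:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s


def make_short_entry(name11: bytes, attr: int, size: int = 0) -> bytes:
    """Constructed 8.3 directory entry (timestamps zeroed, first cluster 2)."""
    assert len(name11) == 11
    return name11 + struct.pack("<BBBHHHHHHHI", attr, 0, 0, 0, 0, 0, 0, 0, 0, 2, size)


def make_lfn_entries(long_name: str, name11: bytes) -> bytes:
    """Constructed LFN chain for long_name: 13 UTF-16 units per entry, stored last-fragment-first."""
    units = [ord(c) for c in long_name]   # sample names use BMP characters only
    if len(units) % 13:
        units.append(0x0000)              # terminator, only if the last fragment has room
    while len(units) % 13:
        units.append(0xFFFF)              # padding after the terminator
    chk, n = sfn_checksum(name11), len(units) // 13
    entries = []
    for i in range(n):
        frag = units[i * 13:(i + 1) * 13]
        seq = (i + 1) | (0x40 if i == n - 1 else 0)   # 0x40 marks the final fragment
        entries.append(
            struct.pack("<B5H", seq, *frag[0:5])
            + struct.pack("<BBB", ATTR_LFN, 0, chk)
            + struct.pack("<6H", *frag[5:11])
            + struct.pack("<H", 0)        # first-cluster field is always 0 in an LFN entry
            + struct.pack("<2H", *frag[11:13])
        )
    return b"".join(reversed(entries))


def short_name(name11: bytes) -> str:
    base = name11[:8].rstrip(b" ").decode("ascii", "replace")
    ext = name11[8:].rstrip(b" ").decode("ascii", "replace")
    return f"{base}.{ext}" if ext else base


def parse_directory(blob: bytes) -> list:
    """Walk 32-byte entries, attach each LFN chain to the short entry that follows, flag oddities."""
    results, frags, chk_seen = [], {}, None
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break                         # no further entries in this directory
        if e[0] == 0xE5:
            frags.clear()                 # deleted entry; drop any pending chain
            continue
        if e[11] == ATTR_LFN:
            chk_seen = e[13]
            frags[e[0] & 0x1F] = (struct.unpack("<5H", e[1:11])
                                  + struct.unpack("<6H", e[14:26])
                                  + struct.unpack("<2H", e[28:32]))
            continue
        name11, long_name, lfn_ok = e[0:11], None, None
        if frags:
            units = [u for k in sorted(frags) for u in frags[k]]
            end = next((i for i, u in enumerate(units) if u in (0x0000, 0xFFFF)), len(units))
            long_name = b"".join(struct.pack("<H", u) for u in units[:end]).decode("utf-16-le", "replace")
            lfn_ok = chk_seen == sfn_checksum(name11)   # False => orphaned or forged chain
            frags.clear()
        results.append({
            "offset": off, "short": short_name(name11), "long": long_name,
            "is_dir": bool(e[11] & ATTR_DIRECTORY), "lfn_ok": lfn_ok,
            # 8.3 '.' is the normal self-reference; a *long* name of '.' or '..' is the anomaly.
            "suspicious": long_name is not None and long_name.strip() in (".", ".."),
        })
    return results


def find_sfn_dot_entries(blob: bytes) -> list:
    """Offsets of 8.3 '.' entries on 32-byte boundaries (the raw signature from the post)."""
    return [off for off in range(0, len(blob) - 10, ENTRY_SIZE) if blob[off:off + 11] == SFN_DOT]


# Constructed sample directory: normal '.'/'..' entries, an ordinary long-named file, and a
# hidden file whose long name is '.' and whose 8.3 name is HUB001.DAT (name taken from the post).
SAMPLE_DIR = (
    make_short_entry(b".          ", ATTR_DIRECTORY)
    + make_short_entry(b"..         ", ATTR_DIRECTORY)
    + make_lfn_entries("notes.long.txt", b"NOTES~1 TXT")
    + make_short_entry(b"NOTES~1 TXT", 0x20, 1234)
    + make_lfn_entries(".", b"HUB001  DAT")
    + make_short_entry(b"HUB001  DAT", 0x22, 4096)   # 0x02 hidden | 0x20 archive
    + bytes(ENTRY_SIZE)                              # end-of-directory marker
)


def triage(blob: bytes = SAMPLE_DIR) -> list:
    """Return only the entries worth a human look: dot-named LFNs and checksum mismatches."""
    return [r for r in parse_directory(blob) if r["suspicious"] or r["lfn_ok"] is False]


if __name__ == "__main__":
    for r in parse_directory(SAMPLE_DIR):
        print(r)
    print("flagged:", [(r["short"], r["long"]) for r in triage()])
```

The parser expects to be handed a directory region (one or more clusters) so that entries sit on 32-byte boundaries; a raw partition-wide byte search like the one in the post will also hit unaligned occurrences, which is why the structured walk is the better second pass once candidate offsets are known.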