
Malware file properties

The initial behavior of common malware is to drop a copy of itself, drop a malware component embedded in it, or download a malware component. The dropped files are usually found in these folders:

  • The Windows System folder: C:\Windows\System32
  • The Windows folder: C:\Windows
  • The user profile folder: C:\Users\[username]
  • The Appdata folder: C:\Users\[username]\AppData\Roaming
  • The recycle bin folder: C:\$Recycle.Bin
  • The desktop folder: C:\Users\[username]\Desktop
  • The temporary folder: C:\Users\[username]\AppData\Local\Temp

As part of its social engineering, another cheap technique is to change the icon of a malware file to something that lures the user into opening it, for example, a folder icon, a Microsoft Office icon, or an Adobe PDF icon. Malware also uses deceptive file names containing words such as INVOICE, New Folder, Scandal, Expose, Pamela, Confidential, and so on. The following screenshot gives examples of actual malware that mimics known documents:

Notice that highlighting the fake PDF file shows that it is actually an application.
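The check described above can be automated for triage. The following Python sketch is an added example, not code from the book: it looks at the files directly inside the drop folders listed earlier and reports Windows executables (identified by their PE header, not their icon or name) that carry a lure word or a document extension in the file name. The names `LURE_WORDS`, `DOC_EXTS`, `default_roots`, `is_pe`, `triage` and `scan` are hypothetical, and the list of document extensions is an assumption.

```python
import os
from pathlib import Path

# Lure words come from the text; the document extensions are an assumed starter set.
LURE_WORDS = ("invoice", "new folder", "scandal", "expose", "pamela", "confidential")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

def default_roots():
    """Drop folders listed above, resolved from the environment (Windows hosts)."""
    env = os.environ
    win, home = env.get("SystemRoot", r"C:\Windows"), env.get("USERPROFILE", "")
    roots = [win, os.path.join(win, "System32"), r"C:\$Recycle.Bin", home,
             home and os.path.join(home, "Desktop"), env.get("APPDATA", ""), env.get("TEMP", "")]
    return [r for r in roots if r and os.path.isdir(r)]

def is_pe(path):
    """True when the file has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return f.read(4) == b"PE\0\0"
    except OSError:          # locked or unreadable file: cannot classify, skip it
        return False

def triage(path):
    """Return the reasons a file looks like a disguised executable (empty if none)."""
    p = Path(path)
    if not is_pe(p):         # real documents and other non-PE files are ignored
        return []
    reasons = []
    if any(w in p.name.lower() for w in LURE_WORDS):
        reasons.append("lure-name")
    if any(s.lower() in DOC_EXTS for s in p.suffixes):
        reasons.append("document-extension-on-executable")
    return reasons

def scan(roots):
    """Check the files directly inside each root (no recursion); map path -> reasons."""
    hits = {}
    for root in roots:
        try:
            files = [e.path for e in os.scandir(root) if e.is_file()]
        except OSError:      # folder missing or access denied
            continue
        hits.update({f: r for f in files if (r := triage(f))})
    return hits
```

On a Windows host, `scan(default_roots())` returns the flagged paths with their reasons; a hit is a lead for further analysis, since legitimate installers can also carry words such as "invoice" in their names.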
