Microsoft Windows NT 4.0 Workstation
According to the discoverer, Windows uses a specific search order for executables that are defined in the Registry. If those definition use relative path names instead of absolute path names then it is possible to cause a Trojan to run instead of the legimate execuatable. The search order used is as follows:
DEMONSTRATIONDuring the system boot sequence, any file named EXPLORER.EXE located in the boot drives root directory will load instead of the legitimate version, normally located in the %SYSTEMROOT% directory.
Discovered by Alberto Argones