Microsoft Windows NT 4.0 Workstation
According to the discoverer,
Windows uses a specific search order for executables that are defined in the Registry. If
those definition use relative path names instead of absolute path names then it is
possible to cause a Trojan to run instead of the legimate execuatable. The search order
used is as follows:
DEMONSTRATIONDuring the system boot sequence, any file named EXPLORER.EXE located in the boot drives root directory will load instead of the legitimate version, normally located in the %SYSTEMROOT% directory.
Discovered by Alberto Argones