Finger.exe & ClickFix, (Sun, Nov 16th)
2025-11-16 07:27:55 Author: isc.sans.edu

The finger.exe command is used in ClickFix attacks.

finger is a very old UNIX command that was converted to a Windows executable years ago and has been part of Windows ever since.

In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.

We wrote about finger.exe about 3 years ago: "Finger.exe LOLBin".

What you need to know:

  • finger communication takes place over TCP
  • the finger protocol uses TCP port 79 and there is no way to change this port
  • finger.exe is not proxy-aware

So if you are in a corporate environment with an explicit proxy (and all Internet-facing communication that doesn't go through the proxy is blocked), the finger.exe command won't be able to communicate.

And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79.
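The points above translate directly into a log triage rule. The following is an added example, not part of the original diary: it flags finger.exe activity and any outbound TCP/79 connection in connection records. The CSV layout, host names, image paths and the RFC 1918 definition of "internal" are assumptions, and the sample records are constructed.

```python
import csv
import ipaddress

FINGER_PORT = 79  # fixed by the protocol; the page notes it cannot be changed

# Assumption: RFC 1918 ranges stand in for "internal"; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical CSV layout:
# timestamp,host,image,protocol,dst_ip,dst_port,action
SAMPLE_LOG = r"""
2025-11-16T07:01:12Z,WS-014,C:\Windows\System32\finger.exe,tcp,203.0.113.25,79,deny
2025-11-16T07:01:40Z,WS-022,C:\Windows\System32\finger.exe,tcp,198.51.100.7,79,allow
2025-11-16T07:02:03Z,WS-022,C:\Program Files\Browser\browser.exe,tcp,198.51.100.7,443,allow
2025-11-16T07:03:51Z,SRV-003,C:\Tools\legacy.exe,tcp,10.20.30.40,79,allow
2025-11-16T07:04:10Z,WS-031,C:\Tools\netclient.exe,tcp,192.0.2.99,79,allow
"""


def triage(log_text):
    """Return (severity, host, reason) for each record involving finger."""
    findings = []
    for row in csv.reader(log_text.strip().splitlines()):
        _ts, host, image, proto, dst_ip, dst_port, action = row
        is_finger_exe = image.lower().rsplit("\\", 1)[-1] == "finger.exe"
        to_port_79 = proto.lower() == "tcp" and int(dst_port) == FINGER_PORT
        if not (is_finger_exe or to_port_79):
            continue
        addr = ipaddress.ip_address(dst_ip)
        external = not any(addr in net for net in INTERNAL_NETS)
        if external and action == "allow":
            severity = "high"    # direct path to TCP 79 exists and was used
        elif external:
            severity = "medium"  # blocked, but the command was still run
        else:
            severity = "low"     # internal finger traffic: review, likely legacy
        who = "finger.exe" if is_finger_exe else image
        reason = f"{who} -> {dst_ip}:{dst_port}/tcp ({action})"
        findings.append((severity, host, reason))
    return findings


if __name__ == "__main__":
    for severity, host, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {host}: {reason}")
```

A "medium" result corresponds to the explicit-proxy case described above: the connection failed, but the host still needs follow-up because the command was executed.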

Didier Stevens
Senior handler
blog.DidierStevens.com


Article source: https://isc.sans.edu/diary/rss/32492