lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu Apr  6 12:32:18 2006
From: danny at pset.suntec.net (Danny NG)
Subject: Help!

Dear all,

recently I noticed that my PC shows the same phenomenon during virus scanning as described below.

What I would like to ask is whether it is a "common" phenomenon, or does it mean a virus (backdoor trojan eg) attack?

I have investigated about ADS and performed scans using popular scanners such as lns and lads, but it did not report any problem about the file SHELL32.dll.124.Config.  It found however a lot of ADS, especially for JPG files, giving outputs like xxx.jpg:zone.Identifier

I 'm quite worried about the current situation.
Could somebody help? Thanks!

Danny


--------------------------------------------------------------------------------

[Full-disclosure] Shell32.dll.124.config
y0himba y0himba at technolounge.org 
Tue Sep 6 03:22:15 BST 2005 

  a.. Previous message: [Full-disclosure] Shell32.dll.124.config 
  b.. Next message: [Full-disclosure] Re: Shell32.dll.124.config 
  c.. Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] 

--------------------------------------------------------------------------------

 Thanks for the information.  I have sent an email to Mark to see if he can
verify this or assist me in any way.  This is helpful.

-----Original Message-----
From: Morning Wood [mailto:se_cur_ity at hotmail.com] 
Sent: Monday, September 05, 2005 10:15 PM
To: y0himba; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Shell32.dll.124.config

sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html

I wrote this awhile back as notes on a project...

this is a simple example...
Create an executable ADS:
-------------------------
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe ( or
somefile.exe:someothername.exe )

Execute an ADS:
---------------
c:\>start c:\pathto\somefile.ext
( starts the example above running exename.exe behind the visible
somefile.ext ) c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat (
this creates a file named start.bat that executes explorer.exe ) c:\>start (
will now execute the full path to c:\to\somefile.ext )

hope this helps.


----- Original Message -----
From: "y0himba" <y0himba at technolounge.org>
To: <full-disclosure at lists.grok.org.uk>
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config


> Hi,
> Yes I am a "noob".  I have a question though.  Google searches and a
> few other things can tell me nothing about "shell32.dll.124.config".  I am
> on WindowsXP SP2, and keep seeing this file show up in antivirus scans,
but
> cannot find it anywhere on the system!  I think it is dynamically created
by
> something, but after sitting and watching Filemon 7.02 for 20 minutes or
so,
> I give up.  Has anyone heard of this file?  Antivir, Bitdefender, AVG and
> Clam all show it on the system, have scanned it, but have found nothing.
I
> have never seen this file before...
>
> Thanks in advance for your help!
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCM/GIT/GO d- s: a C++++$ UL++++ P++++ L++++ E++++ W++++ N+++++ o++++ K++
w
> O- M- V-- PS+ PE Y++ PGP++ t+ 5-- X+++++ R* tv++ b+++++ DI++ D++++
> G++ e h---- r+++ y++++
> ------END GEEK CODE BLOCK------
> Get Your Geek Code:  http://www.geekcode.com
>
> -- 
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
 

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
 


--------------------------------------------------------------------------------


  a.. Previous message: [Full-disclosure] Shell32.dll.124.config 
  b.. Next message: [Full-disclosure] Re: Shell32.dll.124.config 
  c.. Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] 

--------------------------------------------------------------------------------
Full-Disclosure is hosted and sponsored by Secunia.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060406/8a95b891/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ