Message-ID: <156101c65966$aed097c0$1b32a8c0@LocalHost>
Date: Thu Apr 6 12:32:18 2006
From: danny at pset.suntec.net (Danny NG)
Subject: Help!
Dear all,
recently I noticed that my PC shows the same phenomenon during virus scanning as described below.
What I would like to ask is whether it is a "common" phenomenon, or does it mean a virus (e.g. a backdoor trojan) attack?
I have investigated ADS and performed scans using popular scanners such as lns and lads, but they did not report any problem with the file SHELL32.dll.124.Config. They did, however, find a lot of ADS, especially for JPG files, giving outputs like xxx.jpg:zone.Identifier
I'm quite worried about the current situation.
Could somebody help? Thanks!
Danny
--------------------------------------------------------------------------------
[Full-disclosure] Shell32.dll.124.config
y0himba y0himba at technolounge.org
Tue Sep 6 03:22:15 BST 2005
--------------------------------------------------------------------------------
Thanks for the information. I have sent an email to Mark to see if he can
verify this or assist me in any way. This is helpful.
-----Original Message-----
From: Morning Wood [mailto:se_cur_ity at hotmail.com]
Sent: Monday, September 05, 2005 10:15 PM
To: y0himba; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Shell32.dll.124.config
sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html
I wrote this awhile back as notes on a project...
this is a simple example...
Create an executable ADS:
-------------------------
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe
( or somefile.exe:someothername.exe )
Execute an ADS:
---------------
c:\>start c:\pathto\somefile.ext
( starts the example above running exename.exe behind the visible somefile.ext )
c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes explorer.exe )
c:\>start
( will now execute the full path to c:\to\somefile.ext )
hope this helps.
----- Original Message -----
From: "y0himba" <y0himba at technolounge.org>
To: <full-disclosure at lists.grok.org.uk>
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config
> Hi,
> Yes I am a "noob". I have a question though. Google searches and a
> few other things can tell me nothing about "shell32.dll.124.config". I am
> on WindowsXP SP2, and keep seeing this file show up in antivirus scans, but
> cannot find it anywhere on the system! I think it is dynamically created by
> something, but after sitting and watching Filemon 7.02 for 20 minutes or so,
> I give up. Has anyone heard of this file? Antivir, Bitdefender, AVG and
> Clam all show it on the system, have scanned it, but have found nothing. I
> have never seen this file before...
>
> Thanks in advance for your help!
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCM/GIT/GO d- s: a C++++$ UL++++ P++++ L++++ E++++ W++++ N+++++ o++++ K++ w
> O- M- V-- PS+ PE Y++ PGP++ t+ 5-- X+++++ R* tv++ b+++++ DI++ D++++
> G++ e h---- r+++ y++++
> ------END GEEK CODE BLOCK------
> Get Your Geek Code: http://www.geekcode.com
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--------------------------------------------------------------------------------
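Added example (not part of the original messages): streams named `Zone.Identifier` are the download-origin tag that Windows XP SP2 and later attach to files saved from the Internet, so ADS findings like the ones in the first message are easier to triage by looking at what each stream contains. The PowerShell below lists every named stream under a folder and flags any that begin with the `MZ` executable header; the function names, the demo folder and its files are assumptions constructed for the illustration, and it needs Windows, NTFS and PowerShell 5.0 or later.

```powershell
# Added example. Requires Windows, an NTFS volume and PowerShell 5.0 or later.
# Get-StreamHead and Find-AlternateStream are illustrative names, not a real tool.
function Get-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    # Raw-byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
    $opt = @{ LiteralPath = $Path; Stream = $Stream; TotalCount = $Count; ErrorAction = 'SilentlyContinue' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $opt.AsByteStream = $true } else { $opt.Encoding = 'Byte' }
    return ,@(Get-Content @opt)
}

function Find-AlternateStream {
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the unnamed main stream every file has; only named streams are ADS.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $head = Get-StreamHead -Path $file -Stream $_.Stream
                    $isPE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    # Content is checked before the name, because a stream can be given any name.
                    $verdict = if ($isPE) {
                        'REVIEW: stream starts with MZ (executable header)'
                    } elseif ($_.Stream -eq 'Zone.Identifier') {
                        'expected: download zone tag'
                    } else {
                        'unknown: inspect contents'
                    }
                    [pscustomobject]@{ File = $file; Stream = $_.Stream; Length = $_.Length; Verdict = $verdict }
                }
        }
}

# Constructed sample data (not from the thread): one file carrying a download tag,
# one carrying a stream that merely begins with the two bytes "MZ".
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\photo.jpg" -Value 'not a real image'
Set-Content -LiteralPath "$demo\photo.jpg" -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath "$demo\notes.txt" -Value 'visible text'
Set-Content -LiteralPath "$demo\notes.txt" -Stream 'hidden.bin' -Value 'MZ placeholder' -Encoding Ascii
Find-AlternateStream -Root $demo | Format-Table -AutoSize -Wrap
```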