Message-ID: <8602C3B66682C4408D6EC32F0CB6F79633810B@EXCH-VS.campbell.com>
Date: Thu Apr 6 13:49:57 2006
From: cary at campbell.com (Cary Barker)
Subject: Help!
Danny,
Let's put your fears to rest. Zone.Identifier ADS is related to the way
Windows tags files generated by Internet Explorer and Outlook when
saving content downloaded from different security zones (you know - the
Security tab under IE Internet Options). This tag is then referenced
when Windows accesses a file to determine how 'safe' it is. If the file
is an executable that you downloaded from the Internet, this tag will
cause Windows to toss up an "Internet Explorer - Security Warning"
dialog box stating the publisher could not be verified. It will also
force you to click on "Run" in that same dialog box before the program
will execute (as opposed to simply running the program when you run an
executable from a CD). The files you are referring to are not
executable, but they are tagged by IE regardless.
But don't take my word for all this - check out F-Secure:
http://www.f-secure.com/v-descs/zoneident.shtml
. . .and for more painful details, Microsoft:
http://msdn.microsoft.com/workshop/security/szone/reference/objects/PersistentZoneIdentifier.asp
-Cary
Cary Barker CISSP, GSEC, GSNA, GCWN, MCSE
Network Security Administrator
Campbell & Company, Inc.
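As an added illustration of the mechanism Cary describes (not code from the thread or from any of its participants): the Zone.Identifier stream is a small INI-style text blob in which IE records the URL security zone a file was saved from, and Windows later prompts only when an executable type carries an Internet or Restricted tag. The script below parses that stream text, maps the ZoneId to its zone name, and reports whether the publisher-warning dialog would apply. The ZoneId numbering (0 local machine through 4 restricted sites) and the `[ZoneTransfer]` / `ZoneId=` layout are the documented Windows format; the sample stream contents, the file names and the short list of executable extensions are constructed for this example, and `read_zone_identifier` only works on NTFS under Windows, where `open("file:Zone.Identifier")` reaches the stream.

```python
"""Parse and classify NTFS Zone.Identifier streams (added example).

Useful when an AV scanner reports 'something.jpg:Zone.Identifier' and you
want to confirm it is just the download-zone tag and not a hidden payload.
"""
import os
from typing import Optional

# URLZONE values as written by Internet Explorer when saving a download.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Illustrative subset (assumption, not the full Windows unsafe-type list) of
# extensions for which the "publisher could not be verified" prompt appears.
EXECUTABLE_EXTS = {".exe", ".msi", ".bat", ".cmd", ".scr", ".com", ".vbs", ".js"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the contents of a ':Zone.Identifier' stream.

    Returns a dict with 'zone_id' (int, or None if absent/invalid) plus any
    other key found in the [ZoneTransfer] section; keys outside that section
    are ignored, as Windows itself only honours ZoneId under [ZoneTransfer].
    """
    result = {"zone_id": None}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["zone_id"] = int(value)
            except ValueError:
                result["zone_id"] = None
        else:
            result[key] = value
    return result


def zone_name(zone_id) -> str:
    """Human-readable name for a ZoneId value."""
    return ZONE_NAMES.get(zone_id, "Unknown zone %r" % (zone_id,))


def would_prompt(filename: str, zone_id) -> bool:
    """True when Windows would raise the security-warning dialog: an
    executable type tagged as coming from the Internet zone or worse.
    A tagged JPG, as in the thread, is harmless and returns False."""
    ext = os.path.splitext(filename)[1].lower()
    return zone_id is not None and zone_id >= 3 and ext in EXECUTABLE_EXTS


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read and parse the stream of an on-disk file (NTFS on Windows only).
    Returns None when there is no such stream or on non-Windows platforms."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample: what IE writes for a file saved from the Internet zone.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def demo() -> dict:
    """Classify two constructed file names tagged with SAMPLE_STREAM."""
    info = parse_zone_identifier(SAMPLE_STREAM)
    zid = info["zone_id"]
    return {
        "photo.jpg": (zone_name(zid), would_prompt("photo.jpg", zid)),
        "setup.exe": (zone_name(zid), would_prompt("setup.exe", zid)),
    }


if __name__ == "__main__":
    for name, (zone, prompt) in demo().items():
        print(f"{name}: zone={zone} prompt={'yes' if prompt else 'no'}")
```

On a Windows host the same parser can be pointed at a real file with `read_zone_identifier(r"C:\Users\me\Downloads\file.jpg")`; a result of `{'zone_id': 3}` on a JPG is exactly the benign tag the scanners in this thread were listing.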
________________________________
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Danny NG
Sent: Thursday, April 06, 2006 6:42 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Help!
Dear all,
recently I noticed that my PC shows the same phenomenon during virus
scanning as described below.
What I would like to ask is whether it is a "common" phenomenon, or does
it mean a virus (backdoor trojan eg) attack?
I have investigated about ADS and performed scans using popular scanners
such as lns and lads, but it did not report any problem about the file
SHELL32.dll.124.Config. It found however a lot of ADS, especially for
JPG files, giving outputs like xxx.jpg:zone.Identifier
I'm quite worried about the current situation.
Could somebody help? Thanks!
Danny
________________________________
[Full-disclosure] Shell32.dll.124.config
y0himba y0himba at technolounge.org
Tue Sep 6 03:22:15 BST 2005
________________________________
Thanks for the information. I have sent an email to Mark to see if he can
verify this or assist me in any way. This is helpful.
-----Original Message-----
From: Morning Wood [mailto:se_cur_ity at hotmail.com]
Sent: Monday, September 05, 2005 10:15 PM
To: y0himba; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Shell32.dll.124.config
sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html
I wrote this awhile back as notes on a project...
this is a simple example...
Create an executable ADS:
-------------------------
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe
( or somefile.exe:someothername.exe )

Execute an ADS:
---------------
c:\>start c:\pathto\somefile.ext
( starts the example above running exename.exe behind the visible somefile.ext )

c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes explorer.exe )

c:\>start
( will now execute the full path to c:\to\somefile.ext )
hope this helps.
----- Original Message -----
From: "y0himba" <y0himba at technolounge.org
<https://lists.grok.org.uk/mailman/listinfo/full-disclosure> >
To: <full-disclosure at lists.grok.org.uk
<https://lists.grok.org.uk/mailman/listinfo/full-disclosure> >
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config
> Hi,
> Yes I am a "noob". I have a question though. Google searches and a
> few other things can tell me nothing about "shell32.dll.124.config". I am
> on WindowsXP SP2, and keep seeing this file show up in antivirus scans, but
> cannot find it anywhere on the system! I think it is dynamically created by
> something, but after sitting and watching Filemon 7.02 for 20 minutes or so,
> I give up. Has anyone heard of this file? Antivir, Bitdefender, AVG and
> Clam all show it on the system, have scanned it, but have found nothing. I
> have never seen this file before...
>
> Thanks in advance for your help!
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCM/GIT/GO d- s: a C++++$ UL++++ P++++ L++++ E++++ W++++ N+++++ o++++ K++ w
> O- M- V-- PS+ PE Y++ PGP++ t+ 5-- X+++++ R* tv++ b+++++ DI++ D++++
> G++ e h---- r+++ y++++
> ------END GEEK CODE BLOCK------
> Get Your Geek Code: http://www.geekcode.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>