[Full-disclosure] Help!
- From: "Danny NG" <danny@xxxxxxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 18:41:37 +0800
Dear all,
recently I noticed that my PC shows the same phenomenon during virus scanning as described below.
What I would like to ask is whether it is a "common" phenomenon, or does it mean a virus (e.g. a backdoor trojan) attack?
I have investigated ADS and performed scans using popular scanners such as lns and lads, but they did not report any problem with the file SHELL32.dll.124.Config. They did, however, find a lot of ADS, especially for JPG files, giving outputs like xxx.jpg:zone.Identifier
I'm quite worried about the current situation.
Could somebody help? Thanks!
Danny
--------------------------------------------------------------------------------
[Full-disclosure] Shell32.dll.124.config
y0himba y0himba at technolounge.org
Tue Sep 6 03:22:15 BST 2005
--------------------------------------------------------------------------------
Thanks for the information. I have sent an email to Mark to see if he can
verify this or assist me in any way. This is helpful.
-----Original Message-----
From: Morning Wood [mailto:se_cur_ity at hotmail.com]
Sent: Monday, September 05, 2005 10:15 PM
To: y0himba; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Shell32.dll.124.config
sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html
I wrote this awhile back as notes on a project...
this is a simple example...
Create an executable ADS:
-------------------------
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe
( or somefile.exe:someothername.exe )
Execute an ADS:
---------------
c:\>start c:\pathto\somefile.ext
( starts the example above running exename.exe behind the visible somefile.ext )
c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes explorer.exe )
c:\>start
( will now execute the full path to c:\to\somefile.ext )
hope this helps.
----- Original Message -----
From: "y0himba" <y0himba at technolounge.org>
To: <full-disclosure at lists.grok.org.uk>
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config
Hi,
Yes I am a "noob". I have a question though. Google searches and a
few other things can tell me nothing about "shell32.dll.124.config". I am
on WindowsXP SP2, and keep seeing this file show up in antivirus scans, but
cannot find it anywhere on the system! I think it is dynamically created by
something, but after sitting and watching Filemon 7.02 for 20 minutes or so,
I give up. Has anyone heard of this file? Antivir, Bitdefender, AVG and
Clam all show it on the system, have scanned it, but have found nothing. I
have never seen this file before...
Thanks in advance for your help!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/GIT/GO d- s: a C++++$ UL++++ P++++ L++++ E++++ W++++ N+++++ o++++ K++
O- M- V-- PS+ PE Y++ PGP++ t+ 5-- X+++++ R* tv++ b+++++ DI++ D++++
G++ e h---- r+++ y++++
------END GEEK CODE BLOCK------
Get Your Geek Code: http://www.geekcode.com
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
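
Added example, not part of the original thread: a small triage script for the stream listings discussed above, separating the `Zone.Identifier` streams the scanners reported on JPG files from streams that look like hidden executables. It assumes English-locale `dir /r /s` output (available on Windows Vista and later, not on the XP system in this thread); the function name, the extension list and the sample listing are constructed for illustration.

```python
import re

# Stream that Windows writes on downloaded files (mark-of-the-web); this is
# the xxx.jpg:Zone.Identifier output mentioned in the thread.
EXPECTED_STREAMS = {"zone.identifier"}
# Assumption: stream names with these extensions deserve a closer look.
EXECUTABLE_EXTS = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".scr")

# `dir /r` prints a named stream as an indented "size file:stream:$DATA" line.
STREAM_LINE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed sample listing (not taken from any real system).
SAMPLE = r"""
 Directory of C:\demo

04/06/2006  06:41 PM            48,211 holiday.jpg
                                    26 holiday.jpg:Zone.Identifier:$DATA
04/06/2006  06:41 PM                12 somefile.ext
                                24,576 somefile.ext:exename.exe:$DATA
04/06/2006  06:41 PM             1,024 notes.txt
                                    40 notes.txt:summary:$DATA
               3 File(s)         49,247 bytes
"""

def triage_streams(dir_r_output):
    """Return one finding per named stream found in `dir /r /s` output."""
    findings, current_dir = [], ""
    for line in dir_r_output.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue  # ordinary file line, header or summary line
        size = int(re.sub(r"[,.]", "", m.group(1)))
        host, stream = m.group(2), m.group(3)
        if stream.lower() in EXPECTED_STREAMS:
            verdict = "expected"
        elif stream.lower().endswith(EXECUTABLE_EXTS):
            verdict = "suspicious"   # executable-looking content behind a file
        else:
            verdict = "review"       # unknown stream: inspect by hand
        findings.append({"dir": current_dir, "file": host, "stream": stream,
                         "size": size, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage_streams(SAMPLE):
        print(f"{f['verdict']:<10} {f['size']:>8}  {f['dir']}\\{f['file']}:{f['stream']}")
```
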