Re: File on desktop called "~"

From: Patrick Nolan (p.nolan_at_attbi.com)
Date: 06/13/03

Next message: Drew Weaver: "RE: Windows 2k rootkit incident"

Previous message: Thomas Jensen: "Re: Strange CONNECT entries in apache logs"
In reply to: Sander van Vliet: "Re: File on desktop called "~""
Next in thread: Kurt Seifried: "Re: File on desktop called "~""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <incidents@securityfocus.com>
Date: Thu, 12 Jun 2003 15:45:01 -0700

From what I can tell, it is a parsing of contacts found in Outlook Express.
I have this file too, located in the root of drive C. The last modified date
for mine is June 04 07:13PM. There are two other files which have near the
same modification date and time -

pagefile.sys 06-04-03 07:32PM
hiberfil.sys 06-04-03 07:32PM

The file "~" also contains some CLSID references to "dsuiext.dll" (Directory
Service Common UI) and also the "default user ID" for Outlook Express. I
don't think this "~" file is related to anything viral.

Regards,

Patrick Nolan
Virus Researcher - Fortinet
pnolan@fortinet.com
503-844-5998 (hm)
503-341-6335 (cell)

----- Original Message -----
From: "Sander van Vliet" <maxor@tref.nl>
To: <rice@up.edu>
Cc: <incidents@securityfocus.com>
Sent: Thursday, June 12, 2003 1:45 PM
Subject: Re: File on desktop called "~"

| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| I have had the same issue on my XP workstation and Panda antivirus also
| does not recognise it. I did some hexdumping and I thought that it might
have
| been a core dump but given the microsoft design not very likely.
| I think this is some new worm but I didn't notice any weird e-mails
| passing through my network.
|
| - --
| - -----BEGIN PGP PUBLIC KEY BLOCK-----
| Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
|
| mQGiBD7lrmYRBAC5LTtYhAr8TfYlhvM4q+/kwr14O8rGWrRft/BVvXx0Uo//+Bgg
| XgJt1H0o7i8eQ2K2GR/q0i9agSL7wrEy6igzCT47hetWrLk51L7Ifd7AixaDNKtS
| Hpur6MzfNiuGVMfkYnz6XqA+P08zkPesPspbHNZ+vLwkszwZHcz95f1RywCgoIEQ
| jiNQ6YSYSAeC1sgj+nur5b8EAJq7Neret/I8jNOhTuP+zVcAYYr07JOeFyKV7HG6
| keD7OqTIo3vs+N3l6mEjEuapNVq7MmB+XDxM3SDmgVrvGmruxkg43NWCBEudSFTN
| TcAgd6zUh0y60hIwvSIuCn2KFgmIfRnFDxLosn3exHuXc1HEjxwtykZEAPi7Ah4C
| Jq/KA/9U72jNR2AWaNqjKiPsi17ofVxO6+s4vZsKwDVXfhwljD1RZfKfhN71JfUc
| GF/G3bdt5ngKSla4RarU8HpuFddP2t6EXik0mXpyU9Qdyg4MlZyxv6nNxYj5j/7g
| pj6W1aSZ9+wE97MZfnwWLwm+eZ6gO032/A/hcRJPcAqdlG9hZbQoU2FuZGVyIHZh
| biBWbGlldCAoTWF4b3IpIDxtYXhvckB0cmVmLm5sPohfBBMRAgAfBQI+5a5mBQkB
| 4TOABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC+fwuq4T95dcJXAJ9S+8/nFrToMsba
| lhxOIaDTwgKQbQCcD1T5r6GfXMnztJWc5gGp3jvYeH25Ag0EPuWuaRAIALJ5EyME
| Pf1QGkOECVjRaN91su/gPFv2YF3nSwBjgp8O00mIR9gT3UIdRu3N1RYTdov7JMdW
| v8YPTrxQaaYPZ3jkjFKpX9wRVM6JnzvhWs4fNbUWSELkcBAQRw5tcgVjEuyQDOn8
| d/COiAohEuYxAqINh5mHpLqsvkYUmtHL9gAXese0+lvhT63Bjl1n9tDMRV9RMRy7
| v4VwKgDRNLmnHzXmNGdO/JibEovTMhkwZINE8w5llxL+oHNEuyuxqdCJlp3GoCLj
| avety0fsl8ysD5mQ/6go/RVo5vr7jP37KK8A9X2jKcs0yO6uzhnTDM9la0dyGTyy
| BbhYsF6dJGKz3NcAAwUH+wSN3XTtmMolet+EEUdr/3vbnYcEfeqEdRQcnkQCFCDQ
| kspdsl/3La8kouICxg0GXYFfgyxaJxZuHk29tTYZs1EWAySXA9FHyTcK7oH49vQh
| sglWv8EtM5kL6R2IEA9ptKX/e0qCk9ajNPfDMSjQNO+a2AbbfSEnBZAuQVZZKZef
| RTWcM/u5P5o31aDbaK0iVpuIBo8EDC0hBPRAwy7VMDIdmIxqBhJD0ReIvEaZPIQv
| TsibIJOrUJZdYuxKR18/HL/xI8IrlldMipFri+2BZ1RdM43uQnr254OhjKshL4TC
| 1tk8dPlt8TAZaqiI4xNCvLQdjWX4C34Gl6Hhe5qLnz2ITAQYEQIADAUCPuWuaQUJ
| AeEzgAAKCRC+fwuq4T95dZ/SAJ9fgKGp2UsNqLwuw2OPbmHZiMdp5QCfc9oCCoSc
| nEsCHkpemgoMogzIGzo=
| =YG97
| - -----END PGP PUBLIC KEY BLOCK-----
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
|
| iD8DBQE+6OZUvn8LquE/eXURArZfAJ9DHWH13X7APql2ZxkklekTeQsuAwCeISXi
| +BO1ktWmYAtW6uGvwKoTpt4=
| =2AiG
| -----END PGP SIGNATURE-----
|
|
| --------------------------------------------------------------------------

--
| --------------------------------------------------------------------------
--
|
----------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Drew Weaver: "RE: Windows 2k rootkit incident"

Previous message: Thomas Jensen: "Re: Strange CONNECT entries in apache logs"
In reply to: Sander van Vliet: "Re: File on desktop called "~""
Next in thread: Kurt Seifried: "Re: File on desktop called "~""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [SLE] =?ISO-8859-1?Q?Can=B4t?= log in as root HELP?
... Also working as root is not ... Carlos E. R. ... Version: GnuPG v1.4.2 (GNU/Linux) ...
(SuSE)
Re: [SLE] ntp failure
... > This is done as root: ... firewall; open it: ... Version: GnuPG v1.4.0 (GNU/Linux) ...
(SuSE)
Re: [opensuse] Mounting cdrecorder
... I did it for su as well as for root!! ... Carlos E. R. ... Version: GnuPG v1.4.2 (GNU/Linux) ...
(SuSE)
Re: [opensuse] How do I change my dvd writer permissions?
... # owner: root ... Carlos E. R. ... Version: GnuPG v2.0.4-svn0 (GNU/Linux) ...
(SuSE)
Outlook 2007 Master Category List
... I also have the same Master Category List problem. ... I don't understand the suggestion to right click on the root of Outlook 2007 Please could you talk me through it? ...
(microsoft.public.outlook.contacts)