Re: File on desktop called "~"

From: Patrick Nolan (p.nolan_at_attbi.com)
Date: 06/13/03

  • Next message: Drew Weaver: "RE: Windows 2k rootkit incident"
    To: <incidents@securityfocus.com>
    Date: Thu, 12 Jun 2003 15:45:01 -0700
    
    

    From what I can tell, it is a parsing of contacts found in Outlook Express.
    I have this file too, located in the root of drive C. The last modified date
    for mine is June 04 07:13PM. There are two other files which have near the
    same modification date and time -

    pagefile.sys 06-04-03 07:32PM
    hiberfil.sys 06-04-03 07:32PM

    The file "~" also contains some CLSID references to "dsuiext.dll" (Directory
    Service Common UI) and also the "default user ID" for Outlook Express. I
    don't think this "~" file is related to anything viral.

    Regards,

    Patrick Nolan
    Virus Researcher - Fortinet
    pnolan@fortinet.com
    503-844-5998 (hm)
    503-341-6335 (cell)

    ----- Original Message -----
    From: "Sander van Vliet" <maxor@tref.nl>
    To: <rice@up.edu>
    Cc: <incidents@securityfocus.com>
    Sent: Thursday, June 12, 2003 1:45 PM
    Subject: Re: File on desktop called "~"

    | -----BEGIN PGP SIGNED MESSAGE-----
    | Hash: SHA1
    |
    | I have had the same issue on my XP workstation and Panda antivirus also
    | does not recognise it. I did some hexdumping and I thought that it might have
    | been a core dump but given the Microsoft design not very likely.
    | I think this is some new worm but I didn't notice any weird e-mails
    | passing through my network.
    |
    | - --
    | - -----BEGIN PGP PUBLIC KEY BLOCK-----
    | Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
    |
    | mQGiBD7lrmYRBAC5LTtYhAr8TfYlhvM4q+/kwr14O8rGWrRft/BVvXx0Uo//+Bgg
    | XgJt1H0o7i8eQ2K2GR/q0i9agSL7wrEy6igzCT47hetWrLk51L7Ifd7AixaDNKtS
    | Hpur6MzfNiuGVMfkYnz6XqA+P08zkPesPspbHNZ+vLwkszwZHcz95f1RywCgoIEQ
    | jiNQ6YSYSAeC1sgj+nur5b8EAJq7Neret/I8jNOhTuP+zVcAYYr07JOeFyKV7HG6
    | keD7OqTIo3vs+N3l6mEjEuapNVq7MmB+XDxM3SDmgVrvGmruxkg43NWCBEudSFTN
    | TcAgd6zUh0y60hIwvSIuCn2KFgmIfRnFDxLosn3exHuXc1HEjxwtykZEAPi7Ah4C
    | Jq/KA/9U72jNR2AWaNqjKiPsi17ofVxO6+s4vZsKwDVXfhwljD1RZfKfhN71JfUc
    | GF/G3bdt5ngKSla4RarU8HpuFddP2t6EXik0mXpyU9Qdyg4MlZyxv6nNxYj5j/7g
    | pj6W1aSZ9+wE97MZfnwWLwm+eZ6gO032/A/hcRJPcAqdlG9hZbQoU2FuZGVyIHZh
    | biBWbGlldCAoTWF4b3IpIDxtYXhvckB0cmVmLm5sPohfBBMRAgAfBQI+5a5mBQkB
    | 4TOABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC+fwuq4T95dcJXAJ9S+8/nFrToMsba
    | lhxOIaDTwgKQbQCcD1T5r6GfXMnztJWc5gGp3jvYeH25Ag0EPuWuaRAIALJ5EyME
    | Pf1QGkOECVjRaN91su/gPFv2YF3nSwBjgp8O00mIR9gT3UIdRu3N1RYTdov7JMdW
    | v8YPTrxQaaYPZ3jkjFKpX9wRVM6JnzvhWs4fNbUWSELkcBAQRw5tcgVjEuyQDOn8
    | d/COiAohEuYxAqINh5mHpLqsvkYUmtHL9gAXese0+lvhT63Bjl1n9tDMRV9RMRy7
    | v4VwKgDRNLmnHzXmNGdO/JibEovTMhkwZINE8w5llxL+oHNEuyuxqdCJlp3GoCLj
    | avety0fsl8ysD5mQ/6go/RVo5vr7jP37KK8A9X2jKcs0yO6uzhnTDM9la0dyGTyy
    | BbhYsF6dJGKz3NcAAwUH+wSN3XTtmMolet+EEUdr/3vbnYcEfeqEdRQcnkQCFCDQ
    | kspdsl/3La8kouICxg0GXYFfgyxaJxZuHk29tTYZs1EWAySXA9FHyTcK7oH49vQh
    | sglWv8EtM5kL6R2IEA9ptKX/e0qCk9ajNPfDMSjQNO+a2AbbfSEnBZAuQVZZKZef
    | RTWcM/u5P5o31aDbaK0iVpuIBo8EDC0hBPRAwy7VMDIdmIxqBhJD0ReIvEaZPIQv
    | TsibIJOrUJZdYuxKR18/HL/xI8IrlldMipFri+2BZ1RdM43uQnr254OhjKshL4TC
    | 1tk8dPlt8TAZaqiI4xNCvLQdjWX4C34Gl6Hhe5qLnz2ITAQYEQIADAUCPuWuaQUJ
    | AeEzgAAKCRC+fwuq4T95dZ/SAJ9fgKGp2UsNqLwuw2OPbmHZiMdp5QCfc9oCCoSc
    | nEsCHkpemgoMogzIGzo=
    | =YG97
    | - -----END PGP PUBLIC KEY BLOCK-----
    | -----BEGIN PGP SIGNATURE-----
    | Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
    |
    | iD8DBQE+6OZUvn8LquE/eXURArZfAJ9DHWH13X7APql2ZxkklekTeQsuAwCeISXi
    | +BO1ktWmYAtW6uGvwKoTpt4=
    | =2AiG
    | -----END PGP SIGNATURE-----

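The thread above reaches its conclusion by hexdumping the mystery file and looking at what it contains (CLSID references, a DLL name, an Outlook Express user ID) and by comparing its last-modified time with neighbouring files. The following is an added example of that triage, not code from either poster: a minimal strings extractor that also handles UTF-16LE (the encoding most Windows COM/registry data is stored in, which a plain ASCII `strings` pass misses), a CLSID/GUID and DLL-name picker, and a modification-time comparison. The sample bytes are constructed for the example and the GUID inside them is a placeholder, not a real CLSID; `boot.ini` and its timestamp are likewise made up for contrast. The other timestamps are the ones quoted in the message.

```python
import re
from datetime import datetime
from typing import Dict, List

# Added example, not from the original thread.  Windows strings are often
# UTF-16LE (one printable byte followed by a NUL), so we extract both encodings.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII characters encoded as UTF-16LE."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Collect printable strings, any CLSID-style GUIDs and any DLL names in them."""
    strings = ascii_strings(data) + utf16le_strings(data)
    clsids = sorted({g.upper() for s in strings for g in GUID_RE.findall(s)})
    dlls = sorted({d.lower() for s in strings for d in DLL_RE.findall(s)})
    return {"strings": strings, "clsids": clsids, "dlls": dlls}


def files_modified_near(mtimes: Dict[str, datetime], reference: str,
                        window_minutes: int = 30) -> List[str]:
    """Names of files whose mtime lies within window_minutes of the reference file's."""
    ref = mtimes[reference]
    return sorted(
        name for name, t in mtimes.items()
        if name != reference and abs((t - ref).total_seconds()) <= window_minutes * 60
    )


# Constructed sample blob: binary padding, an ASCII fragment, a UTF-16LE
# registry-style path with a PLACEHOLDER GUID, and a UTF-16LE DLL name.
SAMPLE = (
    b"\x00\x01\x02\x03Default User ID\x00\x00"
    + "CLSID\\{12345678-1234-1234-1234-123456789ABC}".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + "dsuiext.dll".encode("utf-16-le")
    + b"\xff\xfe\x7f"
)

# Timestamps quoted in the message (2003-06-04); boot.ini is a made-up contrast entry.
MTIMES = {
    "~": datetime(2003, 6, 4, 19, 13),
    "pagefile.sys": datetime(2003, 6, 4, 19, 32),
    "hiberfil.sys": datetime(2003, 6, 4, 19, 32),
    "boot.ini": datetime(2003, 1, 15, 9, 0),
}

if __name__ == "__main__":
    # On a real box: data = open(r"C:\~", "rb").read(); mtimes from os.stat().st_mtime
    result = triage(SAMPLE)
    for key in ("strings", "clsids", "dlls"):
        print(key, result[key])
    print("modified near '~':", files_modified_near(MTIMES, "~"))
```

Finding a directory-service UI DLL and a mail client's user ID in the blob points the same way the poster's reasoning does, but strings alone only tell you what the file references, not who wrote it; if you want certainty, catch the writer in the act (a filesystem monitor on the root of C:) rather than reasoning from content.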