Re: Alternate Data Streams

From: Daniel L. Belton (abuse_at_spam.gov)
Date: 11/20/03


Date: Thu, 20 Nov 2003 07:49:23 GMT

Sarge wrote:
> "Daniel L. Belton" <abuse@spam.gov> wrote in
> news:9DLub.30859$oC5.733@clmboh1-nws5.columbus.rr.com:
>
>
>>Know of any Windows apps that put an ADS in your Windows\System32
>>folder with .exe filenames?
>
>
> Can't say that I do. You might want to ask over at alt.comp.virus and/or
> alt.comp.anti-virus, there are some pretty knowledgeable folks posting
> in those groups. You mentioned that you're running Kaspersky resident.
> Didn't that catch the trojan as it was being written to disk?
>
>
Nope... It didn't catch it, however about a week later one of their
updates had it in there.

>
>
>>>Not that I know of. Other freeware tools you can use in addition to
>>>Streams are Crucial ADS
>>>(http://www.crucialsecurity.com/downloads.html) and LADS
>>>(http://www.heysoft.de/Frames/f_sw_la_en.htm).
>>
>>I have those two, and they are good at finding and displaying the
>>ADS... Just not good at removing them. I want a way to disable it since
>>it's not needed and leaves a big security hole open.
>
>
> The easiest way I've found to delete ADS is with the shell extensions
> available at:
>
> http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip
>
> There's one that'll add a "Streams" property sheet from where you can
> extract or delete an ADS, and another that'll add a "Streams Size"
> column to Windows Explorer. Read the white paper first:
>
> http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf
>
>
Thanks! I haven't seen those yet. I'll go give them a look and see
what it looks like.
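
On current Windows versions, the listing and removal discussed in this thread can be done with PowerShell's built-in NTFS stream support (`Get-Item -Stream`, `Remove-Item -Stream`). The following is an added example, not part of the original posts: the function names `Find-AlternateStream` and `Remove-AlternateStream` are hypothetical, and the stream name in the last comment is a constructed placeholder.

```powershell
# Added example (not from the thread): audit named NTFS streams on files.
# Every file has a default, unnamed stream that PowerShell reports as ':$DATA';
# anything else is an alternate data stream. 'Zone.Identifier' is a common
# benign one that Windows attaches to downloaded files.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter = '*.exe'
    )
    # Only files are checked here; directories can carry streams too.
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# Deletes one named stream and leaves the file's main content untouched.
# SupportsShouldProcess gives -WhatIf / -Confirm so removals can be previewed.
function Remove-AlternateStream {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $FileName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Stream
    )
    process {
        if ($PSCmdlet.ShouldProcess("${FileName}:$Stream", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $FileName -Stream $Stream
        }
    }
}

# Review the findings first, then remove only what has been identified as unwanted.
$found = Find-AlternateStream -Path "$env:SystemRoot\System32"
$found | Format-Table -AutoSize

# Preview a removal ('constructed_stream_name' is a placeholder, not a real indicator):
# $found | Where-Object Stream -eq 'constructed_stream_name' | Remove-AlternateStream -WhatIf
```

Run it from an elevated prompt when scanning System32, since files that cannot be opened are skipped silently.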


