ADS Hidden Stream Detected

Question - would an .mpg or .ram file normally have a hidden stream? I've run a scan with TDS-3 and every .mpg and .ram file within a specific folder all have these hidden streams. However, I have read that smaller streams are usually benign, and these streams all range from 120 to about 180 bytes. I just want to make sure I have nothing fishy going on here....

 

Hi there, it is possible as kind of signature in images and sound files for instance with those streams, and yes, you can generally ignore them smaller the 256 bytes. Can imagine you want to be sure and of course you could submit a few of the larger ones to submit@diamondcs.com.au
Is there a special reason why all in one folder, do they belong to a certain program or are all your files of that type in that folder together?
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
Here is a nice page about it.

 

Thanks Jooske. They are all in one folder because I have almost all .mpg and .ram files in the same folder. There are a few in other locations, and on a rescan I noticed that one of the files listed resided in a different folder. However, that file too showed a smaller stream size. I ran TDS-3 due to a trojan I had become infected with - here is the thread from that: https://www.wilderssecurity.com/showthread.php?t=40679. Luckily with IMM's help I was able to get rid of the malicious process. I did notice the same message from TDS-3 as 996TT did in his thread - that the TrojanDownloader.Win32.Adi was found. On a rescan after removing the bad files, TDS-3 did not give that message, however, the .mpg and .ram files still show a data stream. I'm still not sure that the stream is malicious, however.

 

I also did notice that in the information shown under stream properties, that all of them had a stream name of summaryinformation:$dataon, or just documentsummaryinformation. I assume that perhaps this is pretty benign?

 

By the sounds of it it seems ok. To play around a bit with streams and understanding them better you might like to try the little test on the DiamondCS page i just gave you.

 

I'll do that - thanks again!

 

You're welcome, have fun with them!