ADS Hidden Stream Detected

Discussion in 'Trojan Defence Suite' started by mav100, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    Question - would an .mpg or .ram file normally have a hidden stream? I've run a scan with TDS-3 and all of the .mpg and .ram files within a specific folder have these hidden streams. However, I have read that smaller streams are usually benign, and these streams all range from 120 to about 180 bytes. I just want to make sure I have nothing fishy going on here...
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, it is possible as a kind of signature in images and sound files, for instance, with those streams, and yes, you can generally ignore them when smaller than 256 bytes. I can imagine you want to be sure, and of course you could submit a few of the larger ones to submit@diamondcs.com.au
    Is there a special reason why they are all in one folder? Do they belong to a certain program, or are all your files of that type in that folder together?
    http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
    Here is a nice page about it.
     
  3. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    Thanks Jooske. They are all in one folder because I have almost all .mpg and .ram files in the same folder. There are a few in other locations, and on a rescan I noticed that one of the files listed resided in a different folder. However, that file too showed a smaller stream size. I ran TDS-3 due to a trojan I had become infected with - here is the thread from that: https://www.wilderssecurity.com/showthread.php?t=40679. Luckily with IMM's help I was able to get rid of the malicious process. I did notice the same message from TDS-3 as 996TT did in his thread - that the TrojanDownloader.Win32.Adi was found. On a rescan after removing the bad files, TDS-3 did not give that message, however, the .mpg and .ram files still show a data stream. I'm still not sure that the stream is malicious, however.
     
  4. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I also noticed that in the information shown under stream properties, all of them had a stream name of summaryinformation:$dataon, or just documentsummaryinformation. I assume that perhaps this is pretty benign?
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    By the sounds of it, it seems OK. To play around a bit with streams and understand them better, you might like to try the little test on the DiamondCS page I just gave you.
     
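A small triage helper in the spirit of the rule of thumb in this thread (an added example, not TDS-3 code and not anything posted by the participants): it parses a constructed `dir /R` listing and marks each named NTFS stream as known shell metadata, small but unnamed, or worth a closer look. The file names, sizes and the `extra` stream are made-up sample data; the 256-byte threshold and the SummaryInformation / DocumentSummaryInformation names come from the posts above, and the leading `\x05` byte is how the Windows shell actually names those property-set streams on disk.

```python
import re

# Rule of thumb from the thread: named streams under 256 bytes are usually benign.
SMALL_STREAM_LIMIT = 256
# Property-set streams the Windows shell attaches to files on NTFS; on disk the
# name starts with a \x05 byte, which is why TDS-3 rendered it oddly.
KNOWN_METADATA_STREAMS = {"summaryinformation", "documentsummaryinformation",
                          "zone.identifier"}   # download-origin mark, also benign

# Constructed sample of "dir /R" output (hypothetical files, sizes and stream names).
SAMPLE_LISTING = """\
 Directory of C:\\Videos

07/10/2004  10:01 AM         1,234,567 clip.mpg
                                   152 clip.mpg:\x05SummaryInformation:$DATA
                                   176 clip.mpg:\x05DocumentSummaryInformation:$DATA
07/10/2004  10:02 AM            98,304 radio.ram
                                    26 radio.ram:Zone.Identifier:$DATA
                                48,000 radio.ram:extra:$DATA
"""

# A stream line is: leading spaces, size with thousands separators, file:stream:$DATA
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+([^:]+):([^:]+):\$DATA\s*$")


def parse_dir_r(listing):
    """Return (file, stream name, size in bytes) for each named stream listed."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:                       # ordinary file lines start with a date and never match
            found.append((m.group(2), m.group(3), int(m.group(1).replace(",", ""))))
    return found


def triage(stream, size):
    """Classify one named stream using the thread's size and name heuristics."""
    name = stream.lstrip("\x05").lower()
    if name in KNOWN_METADATA_STREAMS and size < SMALL_STREAM_LIMIT:
        return "benign-metadata"
    if size < SMALL_STREAM_LIMIT:
        return "small-unknown"      # probably harmless, but the name is not a known one
    return "review"                 # large or unexpected payload: inspect before trusting


def triage_listing(listing):
    return [(f, s, n, triage(s, n)) for f, s, n in parse_dir_r(listing)]


if __name__ == "__main__":
    for file, stream, size, verdict in triage_listing(SAMPLE_LISTING):
        print(f"{verdict:16} {size:>7} {file}:{stream.lstrip(chr(5))}")
```

On a real machine, feed it the output of `dir /R` (Vista and later) or a `streams.exe` listing converted to the same shape; anything reported as `review` is what you would submit for analysis, as Jooske suggests.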
  6. mav100

    mav100 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17
    I'll do that - thanks again!
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome, have fun with them! :)
     