Hidden NTFS data stream detected!

Discussion in 'Trojan Defence Suite' started by carlnalex, Aug 28, 2003.

Thread Status:
Not open for further replies.
  1. carlnalex

    carlnalex Guest

    After running TDS I was alerted to a hidden data stream, as shown below. The file that it related to was something called MZ.exe. I am at a loss as to what this file refers to and a system search for such turned up no matches. I am also unfamiliar with the recycler folder and its usage, this being the location of the hidden stream. Any further help would be greatly appreciated. Is this safe enough to delete?

     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Carlnalex, unfortunately your attachment is not showing for me.
    Any data stream less than 256 bits will be harmless. I have TDS3 set not to show data streams with less than 90 bits - TDS Scan Control - ADS stream options - Ignore streams less than.
    Many small streams are tied to graphics files.

    HYH Pilli
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Bits or bytes? :)
    You could still have, for instance, a malicious .bat or .com file hiding as a stream, but yes, most small streams are harmless. Usually a quick look at the header of the stream is the way to go - if it's "MZ", then you know it's an exe. If it's "GIF89", then you know it's a gif image, etc etc :)
     
  4. carlnalex

    carlnalex Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    1
    Location:
    uk
    Thank you for the update. So the MZ is just TDS's way of identifying an EXE-associated file, no wonder it was not traced with a system search ...lol

    I had previously checked the script using notepad, but all that was shown was a single line of square characters, nothing legible to me.

    The previous attachment was supposed to show the TDS warning explanation, I will try again just for reference.

    I have altered TDS settings to ignore small streams as advised. Is there any way to find the actual associated file?

    Thanks again
    :D
     

  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Carlnalex, 88 bytes hence my 90 byte limit - Very common occurrence and nowt to worry about.
    Wayne was pointing out that I stated "bits" & not bytes - Making it Kbytes could be dangerous :D
    I have a feeling that many are to do with thumbs.db - Also some AV's use data streams as a sort of checksum.

    Quite often the associated file is shown when right clicking the data stream within the TDS3 readout.

    Sorry I cannot give you an authoritative answer but I am sure DCS will.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It's probably harmless - you can't do too much damage with 88 bytes, but to inspect it closer just right-click on it and you can then view the file.
     
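The header check Wayne describes (look at the first bytes of the stream: "MZ" means an exe, "GIF89" a gif) combined with Pilli's size cut-off, as an added example; this is not code from the thread, from TDS or from DiamondCS. The function names and the sample byte strings are constructed for illustration; the `file:stream` open syntax is the normal Windows file API, so reading a stream needs no special tool there.

```python
import sys
from typing import Dict

# Header signatures named in the thread ("MZ" for an exe, "GIF89" for a gif)
# plus a few other image formats often found as small NTFS streams.
SIGNATURES = [
    (b"MZ", "executable (MZ header)"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
]

def classify_header(data: bytes) -> str:
    """Name a stream's content from its leading bytes."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    # No binary signature: printable ASCII could be a batch/command script,
    # the other case Wayne mentions; anything else is simply unknown.
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "plain text (possible script)"
    return "unknown binary"

def assess_stream(data: bytes, ignore_below: int = 90) -> Dict[str, object]:
    """Pilli's size cut-off, except that an executable or script header
    is always worth a manual look whatever its size."""
    kind = classify_header(data)
    suspicious = kind.startswith("executable") or kind.startswith("plain text")
    verdict = "review" if suspicious or len(data) >= ignore_below else "ignore"
    return {"size": len(data), "kind": kind, "verdict": verdict}

def read_stream_header(path: str, stream: str, count: int = 512) -> bytes:
    """Read the first bytes of the alternate data stream 'path:stream'.
    Only Windows exposes NTFS streams through the ordinary file API."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows")
    with open(f"{path}:{stream}", "rb") as f:
        return f.read(count)

if __name__ == "__main__":
    # Constructed samples standing in for streams TDS might list;
    # the first one is 88 bytes, the size discussed in the thread.
    for sample in (b"MZ\x90\x00\x03\x00" + b"\x00" * 82,
                   b"GIF89a\x01\x00\x01\x00",
                   b"@echo off\r\necho hello\r\n"):
        print(assess_stream(sample))
```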
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The filename is *.TXT and it is an EXE?
    Or was that the saved text from the alert(s)?
     