Hidden NTFS data stream detected!

Discussion in 'Trojan Defence Suite' started by carlnalex, Aug 28, 2003.

Thread Status:
Not open for further replies.
  1. carlnalex

    carlnalex Guest

    After running TDS I was alerted to a hidden data stream, as shown below. The file that it related to was something called MZ.exe. I am at a loss as to what this file refers to and a system search for such turned up no matches. I am also unfamiliar with the recycler folder and its usage, this being the location of the hidden stream. Any further help would be greatly appreciated. Is this safe enough to delete?

     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Carlnalex, Unfortunately your attachment is not showing for me.
    Any Data stream less than 256 bits will be harmless. I Have TDS3 set not to show data streams with less than 90 bits - TDS Scan Control - Ads stream options - Ignore streams less than.
    Many small streams are tied to graphics files.

    HYH Pilli
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Bits or bytes? :)
    You could still have, for instance, a malicious .bat or .com file hiding as a stream, but yes most small streams are harmless. Usually a quick look at the header of the stream is the way to go - if it's "MZ", then you know it's an exe. If it's "GIF89", then you know it's a gif image, etc etc :)
     
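    The header check Wayne describes, as an added example that is not from this thread or from TDS: a small Python script that lists a file's NTFS streams (Windows only, via kernel32 FindFirstStreamW) and triages each stream's bytes by its leading signature and size. The signature table and the 90-byte threshold are assumptions taken from the discussion above, not TDS settings.

```python
import ctypes
import sys

# Constructed signature table for this example ("MZ" = executable, "GIF89a" = GIF).
SIGNATURES = [
    (b"MZ", "executable (MZ/PE)"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
]

def classify_stream(data: bytes, ignore_below: int = 90) -> dict:
    """Triage one stream: size, type guess from its header, and whether it is under the 'ignore streams less than' limit."""
    kind = next((label for magic, label in SIGNATURES if data.startswith(magic)), None)
    if kind is None:  # no known header: a .bat/.cmd hidden in a stream is plain text, so flag it
        is_text = bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)
        kind = "plain text (possible script)" if is_text else "unknown binary"
    return {
        "size": len(data),
        "kind": kind,
        "below_threshold": len(data) < ignore_below,
        "review": kind.startswith("executable") or "script" in kind,  # worth a look whatever the size
    }

def list_streams(path: str) -> list:
    """Enumerate a file's NTFS streams as (name, size) via FindFirstStreamW; Windows only, [] elsewhere."""
    if sys.platform != "win32":
        return []
    from ctypes import wintypes  # imported lazily: only available/needed on Windows
    class StreamData(ctypes.Structure):  # mirrors WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", wintypes.LARGE_INTEGER),
                    ("cStreamName", wintypes.WCHAR * (wintypes.MAX_PATH + 36))]
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = ctypes.c_void_p  # handles are pointer-sized, never truncate them
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    info, found = StreamData(), []
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)  # 0 = FindStreamInfoStandard
    if handle in (None, ctypes.c_void_p(-1).value):  # INVALID_HANDLE_VALUE: no such file or no streams
        return found
    try:
        while True:
            found.append((info.cStreamName, info.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)
    return found
```

    On Windows a named stream can then be read with `open(r"C:\path\file.txt:streamname", "rb")` and passed to `classify_stream`; the main data stream is reported as `::$DATA`.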
  4. carlnalex

    carlnalex Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    1
    Location:
    uk
    Thank you for the update. So the MZ is just TDS's way of identifying an EXE associate file, no wonder it was not traced with a system search ...lol

    I had previously checked the script using notepad, but all that was shown was a single line of square characters, nothing legible to me.

    The previous attachment was supposed to show the TDS warning explanation, I will try again just for reference.

    I have altered TDS settings to ignore small streams as advised. Is there any way to find the actual associated file?

    Thanks again
    :D
     

  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Carlnalex, 88 bytes hence my 90 byte limit - Very common occurrence and nowt to worry about.
    Wayne was pointing out that I stated "bits" & not bytes - Making it Kbytes could be dangerous :D
    I have a feeling that many are to do with thumbs.db - Also some AV's use data streams as a sort of checksum.

    Quite often the associated file is shown when right clicking the data stream within the TDS3 readout.

    Sorry I cannot give you an authoritative answer but I am sure DCS will.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It's probably harmless - you can't do too much damage with 88 bytes, but to inspect it closer just right-click on it and you can then view the file
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The filename is *.TXT and it is an EXE ?
    Or was that the saved text from the alert(s)?
     