TDS detects 2 ADS's on tds.exe

Discussion in 'Trojan Defence Suite' started by Defenestration, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    When run, TDS detects 2 NTFS Alternate Data Streams on the tds.exe. One is 88 bytes long and the other 0 bytes.

    Is this normal? If this is TDS that has added them, I thought ADS were frowned upon in security circles, and so why are they being used?

    I am using Win XP Home SP1 with Kaspersky AV Personal 5.0.142, LooknStop 2.5. I have heard scare stories that KAVP 5 adds an ADS to every single file, but from my experiences this is not true and so that's why I think it is TDS that has added them.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Defenestration. Many programs use streams, especially imaging programs; I believe they are used for tagging the image. bb bytes is a typical image stream. 0 bytes is nothing. Anything below 128 bytes can be safely ignored.
    Here is a screenshot showing how to set up streams.
     

  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Why has the TDS executable file tds.exe been tagged though? No other file on my system has been tagged with an ADS, so it looks like TDS has tagged itself.

    Why is this?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Defenestration, TDS3 does not tag anything with streams; Windows creates them, usually for legitimate reasons.
    Why zero byte size I have no idea :) In certain circumstances KAV 5 did create streams; like you, my KAV does not.

    Here is some more information about ADStreams:
    http://www.diamondcs.com.au/web/streams/streams.htm

    HTH Pilli
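
One way to see what the streams discussed in this thread actually contain, as an added example that is not part of the original posts or of TDS: list the alternate data streams on a file and hex-dump the small ones. It assumes an NTFS volume and PowerShell 3.0 or later; the function name `Get-AlternateStreamSummary`, the `MaxDumpBytes` limit and the file path are hypothetical.

```powershell
function Get-AlternateStreamSummary {
    param(
        [Parameter(Mandatory)][string]$Path,  # file to inspect
        [int]$MaxDumpBytes = 256              # larger streams are listed but not dumped
    )

    # -Stream * returns every stream on the file; the unnamed main data
    # stream is reported as ':$DATA' and is filtered out here.
    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' }

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte,
    # PowerShell 6 and later with -AsByteStream.
    $readArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    foreach ($s in $streams) {
        $hex = ''; $ascii = ''
        if ($s.Length -gt 0 -and $s.Length -le $MaxDumpBytes) {
            $bytes = [byte[]](Get-Content -LiteralPath $Path -Stream $s.Stream -Raw @readArgs)
            $hex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
            # Printable ASCII preview; everything else is shown as '.'
            $ascii = -join ($bytes | ForEach-Object {
                if ($_ -ge 32 -and $_ -lt 127) { [char]$_ } else { '.' }
            })
        }
        [pscustomobject]@{
            Stream = $s.Stream
            Length = $s.Length
            Hex    = $hex
            Ascii  = $ascii
        }
    }
}

# Placeholder path: substitute the location of the flagged file.
Get-AlternateStreamSummary -Path 'C:\path\to\tds.exe' | Format-List
```

The stream name and the first bytes of its content are usually enough to tell which program wrote it, which is a firmer basis for a decision than size alone.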
     