Bill Horne wrote:
> However, each of the .jpg files has either brought with it, or Samba
> has created, two other files...
[...]
> 168k Dec 28 04:44 Scan1.jpg
> 6.3k Dec 28 04:44 Scan1.jpg:Q30lsldxJoudresxAaaqpcawXc:$DATA
> 0 Dec 28 04:44 Scan1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
[...]
> Please tell me why/how these files have appeared...

Those extra file names look like the names typically used for Alternate Data Streams (ADS)[1] on Windows.

1. http://www.bleepingcomputer.com/forums/tutorial25.html

An ADS is similar in concept to the resource fork on Mac OS. It's a separate storage location that is affiliated with the parent file, and gets moved around with the parent file, but is otherwise hidden from view.

Because it is so well hidden, ADS are a favorite hiding place for malware. The above link explains how to access the contents of an ADS, how to delete them, and mentions several tools for finding them, such as LADS (List Alternate Data Streams)[2], a command line tool. (Several anti-malware scanners also report on ADSs.)

2. http://www.heysoft.de/Frames/f_sw_la_en.htm

But the presence of an ADS doesn't necessarily mean a malware infection. One of the most common sources of ADSs is Internet Explorer. It uses an ADS on downloaded files to store extended attributes, specifically flagging the file as untrustworthy, and this is what leads to the OS popping up a warning dialog when you try and execute a previously downloaded program.

It appears from the above directory listing that Samba simulates support of ADSs by adding separate, visible directory entries for each stream.

Most likely you can safely delete the extra streams.

> Followup: the extra files are NOT thumbnails, or at least not
> anything Microsoft's Picture Manager recognizes as such.

Thumbnail storage would certainly be a logical use for an ADS (even though the JPEG file format, JFIF, has a built-in ability to store thumbnails).

It wouldn't surprise me if they used a raw image format or one lacking standard headers, such that the thumbnail would be unrecognized out of the context of being in an ADS. Remember, it isn't the Microsoft way to combine simple, standard things...

 -Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
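
Added example, not part of the original message and not Samba's own code: a Python script for the Linux side of the share that finds entries named in the `file:stream:$DATA` pattern from the quoted listing, groups them under their parent file, and marks which streams actually hold data before anything is deleted. It assumes each stream is stored as an ordinary file with that naming, as the listing suggests; the function names and the command-line path are illustrative.

```python
import os
import re
import sys
from collections import defaultdict

# "parent:stream:$DATA", the naming seen in the listing quoted above.
STREAM_RE = re.compile(r"^(?P<parent>[^:]+):(?P<stream>[^:]*):\$DATA$")


def split_stream_name(name):
    """Return (parent, stream) if name looks like a stream entry, else None."""
    m = STREAM_RE.match(name)
    return (m.group("parent"), m.group("stream")) if m else None


def find_stream_entries(root):
    """Walk root; map each parent path to sorted (stream, size, parent_exists)."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            parts = split_stream_name(name)
            if parts is None:
                continue
            parent, stream = parts
            # lstat: measure the entry itself, never follow a symlink
            size = os.lstat(os.path.join(dirpath, name)).st_size
            found[os.path.join(dirpath, parent)].append(
                (stream, size, parent in present))
    return dict(found)


def report(root):
    """Return printable lines; non-empty streams are the ones worth inspecting."""
    lines = []
    for parent, streams in sorted(find_stream_entries(root).items()):
        for stream, size, has_parent in streams:
            note = "" if has_parent else "  (orphan: parent file missing)"
            flag = "data " if size else "empty"
            lines.append(f"{flag} {size:>8}  {parent}  [{stream}]{note}")
    return lines


if __name__ == "__main__":
    # Usage: python find_streams.py /path/to/share   (path is an assumption)
    for line in report(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

The script only lists entries; review the non-empty ones before removing anything.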