Extra files found after a copy from Windows
Tom Metro
blu at vl.com
Sat Jan 21 11:51:10 EST 2006
Bill Horne wrote:
> However, each of the .jpg files has either brought with it, or Samba
> has created, two other files...
[...]
> 168k Dec 28 04:44 Scan1.jpg
> 6.3k Dec 28 04:44 Scan1.jpg:Q30lsldxJoudresxAaaqpcawXc:$DATA
> 0 Dec 28 04:44 Scan1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
[...]
> Please tell me why/how these files have appeared...

Those extra file names look like the names typically used for Alternate
Data Streams (ADS)[1] on Windows.

1. http://www.bleepingcomputer.com/forums/tutorial25.html

An ADS is similar in concept to the resource fork on Mac OS. It's a
separate storage location that is affiliated with the parent file, and
gets moved around with the parent file, but is otherwise hidden from
view. Because they are so well hidden, ADSs are a favorite hiding place for
malware.

The above link explains how to access the contents of an ADS, how to
delete them, and mentions several tools for finding them, such as
LADS (List Alternate Data Streams)[2], a command line tool. (Several
anti-malware scanners also report on ADSs.)

2. http://www.heysoft.de/Frames/f_sw_la_en.htm

But the presence of an ADS doesn't necessarily mean a malware infection.
One of the most common sources of ADSs is Internet Explorer. It uses an
ADS on downloaded files to store extended attributes, specifically
flagging the file as untrustworthy, and this is what leads to the OS
popping up a warning dialog when you try and execute a previously
downloaded program.

It appears from the above directory listing that Samba simulates support
of ADSs by adding separate, visible directory entries for each stream.
Most likely you can safely delete the extra streams.

> Followup: the extra files are NOT thumbnails, or at least not
> anything Microsoft's Picture Manager recognizes as such.
Thumbnail storage would certainly be a logical use for an ADS (even
though the JPEG file format, JFIF, has a built-in ability to store
thumbnails). It wouldn't surprise me if they used a raw image format or
one lacking standard headers, such that the thumbnail would be
unrecognized out of the context of being in an ADS. Remember, it isn't
the Microsoft way to combine simple, standard things...
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
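
An added example, not part of the original post: a short Python script that inventories directory entries shaped like the flattened stream names in the quoted listing (`file:stream:$DATA`), so they can be reviewed before anything is deleted. The function names and the sample entries are assumptions made for this illustration.

```python
import os
import re
from collections import defaultdict

# NTFS stream syntax is "<file>:<stream>:$<TYPE>". ':' is not legal inside a
# Windows file name, so an entry of this shape on the Unix side of a share is
# very likely a stream that was flattened into its own directory entry.
STREAM_RE = re.compile(r"^(?P<parent>[^:]+):(?P<stream>[^:]+):\$(?P<type>[A-Z_]+)$")

def split_stream_name(name):
    """Return (parent, stream, type) for a stream-style name, else None."""
    m = STREAM_RE.match(name)
    return (m["parent"], m["stream"], m["type"]) if m else None

def find_streams(entries):
    """entries: iterable of (name, size) -> {parent: [(stream, size, parent_present)]}."""
    entries = list(entries)
    plain = {name for name, _ in entries if split_stream_name(name) is None}
    found = defaultdict(list)
    for name, size in entries:
        parts = split_stream_name(name)
        if parts:
            parent, stream, _ = parts
            found[parent].append((stream, size, parent in plain))
    return dict(found)

def scan_directory(path):
    """Run find_streams over the regular files directly inside path."""
    with os.scandir(path) as it:
        return find_streams((e.name, e.stat().st_size)
                            for e in it if e.is_file(follow_symlinks=False))

# Constructed sample modelled on the listing quoted in the post (sizes approximate).
SAMPLE = [
    ("Scan1.jpg", 172032),
    ("Scan1.jpg:Q30lsldxJoudresxAaaqpcawXc:$DATA", 6451),
    ("Scan1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA", 0),
    ("notes:2006.txt", 120),              # colon in a Unix name, not a stream
    ("orphan.doc:example:$DATA", 26),     # stream entry whose parent is absent
]

if __name__ == "__main__":
    for parent, streams in find_streams(SAMPLE).items():
        for stream, size, present in streams:
            note = "" if present else " (parent file missing)"
            print(f"{parent}: stream {stream!r}, {size} bytes{note}")
```

Non-empty streams and entries whose parent file is missing are the ones worth inspecting before removal.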