[Dshield] [Fwd: File on desktop with tilde character as filename]

Johannes B. Ullrich jullrich at sans.org
Fri Jun 6 03:24:43 GMT 2003

-----Forwarded Message-----

From: Samuel <samuel at socal.rr.com>
To: Dshield at Dshield. Org <dshield at dshield.org>
Subject: File on desktop with tilde character as filename
Date: 05 Jun 2003 19:03:22 -0700

Several times I have received spontaneously a file on my Windows desktop
that has a one-character filename of the tilde character ("~"). The contents
is binary but when I look at it I can see that it contains email addresses
from my address book. The first time (on Friday, May 02) I saw it I zipped
it into a zip file. Since then I have been deleting them when I get them.
Since the first half of May I did not get any on my desktop but I need to
search my entire system in case they exist elsewhere. I received another one
a couple of days ago and I received two today. The first one I received I
was able to see it appear on the desktop immediately after sending a
message. So now I am much more suspicious.

I don't know where it is coming from. I keep my desktop clear enough of
icons that I notice it quite quickly. I tried to search for information but
either it is not malicious and there is not information or the use of the
tilde character makes it difficult to find the information. I assume the use
of the tilde character is intended to slow us down and if so it is quite

I am using Outlook Express and I have the "Warn me when other applications
try to send mail as me." option selected on so I hope there has been no
email sent that I am unaware of.

As you can see by the signature it adds to messages that I am using AVG for
virus protection. I obviously need to get something better. However if this
file is the result of something malicious then I sure want to identify it,
especially if it is something new.

I realize this mailing list is not the primary place to report such a thing.
Where else is a good place to report it and get information about it if it
is malicious? I should not be spending time on this but that is what
everyone says, right?

Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003
Johannes Ullrich
Internet Storm Center - SANS Institute
jullrich at sans.org  http://isc.sans.org

More information about the list mailing list