[Dshield] [Fwd: File on desktop with tilde character as filename]

Dale Sampson dalejsampson at ameritech.net
Fri Jun 6 17:16:10 GMT 2003


Samuel,

I'd be surprised if this file is created by Outlook. I'm wondering if some
program isn't using the desktop as a temp folder ... (like AVG ?)

One way to trace the origin of this file:

Download file monitor from http://www.sysinternals.com (choose the correct
version for your OS). Install it and reboot. You can run it after reboot.

Filemon usage:  The program allows you to trace all reads & writes to the
file system identified by the process that accessed the file system.  It
allows you to specify filters (include & exclude) for both the processes
monitored and the directories monitored. Since this file is showing up on
the desktop & created by an unknown process, I'd suggest you monitor all
process and include only the desktop folder. This should identify everything
that reads and writes to your desktop.  The activity logs can get very
large.  You can play with the filters to control the size.


Dale Sampson, RN
http://www.dalesplace.net/dalesplace.htm
 


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of David Vincent
Sent: Friday, June 06, 2003 12:10 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] [Fwd: File on desktop with tilde character as
filename]


i have a client with this problem, we traced it to a real estate package
they are running called "Interface".  seems to be pretty benign, so we've
just left it.

-d



> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at sans.org]
> Sent: June 5, 2003 8:24 PM
> To: list at dshield.org
> Subject: [Dshield] [Fwd: File on desktop with tilde character as 
> filename]
> 
> 
> -----Forwarded Message-----
> 
> From: Samuel <samuel at socal.rr.com>
> To: Dshield at Dshield. Org <dshield at dshield.org>
> Subject: File on desktop with tilde character as filename
> Date: 05 Jun 2003 19:03:22 -0700
> 
> Several times I have received spontaneously a file on my
> Windows desktop
> that has a one-character filename of the tilde character 
> ("~"). The contents
> is binary but when I look at it I can see that it contains 
> email addresses
> from my address book. The first time (on Friday, May 02) I 
> saw it I zipped
> it into a zip file. Since then I have been deleting them when 
> I get them.
> Since the first half of May I did not get any on my desktop 
> but I need to
> search my entire system in case they exist elsewhere. I 
> received another one
> a couple of days ago and I received two today. The first one 
> I received I
> was able to see it appear on the desktop immediately after sending a
> message. So now I am much more suspicious.
> 
> I don't know where it is coming from. I keep my desktop clear
> enough of
> icons that I notice it quite quickly. I tried to search for 
> information but
> either it is not malicious and there is not information or 
> the use of the
> tilde character makes it difficult to find the information. I 
> assume the use
> of the tilde character is intended to slow us down and if so 
> it is quite
> successful.
> 
> I am using Outlook Express and I have the "Warn me when other
> applications
> try to send mail as me." option selected on so I hope there 
> has been no
> email sent that I am unaware of.
> 
> As you can see by the signature it adds to messages that I am
> using AVG for
> virus protection. I obviously need to get something better. 
> However if this
> file is the result of something malicious then I sure want to 
> identify it,
> especially if it is something new.
> 
> I realize this mailing list is not the primary place to
> report such a thing.
> Where else is a good place to report it and get information 
> about it if it
> is malicious? I should not be spending time on this but that is what
> everyone says, right?
> 
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.487 / Virus Database: 286 - Release Date: 6/1/2003
> --
> ----------
> Johannes Ullrich
> Internet Storm Center - SANS Institute
> jullrich at sans.org  http://isc.sans.org
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list





More information about the list mailing list