Full Disclosure mailing list archives

RE: Help!
From: "Cary Barker" <cary () campbell com>
Date: Thu, 6 Apr 2006 08:49:44 -0400

Danny,
Let's put your fears to rest.  Zone.Identifier ADS is related to the way
Windows tags files generated by Internet Explorer and Outlook when
saving content downloaded from different security zones (you know - the
Security tab under IE Internet Options).  This tag is then referenced
when Windows accesses a file to determine how 'safe' it is.  If the file
is an executable that you downloaded from the Internet, this tag will
cause Windows to toss up an "Internet Explorer - Security Warning"
dialog box stating the publisher could not be verified.  It will also
force you to click on "Run" in that same dialog box before the program
will execute (as opposed to simply running the program when you run an
executable from a CD).  The files you are referring to are not
executable, but they are tagged by IE regardless. 

But don't take my word for all this - check out F-Secure:

http://www.f-secure.com/v-descs/zoneident.shtml

. . .and for more painful details, Microsoft:

http://msdn.microsoft.com/workshop/security/szone/reference/objects/PersistentZoneIdentifier.asp

            -Cary

Cary Barker CISSP, GSEC, GSNA, GCWN, MCSE
Network Security Administrator
Campbell & Company, Inc.

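Cary's reply above describes what the tag is and what Windows does with it. The PowerShell below is an added example, not part of the original message, showing the same thing from the command line: it reads a file's Zone.Identifier stream, maps the ZoneId to the IE security zone, walks a directory for tagged files (the xxx.jpg:Zone.Identifier hits Danny's scanners reported) and clears the tag the way Unblock-File does. It assumes Windows, an NTFS volume and PowerShell 3.0 or later (for the -Stream parameters) rather than the XP-era tools named in the thread; the directory, file name and stream contents are constructed for the demo, and ReferrerUrl/HostUrl lines only appear on newer Windows versions.

```powershell
# Added example (not from the original post): read, classify and clear the
# Zone.Identifier stream that IE and Outlook attach to downloaded files.
# Assumes Windows, an NTFS volume and PowerShell 3.0 or later (the -Stream
# parameters on Get-Item/Get-Content/Set-Content). The directory, file name
# and the sample stream contents below are constructed for the demo.

# Zone numbers as written by the persistent zone identifier (IE's URLZONE values).
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-ZoneIdentifier {
    # Returns $null when the file carries no Zone.Identifier stream.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    $zoneId = $null; $referrer = $null; $hostUrl = $null
    foreach ($line in $lines) {
        if     ($line -match '^ZoneId=(\d+)\s*$')  { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }   # newer Windows only
        elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl  = $Matches[1] }   # newer Windows only
    }
    $name = if ($zoneId -ne $null -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        Zone        = $name
        ReferrerUrl = $referrer
        HostUrl     = $hostUrl
    }
}

function Find-ZoneTagged {
    # Walk a tree and report every file carrying the tag, with its zone. This is
    # what the lads/lns output quoted in the thread (xxx.jpg:Zone.Identifier) amounts to.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
        Where-Object { $_ -ne $null }
}

# --- demo (constructed data) ------------------------------------------------
$dir = Join-Path $env:TEMP 'zone-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$jpg = Join-Path $dir 'holiday.jpg'
Set-Content -LiteralPath $jpg -Value 'not really a JPEG, constructed for the demo'

# Tag it exactly as a browser download from the Internet zone would be tagged.
Set-Content -LiteralPath $jpg -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-Item -LiteralPath $jpg -Stream *        # lists :$DATA and Zone.Identifier with their sizes
Find-ZoneTagged -Root $dir                  # holiday.jpg  ZoneId 3  Zone Internet

# Clearing the tag is all Unblock-File does; the data stream itself is untouched.
Unblock-File -LiteralPath $jpg
Get-ZoneIdentifier -Path $jpg               # $null: no stream, so no security-warning dialog
Remove-Item -LiteralPath $dir -Recurse -Force
```

Find-ZoneTagged over a Downloads or My Pictures folder will normally return many hits and every one of them is benign: the tag is metadata that only says where the file came from. Streams with other names are the ones worth a second look.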
________________________________

From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Danny NG
Sent: Thursday, April 06, 2006 6:42 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Help!

Dear all,

Recently I noticed that my PC shows the same phenomenon during virus
scanning as described below.

What I would like to ask is whether it is a "common" phenomenon, or does
it mean a virus (a backdoor trojan, e.g.) attack?

I have investigated ADS and performed scans using popular scanners
such as lns and lads, but they did not report any problem about the file
SHELL32.dll.124.Config.  They found, however, a lot of ADS, especially for
JPG files, giving outputs like xxx.jpg:zone.Identifier

I'm quite worried about the current situation.

Could somebody help? Thanks!

Danny

________________________________

[Full-disclosure] Shell32.dll.124.config

y0himba y0himba at technolounge.org
Tue Sep 6 03:22:15 BST 2005

________________________________

Thanks for the information.  I have sent an email to Mark to see if he can
verify this or assist me in any way.  This is helpful.
 
-----Original Message-----
From: Morning Wood [mailto:se_cur_ity at hotmail.com]
Sent: Monday, September 05, 2005 10:15 PM
To: y0himba; full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] Shell32.dll.124.config

sounds like an ADS ( alternate data stream )
http://www.sysinternals.com/Utilities/Streams.html

I wrote this awhile back as notes on a project...

this is a simple example...
Create an executable ADS:
-------------------------
c:\>type c:\fullpath\exename.exe > somefile.ext:exename.exe
( or somefile.exe:someothername.exe )

Execute an ADS:
---------------
c:\>start c:\pathto\somefile.ext:exename.exe
( starts the example above running exename.exe behind the visible
somefile.ext; the stream name has to be given, a plain
"start somefile.ext" only opens the visible file with its associated program )

c:\>type c:\start.bat > c:\windows\explorer.exe:start.bat
( this creates a file named start.bat that executes explorer.exe )

c:\>start
( will now execute the full path to c:\to\somefile.ext )

hope this helps.
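
As an added example (not part of Morning Wood's notes or the thread), the same hiding technique done from PowerShell together with the enumeration that reveals it, which is the check Danny's question calls for: list every named stream on every file and ignore only the default data stream and the browser's Zone.Identifier tag. It assumes Windows, an NTFS volume and PowerShell 3.0 or later; the directory, the cover file and the choice of calc.exe as a stand-in payload are constructed for the demo. The Find-HiddenStreams function is mine, not a built-in.

```powershell
# Added example (not from the original post): the hiding trick from the notes
# above, plus the enumeration that exposes it. Assumes Windows, NTFS and
# PowerShell 3.0 or later; the directory, cover file and the use of calc.exe as
# a stand-in "payload" are constructed for the demo.

function Find-HiddenStreams {
    # Report every named stream except the default data stream (:$DATA) and the
    # browser's Zone.Identifier tag, which is benign and very common.
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Ignore = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Length = $_.Length }
                }
        }
}

# --- demo (constructed data) ------------------------------------------------
$dir   = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$cover = Join-Path $dir 'readme.txt'
Set-Content -LiteralPath $cover -Value 'harmless cover file'

# "type payload.exe > cover:payload.exe" from the notes above. cmd's redirection
# copies the bytes verbatim; Set-Content -Stream is text-oriented and would
# mangle a binary.
$payload = Join-Path $env:windir 'System32\calc.exe'
cmd /c "type `"$payload`" > `"${cover}:calc.exe`""

# What Explorer and a plain dir show: the cover file's own size only.
(Get-Item -LiteralPath $cover).Length

# What stream enumeration shows: the hidden copy, with its real size.
Find-HiddenStreams -Root $dir        # File readme.txt  Stream calc.exe  Length <size of calc.exe>

# The Sysinternals tool linked in the note does the same walk: streams -s <dir>
Remove-Item -LiteralPath $dir -Recurse -Force
```

Whether the OS will launch an image straight from a stream path as the XP-era "start" line does varies by Windows version; the enumeration does not, and a stream whose name ends in .exe, .bat or .dll hanging off a text file or image is the finding to chase, not the Zone.Identifier tags.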
----- Original Message -----
From: "y0himba" <y0himba at technolounge.org>
To: <full-disclosure at lists.grok.org.uk>
Sent: Monday, September 05, 2005 4:33 PM
Subject: [Full-disclosure] Shell32.dll.124.config

Hi,
Yes I am a "noob".  I have a question though.  Google searches and a few
other things can tell me nothing about "shell32.dll.124.config".  I am on
Windows XP SP2, and keep seeing this file show up in antivirus scans, but
cannot find it anywhere on the system!  I think it is dynamically created by
something, but after sitting and watching Filemon 7.02 for 20 minutes or so,
I give up.  Has anyone heard of this file?  Antivir, Bitdefender, AVG and
Clam all show it on the system, have scanned it, but have found nothing.
I have never seen this file before...

Thanks in advance for your help!

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/GIT/GO d- s: a C++++$ UL++++ P++++ L++++ E++++ W++++ N+++++ o++++
K++
w
O- M- V-- PS+ PE Y++ PGP++ t+ 5-- X+++++ R* tv++ b+++++ DI++ D++++
G++ e h---- r+++ y++++
------END GEEK CODE BLOCK------
Get Your Geek Code:  http://www.geekcode.com

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date:
9/5/2005


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


______________________________________________________________________
Campbell & Company, Inc.:  The information in this e-mail may contain privileged/confidential information.  If you are 
not the intended recipient, you must not read, use, copy or disseminate the information or take any action in reliance 
thereupon.  If you have received this e-mail in error, please notify Campbell & Company, Inc. immediately by e-mail or 
telephone and delete the e-mail and any attachments from any computer.  The information in this e-mail does not 
constitute an offer to sell or the solicitation of an offer to buy any securities in any jurisdiction or for the 
benefit of any person.  
______________________________________________________________________