Windows Sharing Allows Internet Tracking

[Bill Sobel <bsobel () SYMANTEC COM>]

> I could be wrong about the following so let me know if you know for a
> _fact_ that I am.

Your not wrong.  My internet cache is about 1/2 a gig, sure would hurt
mapping drives waiting for that to 'transfer over'.

> No. The only reason you came to this conclusion is because it "looks" like
> this is what is happening.

Correct, they folder contains a desktop.ini file which invokes a name space
extension.  The name space extension *always* browses your local Temporary
Internet Files regardless of the directory it's started in.

> From the original post the author stated:

> common investigation, it should lead you to something. You
> will find most recently visited sites, as well as cookies
> from the intruding computer (turn the tables on them =) ).

All I can get from this is the original poster shared a drive and then
noticed that his temp files 'appeared' to now be on the server.  I can see
how one could initially get confused browsing 'your files' now apparently
residing there.

I guess Greg won't be updating the rootkit code to nuke the TIF files
anytime soon :)

Bill Sobel
Symantec