December 13th, 2003, 11:28 PM
2 days to learning all about NTFS ADS viruses.
Hi everyone.Well I've created much fuss around in this forum through my last article on viruses that cannot be deteted by any AntiVirus software.I didn't know how I can get back the good image I've lost,so I wrote this 2 day report on NTFS ADS viruses.I've researched and researched this topic a lot of times before writing this report.I hope it somehow pays back for my last post.Since this is a 2 day report,I thought I shouldn't post the reports for both of the days here because it wouldn't make sense.Therefore,if you like this report,you can get the Day 2 for free from my website by the link given at the end of this article.
I hope it proves useful.
2 days to learning all about NTFS ADS viruses.
What is NTFS ADS?
Well,ADS stands for Alternate Data Streams.It is a feature of the NTFS file system.It allows data to be attached to files but this data remains completely invisible to some file reading utilities.This feature can be used by viruses to exploit systems.Wanna see how it works?Then may be we have to get started with some practical stuff.
What you'll need.....
Well,what we are going to do now isn't going to work unless you have got NTFS file system installed on the drive you'll work at.(I got almost half crazy trying to get it to work on one of my drives that had FAT32 and couldn't realize what was wrong.Then I checked the file system and was like OHH Stupid Me!Anyways...)However if you do not have FAT32 installed on any of your drives and you can't get one that has it installed,then just read the rest of this article....you'll get an idea of what I'm talking about.However if you do have a drive with NTFS installed,then great!Lets do it!
First of all,make a seperate folder in the drive that has NTFS installed.Name that folder "test".Now,you must be having a little knowledge of how to use Ms.DOS.If no,then visit this page.Learn Ms.DOS through the free tutorials provided and then return here.
If you already have a little know-how of Ms.DOS,then we can get started right away.
Learning how to create ADSs.
An ADS is really simple to create if you know have a little knowlegde of Ms.DOS.Just lauch Ms.DOS and point to the folder "test" on whatever drive you have the folder on.Lets say you have test installed on Drive C:\ so you'll have to point to the folder C:\Test.
Now,type the following line:
echo"this text is visible">1.txt
What's happening here,is that the echo command is creating the file "1.txt" and putting the words"this text is visible" into that file.
Now,when you open the folder C:\Test through windows explorer you should see the file 1.txt and when you double click that file,you should be able to read the words"this text is visible" in that file.Now,lets move on creating our first ADS in that file.
At the command prompt,type the following line:
echo "and this this text is invisible">1.txt:ads1.txt
This command creates an ADS,or a data stream in the file 1.txt.This data stream cannot be viewed by windows explorer or Ms.DOS.If you open the folder C:\test through Windows Explorer then you will see only one file,named 1.txt.You wouldn't see any other file.And,even if you try the DIR command through Ms.DOS,you will still see only one file named 1.txt in that folder.Also,by creating 1.txt and adding an ADS to it,we have used some 54 bytes of memory.However,we see that the DIR command shows only 24 bytes occupied by the folder.You may even check the size of the folder through Windows Explorer(you can do so by opening drive C,right clicking on the folder Test and choosing properties.)Still you would see only 24 bytes occupied by the folder.The only way you can view the ADS you just added to the file,is by typing the following command at the command prompt:
This will open up a notepad window and will show the file we just created.This is the only way you can read the ADSs attatched to a file.However,now there is a free tool available which scans the entire drive or a given directory for AdSs. It lists the names and size of all alternate data streams it finds.It is called Lads.You can download Lads now from http://www.heysoft.de.If you ever come across a file that you doubt has some ADSs attached to it and you want to read what's in the ADSs then LADS is the program for you. You can use LADS to find the names of all of the ADSs attached to that file/folder.Then you can use the notepad command to view the contents of the ADSs.This is very useful if you are not sure if a particular folder or file has ADSs attached to it or not and if you want to view the contents of the ADSs.
Well,that's all for now.Tomorrow I will show you how NTFS ADS can be used to create viruses,and also how you can remove ADSs from a file without losing the original data it contains.As for today,you may want to practice creating ADSs and experiment with them.
Get the rest of this report from: