Is this a new bug (gone wrong)

  1. #1
    Member
    Join Date
    Aug 2005
    Posts
    41

    Is this a new bug (gone wrong)

    I was at my father's house yesterday; his PC had what may be a bug.

    My father has been a programmer since the late 70's, and no one is allowed to use his machine, but me (programmer since the late 80's). I mention this to you so you know this is unlikely to be user related.

    He had a file named '~' in the C:\ directory. The file is a binary file, that when hexed had what looked something like his address book.

    Is this familiar to any of you security folks?

    I hope I put this in the right forum.
    http://www.AntiOnline.com/sig.php?imageid=789 "A dark angel of sin, preying deep from within..." - Rob Halford

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    No offence to your "this is unlikely to be user related" but I've found that when that is said.. it usually is user related. Also no offence to your abilities as a programmer but being able to program doesn't mean you know **** about the actual computer... Two very important things to keep in mind.. (Spyware/Malware is all user related... an uneducated user)... This is not meant to be disrespectful but to be enlightening.

    http://www.sysinternals.com/Utilities/Filemon.html

    Above is a handy utility that lets you track all activities involving your file system. It's entirely possible that the file is supposed to be there... Microsoft applications are notorious for making back-ups (or simply copies if you prefer as it's not really a back-up) of currently accessed files... If the application/system should happen to crash while one of these files is open... the back-up is never cleanly removed and remains behind. It's possible that this was a back-up of the address book and Outlook, OE, or whatever you may use and a crash left the back-up behind.

    Check and see if you have any hidden services or executables.. I prefer tasklist and tasklist /svc from the command line for these purposes.

    If you aren't finding any additional services or binaries, and you know your OS is up-to-date then I'd run MS Anti-Spyware, SpyBot S&D and AdAware... and see if they uncover anything.. If you have a Host Based IDS you may want to check for registry changes and if you have a firewall or network IDS you could check for large quantities of email being sent (since it looks like an address book)... If you are not finding anything in these errors, I'd chalk it up to user related or OS related.. Windows is notorious for things randomly appearing that weren't previously there.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Banned
    Join Date
    May 2003
    Posts
    1,004
    HTRegz... in the future, before you are so rude make sure you have some clue what you are talking about. People expect me to be a dick, but you're a moderator...

    The "~" file is the result of a patched Outlook Express, previously the files were called: "<username>.wa~" after applying MS03-014 (Cumulative OE patch) the file name changes. This new ~ may appear on the desktop, in the C:\ directory. If you wish to move this "~" file, simply delete it and modify your OE shortcut's "Start in" field. (which can also be useful for jailing the application if you wish)

    This file is nothing more than a backup of your address book, as you noted and is in no way related to a crash, hidden services/executables, or any spy/malware.

    "Windows is notorious for things randomly appearing that weren't previously there."
    A lack of understanding doesn't make it random.

    cheers,

    catch

  4. #4
    Member
    Join Date
    Aug 2005
    Posts
    41
    catch,

    Thanks. I asked my father, he said it was on the desktop. He had moved it to C:\ to keep 'the bug' from working.

    I've been programming in pure Windows API for 15+ years and apparently I was just getting lucky with all those thousands of system calls. With that luck, maybe I should quit my job and buy some lotto tickets.
    http://www.AntiOnline.com/sig.php?imageid=789 "A dark angel of sin, preying deep from within..." - Rob Halford

  5. #5
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    Seriously read a TFM the lot of you.
