September 3rd, 2005, 08:44 AM
Is this a new bug (gone wrong)
I was at my father's house yesterday, his PC had what may be a bug.
My father has been a programmer since the late 70's, and no one is allowed to use his machine, but me (programmer since the late 80's). I mention this to you so you know this is unlikely to be user related.
He had a file named '~' in the C:\ directory. The file is a binary file, that when hexed had what looked something like his address book.
Is this familiar to any of you security folks?
I hope I put this in the right forum.
September 3rd, 2005, 09:16 AM
No offence to your "this is unlikely to be user related" but I've found that when that is said.. it usually is user related. Also no offence to your abilities as a programmer but being able to program doesn't mean you know **** about the actual computer... Two very important things to keep in mind.. (Spyware/Malware is all user related... an uneducated user)... This is not meant to be disrespectful but to be enlightening.
Above is a handy utility that lets you track all activities involving your file system. It's entirely possible that the file is supposed to be there... Microsoft applications are notorious for making back-ups (or simply copies if you prefer as it's not really a back-up) of currently accessed files... If the application/system should happen to crash while one of these files is open... the back-up is never cleanly removed and remains behind. It's possible that this was a back-up of the address book and Outlook, OE, or whatever you may use and a crash left the back-up behind.
Check and see if you have any hidden services or executables.. I prefer tasklist and tasklist /svc from the command line for these purposes.
If you aren't finding any additional services or binaries, and you know your OS is up-to-date then I'd run MS Anti-Spyware, SpyBot S&D and AdAware... and see if they uncover anything.. If you have a Host Based IDS you may want to check for registry changes and if you have a firewall or network IDS you could check for large quantities of email being sent (since it looks like an address book)... If you are not finding anything in these errors, I'd chalk it up to user related or OS related.. Windows is notorious for things randomly appearing that weren't previously there.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
September 3rd, 2005, 09:33 AM
HTRegz... in the future, before you are so rude make sure you have some clue what you are talking about. People expect me to be a dick, but you're a moderator...
The "~" file is the result of a patched Outlook Express, previously the files were called: "<username>.wa~" after applying MS03-014 (Cumulative OE patch) the file name changes. This new ~ may appear on the desktop, in the C:\ directory. If you wish to move this "~" file, simply delete it and modify your OE shortcut's "Start in" field. (which can also be useful for jailing the application if you wish)
This file is nothing more than a backup of your address book, as you noted and is in no way related to a crash, hidden services/executables, or any spy/malware.
A lack of understanding doesn't make it random.
Windows is notorious for things randomly appearing that weren't previously there.
September 3rd, 2005, 05:18 PM
Thanks. I asked my father, he said it was on the desktop. He had moved it to C:\ to keep 'the bug' from working.
I've been programming in pure Windows API for 15+ years and apparently I was just getting lucky with all those thousands of system calls. With that luck, maybe I should quit my job and buy some lotto tickets.
September 4th, 2005, 06:53 AM
Seriously read a TFM the lot of you.