Hidden files

Anders F

If I make a full anti-virus check with Kaspersky, it takes
two and a half hours, most of the time spent checking
"Program Files\MSDN\.../*.htm" files. If I omit the
"Program Files\MSDN" directory, it takes just one hour
to make the check. And the "Program Files\MSDN"
directory size is less than ten percent of just the
"Program Files" directory.

Where are these files? I suppose they are inside some
sort of receptacle and that part of the time is used to
unpack them, but does this mean that there is much less
free space on my disk than Explorer tells me?

I suppose these are not the only hidden files on my
computer (XP SP2). How can I find all hidden files,
how can I find the true free space (Explorer is set to
show all, it does not seem to help)?

Thanks for any help
Anders

...winston

Answers inline

: If I make a full anti-virus check with Kaspersky, it takes
: two and a half hours, most of the time spent checking
: "Program Files\MSDN\.../*.htm" files. If I omit the
: "Program Files\MSDN" directory, it takes just one hour
: to make the check. And the "Program Files\MSDN"
: directory size is less than ten percent of just the
: "Program Files" directory.
:
: Where are these files?
- if all files are not visible..toggle the Folder Options/View setting to show all files
: I suppose they are inside some
: sort of receptacle and that part of the time is used to
: unpack them, but does this mean that there is much less
: free space on my disk than Explorer tells me?
No.
:
: I suppose these are not the only hidden files on my
: computer (XP SP2). How can I find all hidden files,
: how can I find the true free space (Explorer is set to
: show all, it does not seem to help)?
See above
:
: Thanks for any help
: Anders

Anders F

I don't understand this. I had already searched with show
all files without result.
An example of a file that Kaspersky checks is
"C:\Program Files\MSDN\MSDN8.0\Common\1033\dnmag02.hxs//stream//html/soap0204FIGURES.htm"
(Observe the transition from backslashes to forward slashes).
According to Explorer there is no soap0204FIGURES.htm file on the disk.


Wesley Vogel

Anders F said:
"C:\Program Files\MSDN\MSDN8.0\Common\1033\dnmag02.hxs//stream//html/soap0204FIGURES.htm"
(Observe the transition from backslashes to forward slashes).

Alternate Data Streams or ADS.

From HijackThis ADS Spy...

---------------------------
HijackThis
---------------------------
Alternate Data Streams (ADSs) are pieces of info hidden as metadata on
files. They are not visible in Explorer and the size they take up is not
reported by Windows. Recent browser hijackers started hiding their files
inside ADSs, and very few anti-malware scanners detect this (yet). Use ADS
Spy to find and remove these streams. Note: this app also displays
legitimate ADS streams. Do not delete streams if you are not completely sure
they are malicious!
---------------------------
OK
---------------------------
---------------------------
HijackThis
---------------------------
Using ADS Spy is very easy: just click 'Scan', wait until the scan
completes, then select the ADS streams you want to remove and click 'Remove
selected'. If you are unsure which streams to remove, ask someone for help.
Don't delete streams if you don't know what they are! The three checkboxes
are: Quick Scan: only scans the Windows folder. So far all known malware
that uses ADS to hide itself, hides in the Windows folder. Unchecking this
will make ADS Spy scan the entire system (i.e. all drives). Ignore safe
system info streams: Windows, Internet Explorer and a few antivirus programs
use ADS to store metadata for certain folders and files. These streams can
safely be ignored, they are harmless. Calculate MD5 checksums of streams:
For antispyware program development or antivirus analysis only. Note: the
default settings of above three checkboxes should be fine for most people.
There's no need to change any of them unless you are a developer or
anti-malware expert.
---------------------------
OK
---------------------------


Any file on an NTFS formatted drive can have ADS, Alternate Data Streams.

On NTFS alternate data streams can be created by using the Summary tab.

[[A data stream is a sequence of bytes. An application populates the stream
by writing data at specific offsets within the stream. The application can
then read the data by reading the same offsets in the read path. Every file
has a main, unnamed stream associated with it, regardless of the file system
used. However, NTFS supports additional named data streams in which each
data stream is an alternate sequence of bytes as illustrated in Figure x.
Applications can create additional named streams and access the streams by
referring to their names. This feature permits related data to be managed as
a single unit. For example, a graphics program can store a thumbnail image
of a bitmap in a named data stream within the NTFS file containing the
image.]]

[[FAT volumes support only the main, unnamed stream, so if you try to copy
or move a file to a FAT volume or floppy disk, you receive an
error message as shown below. If you copy the file, all named data
streams and other attributes not supported by FAT are lost.]]
from...
Multiple Data Streams
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c13621675.mspx

Link has changed.

Working with File Systems
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c13621675.mspx

Click on...
Using the NTFS File System
and scroll down to...
Multiple Data Streams

Or do a Ctrl + F for Multiple Data Streams.

-----------------------
Confirm Stream Loss
-----------------------
The file 'xxxxxxxxxxxxx.zzz' has extra information
attached to it that might be lost if you continue copying. The
contents of the file will not be affected. Information that might be
lost includes:
Summary Info
Document Summary Info

Do you want to proceed anyway?
-----------------------

Click YES because there is nothing you can do about it.

With a Word .doc you can access Summary info from the File Properties
without opening the file or you can access that info by opening the file,
clicking File and then Properties.

If you add Comments to a .txt file, for example, the only way to access that
info is from File Properties on the Context menu.

If you send that same .txt file with Comments to a floppy you will get the
Confirm Stream Loss warning. If you zip that same .txt file with Comments
and then send it to a floppy you do not get the Confirm Stream Loss warning,
you just lose the Summary info.

With .txt files the Summary info is stored as an Alternate Data Stream.
With a .doc file the Summary info is stored in the file itself.
---------

NTFS Alternate (Multiple) Data Streams articles

The first four are short and to the point.

NTFS Data Streams - Windows Alternate Data Stream, NP.EXE
http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp

Windows Alternate Data Streams
http://www.bleepingcomputer.com/forums/tutorial25.html

Windows NTFS Alternate Data Streams
http://www.securityfocus.com/infocus/1822

NTFS Streams
http://www.alcpress.com/articles/ads.html

-----

Alternate Data Streams Threat or Menace Why Alternate Data Streams
http://www.informit.com/articles/article.asp?p=413685&rl=1

FAQ Alternate Data Streams in NTFS
http://www.heysoft.de/nt/ntfs-ads.htm

Fork (filesystem)
http://en.wikipedia.org/wiki/Alternate_data_stream

Hidden NTFS Alternate Data Streams (ADS) Explained - Are You At Risk?
http://www.diamondcs.com.au/web/streams/streams.htm

Hidden Threat Alternate Data Streams
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

NTFS Alternate Data Streams » Girl Geekette dotNet
http://www.girlgeekette.net/2005/09/16/ntfs-alternate-data-streams/

NTFS Data Streams
http://www.relsoft.net/datastreams.html

NTFS Streams - Everything you need to know (demos and tests included)
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams

Practical Guide to Alternative Data Streams in NTFS
http://www.irongeek.com/i.php?page=security/altds

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


Anders F

Thanks

It looked like the solution to my problem but it was not.
When checking for ADS with HijackThis, I did not find much, only some
entries of the type
....Thumbs.db : encryptable (0 bytes)
or
....Zone Identifier (26 bytes)

Still no explanation for all those files under
C:\Program Files\MSDN

Anders


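An added example, not code from this thread, of the things Wes's post describes and that Anders's ADS Spy listing shows: it enumerates the named streams on one file and on a whole tree, compares the length Explorer reports with the bytes the named streams actually occupy, reads a Zone.Identifier stream by name, and shows that a ZIP round-trip silently drops every named stream. It needs Windows PowerShell 5.1 or later (the -Stream parameters arrived in PowerShell 3, -NoNewline and Compress-Archive in 5) on an NTFS volume; on an XP-era system the Sysinternals streams.exe tool does the enumeration instead. The directory and file names are made up for the demonstration. The Zone.Identifier text written here is the standard "[ZoneTransfer]" block that the XP SP2 Attachment Manager stamps on files saved from the Internet zone; it is exactly 26 bytes, the size Anders saw for his Zone Identifier entries.

```powershell
# Added example (not code from the thread). Enumerate NTFS alternate data
# streams, compare Explorer's file size with the bytes the streams occupy,
# read a Zone.Identifier stream, and show that a ZIP round-trip drops them.
# Needs Windows PowerShell 5.1+ (or PowerShell 7) on an NTFS volume.
# $demo and readme.txt are made-up names for this demonstration.

$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'readme.txt'

# The main, unnamed stream (':$DATA'), 11 bytes. This is the only size
# Explorer's Size column and the folder Properties dialog ever count.
Set-Content -Path $file -Value 'hello world' -NoNewline -Encoding ASCII

# The Zone.Identifier stream that the XP SP2 Attachment Manager (and later
# Windows) writes to a file saved from the Internet zone. This text is
# exactly 26 bytes, the size ADS Spy shows for such entries.
$zone = "[ZoneTransfer]`r`nZoneId=3`r`n"
Set-Content -Path $file -Stream 'Zone.Identifier' -Value $zone -NoNewline -Encoding ASCII

# Any name works for a stream, and nothing in Explorer reveals it.
Set-Content -Path $file -Stream 'hidden' -Value ('X' * 4096) -NoNewline -Encoding ASCII

# 1. List every stream on one file. ':$DATA' is the main stream; the rest are ADS.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 2. What Explorer shows versus what the file really occupies.
$explorerSize = (Get-Item -Path $file).Length
$adsBytes = (Get-Item -Path $file -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Measure-Object -Property Length -Sum).Sum
'Explorer reports {0} bytes; named streams hold {1} more' -f $explorerSize, $adsBytes

# 3. Read a stream by name. Zone.Identifier is plain INI-style text.
Get-Content -Path $file -Stream 'Zone.Identifier' -Raw

# 4. Walk a whole tree the way ADS Spy's full scan does. Point $root at a
#    drive to audit it; this is slow on large trees, so capture to a file.
$root = $demo
Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# 5. ZIP carries only the main stream, so after a round-trip the named
#    streams are gone, with no "Confirm Stream Loss" prompt. A copy to FAT
#    loses them the same way, but there Explorer does show the prompt.
$zip = Join-Path $demo 'readme.zip'
Compress-Archive -Path $file -DestinationPath $zip -Force
Expand-Archive -Path $zip -DestinationPath (Join-Path $demo 'unzipped') -Force
Get-Item -Path (Join-Path $demo 'unzipped\readme.txt') -Stream * |
    Select-Object Stream, Length   # only ':$DATA' is left

# 6. Delete one named stream and leave the file's content untouched.
#    For Zone.Identifier this is what Explorer's "Unblock" button does.
Remove-Item -Path $file -Stream 'hidden'
Get-Item -Path $file -Stream * | Select-Object Stream, Length
```

Run it from an ordinary PowerShell prompt; no elevation is needed for files you own. The stream name ':$DATA' is kept in single quotes throughout so that PowerShell does not try to expand $DATA as a variable, and the tree walk in step 4 deliberately suppresses errors because Get-Item -Stream fails on reparse points and on files you cannot open.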
 

Wesley Vogel

You might ask MSDN. I assume that you have a subscription.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

