Full Disclosure mailing list archives

Re: Email Harvesting virus?


From: Michael J McCafferty <mike () m5computersecurity com>
Date: Mon, 06 Oct 2003 20:55:07 -0700

Joel,
I have seen this question, and other similar questions about the file called "~" (tilde), several times in various places lately. This was the answer for them; I am sure it will be for you... It's an artifact from an MS Cumulative patch for Outlook. See here: http://www.pchell.com/support/tildefile.shtml

I didn't open your attachment, but I think you just sent your customer's address book to this list.

Good luck,
Mike

At 09:44 PM 10/6/2003 -0500, Joel R. Helgeson wrote:
I came across an interesting event today. I haven't been able to research it as much as I'd like, but I'd like to toss it out to the community just the same.

A customer's machine appears to be infected with some type of malware that apparently harvests email addresses and puts them into a file named '~'. Just the tilde ~, no extension. This file is created under the C:\Documents and Settings\%username%\~. I have attached a zipped copy of the file for reference.

I came across the file earlier today, renamed it and copied it off to a keychain USB drive for later analysis. Well, the file re-created itself and the malware creating it is not immediately apparent. I've scanned all the running apps but I haven't had much time to investigate.

Any ideas?


Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

**************************************************
Michael J. McCafferty
Principal, Security Engineer
M5 Computer Security
858-576-7325 Voice
http://www.m5computersecurity.com
**************************************************
--- "If you build it, they will hack !" ---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

