Security Incidents mailing list archives

Re: File on desktop called "~"


From: "Patrick Nolan" <p.nolan () attbi com>
Date: Thu, 12 Jun 2003 15:45:01 -0700

From what I can tell, it is a parsing of contacts found in Outlook Express.
I have this file too, located in the root of drive C. The last modified date
for mine is June 04 07:13PM. There are two other files which have nearly the
same modification date and time -

pagefile.sys 06-04-03 07:32PM
hiberfil.sys 06-04-03 07:32PM

The file "~" also contains some CLSID references to "dsuiext.dll" (Directory
Service Common UI) and also the "default user ID" for Outlook Express. I
don't think this "~" file is related to anything viral.

Regards,

Patrick Nolan
Virus Researcher - Fortinet
pnolan () fortinet com
503-844-5998 (hm)
503-341-6335 (cell)


----- Original Message ----- 
From: "Sander van Vliet" <maxor () tref nl>
To: <rice () up edu>
Cc: <incidents () securityfocus com>
Sent: Thursday, June 12, 2003 1:45 PM
Subject: Re: File on desktop called "~"


| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| I have had the same issue on my XP workstation and Panda antivirus also
| does not recognise it. I did some hexdumping and I thought that it might
| have been a core dump but given the Microsoft design not very likely.
| I think this is some new worm but I didn't notice any weird e-mails
| passing through my network.
|
| - -- 
| - -----BEGIN PGP PUBLIC KEY BLOCK-----
| Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
|
| mQGiBD7lrmYRBAC5LTtYhAr8TfYlhvM4q+/kwr14O8rGWrRft/BVvXx0Uo//+Bgg
| XgJt1H0o7i8eQ2K2GR/q0i9agSL7wrEy6igzCT47hetWrLk51L7Ifd7AixaDNKtS
| Hpur6MzfNiuGVMfkYnz6XqA+P08zkPesPspbHNZ+vLwkszwZHcz95f1RywCgoIEQ
| jiNQ6YSYSAeC1sgj+nur5b8EAJq7Neret/I8jNOhTuP+zVcAYYr07JOeFyKV7HG6
| keD7OqTIo3vs+N3l6mEjEuapNVq7MmB+XDxM3SDmgVrvGmruxkg43NWCBEudSFTN
| TcAgd6zUh0y60hIwvSIuCn2KFgmIfRnFDxLosn3exHuXc1HEjxwtykZEAPi7Ah4C
| Jq/KA/9U72jNR2AWaNqjKiPsi17ofVxO6+s4vZsKwDVXfhwljD1RZfKfhN71JfUc
| GF/G3bdt5ngKSla4RarU8HpuFddP2t6EXik0mXpyU9Qdyg4MlZyxv6nNxYj5j/7g
| pj6W1aSZ9+wE97MZfnwWLwm+eZ6gO032/A/hcRJPcAqdlG9hZbQoU2FuZGVyIHZh
| biBWbGlldCAoTWF4b3IpIDxtYXhvckB0cmVmLm5sPohfBBMRAgAfBQI+5a5mBQkB
| 4TOABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRC+fwuq4T95dcJXAJ9S+8/nFrToMsba
| lhxOIaDTwgKQbQCcD1T5r6GfXMnztJWc5gGp3jvYeH25Ag0EPuWuaRAIALJ5EyME
| Pf1QGkOECVjRaN91su/gPFv2YF3nSwBjgp8O00mIR9gT3UIdRu3N1RYTdov7JMdW
| v8YPTrxQaaYPZ3jkjFKpX9wRVM6JnzvhWs4fNbUWSELkcBAQRw5tcgVjEuyQDOn8
| d/COiAohEuYxAqINh5mHpLqsvkYUmtHL9gAXese0+lvhT63Bjl1n9tDMRV9RMRy7
| v4VwKgDRNLmnHzXmNGdO/JibEovTMhkwZINE8w5llxL+oHNEuyuxqdCJlp3GoCLj
| avety0fsl8ysD5mQ/6go/RVo5vr7jP37KK8A9X2jKcs0yO6uzhnTDM9la0dyGTyy
| BbhYsF6dJGKz3NcAAwUH+wSN3XTtmMolet+EEUdr/3vbnYcEfeqEdRQcnkQCFCDQ
| kspdsl/3La8kouICxg0GXYFfgyxaJxZuHk29tTYZs1EWAySXA9FHyTcK7oH49vQh
| sglWv8EtM5kL6R2IEA9ptKX/e0qCk9ajNPfDMSjQNO+a2AbbfSEnBZAuQVZZKZef
| RTWcM/u5P5o31aDbaK0iVpuIBo8EDC0hBPRAwy7VMDIdmIxqBhJD0ReIvEaZPIQv
| TsibIJOrUJZdYuxKR18/HL/xI8IrlldMipFri+2BZ1RdM43uQnr254OhjKshL4TC
| 1tk8dPlt8TAZaqiI4xNCvLQdjWX4C34Gl6Hhe5qLnz2ITAQYEQIADAUCPuWuaQUJ
| AeEzgAAKCRC+fwuq4T95dZ/SAJ9fgKGp2UsNqLwuw2OPbmHZiMdp5QCfc9oCCoSc
| nEsCHkpemgoMogzIGzo=
| =YG97
| - -----END PGP PUBLIC KEY BLOCK-----
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
|
| iD8DBQE+6OZUvn8LquE/eXURArZfAJ9DHWH13X7APql2ZxkklekTeQsuAwCeISXi
| +BO1ktWmYAtW6uGvwKoTpt4=
| =2AiG
| -----END PGP SIGNATURE-----
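As an added example (not code from either poster), the following Python script does the kind of inspection both messages describe: it hex-dumps an unknown file, pulls out ASCII and UTF-16LE strings (Windows files often store text in UTF-16), extracts CLSID-style GUIDs, and flags references to modules worth a closer look such as dsuiext.dll. The sample bytes and the GUID values in them are constructed placeholders, and the watch-list of module names is an assumption you would adjust for your own case.

```python
"""Triage an unknown file the way the thread does by hand: hexdump it, list
its strings, pull out CLSID-style GUIDs and flag module names of interest.

Added example, not code from the original thread.  SAMPLE is constructed
data standing in for the "~" file; its GUIDs are placeholders, not real
CLSIDs, and WATCH is an assumed watch-list."""
import re
from typing import Dict, List, Tuple

# Registry-style GUID: {8-4-4-4-12 hex digits}, any case.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Printable ASCII runs of at least six characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE runs: each printable ASCII byte is followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Module names that would make the file worth a second look (assumed list).
WATCH = ("dsuiext.dll",)

# Constructed stand-in for the file: an ASCII identity path with a placeholder
# GUID, a UTF-16LE module name, binary noise, a UTF-16LE CLSID key and an
# ASCII label.
SAMPLE = (
    b"\x00\x00Identities\\{00000000-0000-0000-0000-000000000001}\x00\x00"
    + "dsuiext.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + "CLSID\\{11111111-2222-3333-4444-555555555555}".encode("utf-16-le")
    + b"\xff\xfe" + b"Default User ID\x00"
)


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs, by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda t: t[0])
    return found


def find_guids(strings: List[Tuple[int, str, str]]) -> List[str]:
    """Unique GUIDs in order of first appearance, normalised to upper case."""
    seen: List[str] = []
    for _, _, text in strings:
        for guid in GUID_RE.findall(text):
            guid = guid.upper()
            if guid not in seen:
                seen.append(guid)
    return seen


def find_modules(strings: List[Tuple[int, str, str]],
                 watch: Tuple[str, ...] = WATCH) -> Dict[str, List[Tuple[str, str]]]:
    """Map each watched module name to the (encoding, string) hits that mention it."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for _, enc, text in strings:
        low = text.lower()
        for name in watch:
            if name in low:
                hits.setdefault(name, []).append((enc, text))
    return hits


def triage(data: bytes, watch: Tuple[str, ...] = WATCH) -> dict:
    """One-shot summary: strings, GUIDs and watched-module hits."""
    strings = extract_strings(data)
    return {
        "strings": [t for _, _, t in strings],
        "guids": find_guids(strings),
        "modules": find_modules(strings, watch),
    }


if __name__ == "__main__":
    # Usage on a real file: triage(open(path, "rb").read())
    for line in hexdump(SAMPLE)[:4]:
        print(line)
    report = triage(SAMPLE)
    print("strings:", report["strings"])
    print("guids:  ", report["guids"])
    print("modules:", report["modules"])
```

Looking at both ASCII and UTF-16LE runs matters here: a plain ASCII strings pass misses the UTF-16 module name entirely, which is the kind of gap that makes an Outlook Express data file look like opaque binary on a hexdump.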