RE: How to hide a file ?

[H C <keydet89 () yahoo com>]

John,

The below just goes to show you...don't believe
everything you read on the Internet.  The statement ""
An alternate stream file can't be executed directly
because of the colon in the name" is simply incorrect.
 The 'how' depends on the version of NTFS you're
on...NTFS4 (NT) or NTFS5 (2K)...but suffice it to say,
this is incorrect.  The guys from FoundStone have been
publishing how to do so on NTFS4 for a while now...use
the 'start' command:

c:\> type c:\winnt\notepad.exe > test.txt:np.exe

c:\> start test.txt:np.exe 

Notepad runs...

When I ran something similar on 2K...

c:\ads>type c:\winnt\notepad.exe > c:\ads:np.exe

This copied the executable into an ADS associated with
the directory listing.  When I ran it, it showed up as
'ads' in both the Task Manager and pslist.exe. 

Other tools provide equally interesting results.

> Grep'd from
> http://www.cknow.com/vtutor/vtntfsads.htm
>
> " An alternate stream file can't be executed
> directly because of the
> colon in the name (which is only used for drive
> letters at the command
> prompt), but the files can be exploited by viruses
> that make their way
> into files saved as part of the normal stream. In
> one such exploit the
> virus (Streams) creates a copy of itself as a
> temporary EXE file and
> then copies the original EXE file as an ADS file
> attached to the
> temporary EXE file. The temporary EXE file is then
> renamed to the
> original EXE name. Now, when the user tries to run
> the original file
> they actually run the virus which does its thing and
> then sends the
> original program file to the operating system which
> then runs the
> program. The only thing you might see is a slight
> delay in program
> start."



__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/