I came across an interesting event today. I haven't been able to research
it as much as I'd like, but I'd like to toss it out to the community just
the same.
A customer's machine appears to be infected with some type of malware that
apparently harvests email addresses and puts them into a file named
'~'. Just the tilde ~, no extension. This file is created under the
C:\Documents and Settings\%username%\~. I have attached a zipped copy of
the file for reference.
I came across the file earlier today, renamed it and copied it off to a
keychain USB drive for later analysis. Well, the file re-created itself
and the malware creating it is not immediately apparent. I've scanned all
the running apps but I haven't had much time to investigate.
Any ideas?
Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation
"Give a man fire, and he'll be warm for a day; set a man on fire, and
he'll be warm for the rest of his life."