From what I can tell, it is a parsing of contacts found in Outlook Express.

I have this file too, located in the root of drive C. The last modified date for mine is June 04 07:13PM. There are two other files which have near the same modification date and time -

pagefile.sys 06-04-03 07:32PM
hiberfil.sys 06-04-03 07:32PM

The file "~" also contains some CLSID references to "dsuiext.dll" (Directory Service Common UI) and also the "default user ID" for Outlook Express.

I don't think this "~" file is related to anything viral.

Regards,

Patrick Nolan
Virus Researcher - Fortinet
pnolanat_private
503-844-5998 (hm)
503-341-6335 (cell)

----- Original Message -----
From: "Sander van Vliet" <maxorat_private>
To: <riceat_private>
Cc: <incidentsat_private>
Sent: Thursday, June 12, 2003 1:45 PM
Subject: Re: File on desktop called "~"

| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| I have had the same issue on my XP workstation and Panda antivirus also
| does not recognise it. I did some hexdumping and I thought that it might have
| been a core dump but given the Microsoft design not very likely.
| I think this is some new worm but I didn't notice any weird e-mails
| passing through my network.
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 13:26:26 PDT