Potential embarrassment, Joudres and alternate Streams

[Roedy Green]

I have discovered a potential embarrassment to Java developers.

Microsoft Windows has a rarely used feature called alternate streams,
something like Mac file forks, that allows you to attach little
descriptive files of metadata to your files.

The SysInternals people, now bought out by Microsoft, have a utility
called STREAMS.EXE to detect and optionally delete them.
http://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx

The Joudres virus exploits this and hides in the alternate stream/
fork. It attaches itself to every image file on your machine. You
can then unwittingly pass it on embedded in image files. It does not
appear to be all that harmful, but it could be embarrassing.

Neither of the three virus checkers I used are aware of it. It never
occurs to them to look in image files, or in the alternate stream.

I discovered the little beasts when I was defragging and found tiny
locked files interfering with the defrag process. You can perhaps
most quickly detect if you have the problem with a trial version of
O&O defragger http://mindprod.com/jgloss/defragger.html
and do an analyse followed by a double click on the drive and look at
the locked file report. Look for files of the form
myfile.png$joudres....

 

[Lew]

I discovered the little beasts when I was defragging and found tiny
locked files interfering with the defrag process. You can perhaps
most quickly detect if you have the problem with a trial version of
O&O defragger http://mindprod.com/jgloss/defragger.html
and do an analyse followed by a double click on the drive and look at
the locked file report. Look for files of the form
myfile.png$joudres....

Ad-Aware checks alternate streams.

 

[Jeff Higgins]

Microsoft Windows has a rarely used feature called alternate streams,

<http://msdn2.microsoft.com/en-us/library/aa364404.aspx>

<http://msdn.microsoft.com/msdnmag/issues/06/01/NETMatters/>