NEWS FROM THE LAB - Thursday, August 19, 2004

Alternative data streams on your drive? Posted by Mikko @ 13:19 GMT

We've received some questions from users about why they are seeing new streams in their files lately. Alternative Data Streams (aka ADS) are hidden data areas that can be attached to any file on an NTFS drive. They are accessed via a filename like normal-file.txt:hiddenstreamdata.

Turns out SP2 for Windows XP changes how Internet Explorer and Outlook tag files when you download them from the internet and save them to your hard drive. They add a new stream called Zone.Identifier to the file.

Typical content of such a stream would be:


You can find streams in your files with tools like LADS from Heysoft.
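For checking a stream by hand, here is an added Python example (not part of the original post and not from any tool named in it). It splits the file:stream naming syntax and interprets a Zone.Identifier stream. It assumes the stream is INI-style text with a [ZoneTransfer] section and a ZoneId key, which is the format Windows writes; the sample content and the file paths are constructed.

```python
import configparser
import ntpath

# URL security zones as numbered by Windows (ZoneId values).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample content, not taken from the original post.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def split_stream_path(path):
    """Split 'file:stream' into (file, stream); stream is None if absent.

    Only the last path component is examined, so the colon after a drive
    letter (C:\\...) is not mistaken for a stream separator.
    """
    directory, leaf = ntpath.split(path)
    name, sep, stream = leaf.partition(":")
    if not sep:
        return path, None
    stream = stream.split(":", 1)[0]      # drop a trailing ":$DATA" type suffix
    return ntpath.join(directory, name), stream or None


def parse_zone_identifier(text):
    """Return the stream's fields plus a readable ZoneName, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str              # keep key case (ZoneId)
    try:
        parser.read_string(text.lstrip("\ufeff").replace("\r", ""))
        fields = dict(parser["ZoneTransfer"])
        zone_id = int(fields["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None                       # a stream with this name need not be genuine
    fields["ZoneName"] = ZONES.get(zone_id, "Unknown")
    return fields


def read_zone(path):
    """Read a file's Zone.Identifier stream; returns None off Windows/NTFS."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None                       # no such stream, or not an NTFS volume


if __name__ == "__main__":
    print(split_stream_path(r"C:\dl\setup.exe:Zone.Identifier"))
    print(parse_zone_identifier(SAMPLE))
```

A file with no Zone.Identifier stream, or one sitting on a non-NTFS volume, simply returns None from read_zone.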


Another common stream you're likely to find is called AFP_AFPINFO. Some picture tools also like to create streams on image files.

Streams are used by many viruses, too. These include Potok, Stream and several variants of the Dumaru and Afcore trojans.