Bugger

I suspect a Thumb.db file...

26 posts in this topic

I don't know if I posted this in the right or wrong place, since there's no place specified for Windows... Anyways,

Here's the MSN Messenger scenario, short version:

ME> HI

HIM> Hey, I can steal your email and hack your computer

ME> Lemme see what you can do

*HIM sent me a Thumb.db file

*ME renamed it to Thumb.db.file

*ME opened it with WinHEX and couldn't understand a thing

I'm sure it's not a normal Thumb.db file... Can someone mess around with it and lemme know what made that retard send me that file?

I'll zip it and attach it

Thumbs.db.file.zip


It appears to be an office document. Probably infected with some trojan or something.

Be really careful with this file.

> It appears to be an office document. Probably infected with some trojan or something.
>
> Be really careful with this file.

Open Office while in Linux and see if there is any readable text. Being that its title is Thumb.db, it's going to trigger if it's dropped into a file and Windows will AUTOMATICALLY try to read it, probably executing something in turn. I am not at a stable enough connection to bring it into a secure environment and let it do its thing so I can watch it.

Edited by Zapperlink

If I open it, is there any way he can do anything to me? Can he see that anyone besides the original recipient has opened it and go after them? Because if not, then I will check it out. I am about to re-install anyway and don't have anything I would consider private data on my computer.


I don't really know... but it's supposed to hit ya or something, since he didn't customize it just for me... we just randomly met.

> If I open it, is there any way he can do anything to me? Can he see that anyone besides the original recipient has opened it and go after them? Because if not, then I will check it out. I am about to re-install anyway and don't have anything I would consider private data on my computer.

I would advise strongly against opening it, especially in Microsoft Word on Windows. Figure out how to extract whatever scripts are attached to this file, if any. It could be a bluff, or a file infected with some virus, or even a trojan. I'm really not familiar with the capabilities and restrictions of scripts in modern versions of Office (the last version I actually owned was Office 95), so I wouldn't rule anything out.


Well, like I said, I have no private data on my computer and I am the only computer on the network. Also, I am about to install Linux on this computer as soon as I back up a few things. So I don't really see the harm in me opening it. If I am wrong about the safety of me opening this, let me know.


Well, like I said, I have no private data on my computer and I am the only computer on the network. Also, I am about to install Linux on this computer as soon as I back up a few things. So I don't really see the harm in me opening it. If I am wrong about the safety of me opening this, let me know.

Also, I don't know much about the "Thumbs.db" files. They have always been a mystery to me. What would be the best way to examine it?

EDIT: I don't know why that posted twice.

Edited by L33T_j0sH
> Also, I don't know much about the "Thumbs.db" files. They have always been a mystery to me. What would be the best way to examine it?

thumb.db file stands for a mini-image database.

What that means is that normally it stores small versions of, like, JPG photos, and when you use Explorer (My Computer) to view those pictures, Explorer automatically reads the contents of the thumb.db so it can show you what pictures are in that folder. It also stores icons from programs, so technically it is possible to use it as a virus, but it will only be executed when you open the folder with Explorer; I think there is no way to directly execute it.

> Also, I don't know much about the "Thumbs.db" files. They have always been a mystery to me. What would be the best way to examine it?
>
> thumb.db file stands for a mini-image database.
>
> What that means is that normally it stores small versions of, like, JPG photos, and when you use Explorer (My Computer) to view those pictures, Explorer automatically reads the contents of the thumb.db so it can show you what pictures are in that folder. It also stores icons from programs, so technically it is possible to use it as a virus, but it will only be executed when you open the folder with Explorer; I think there is no way to directly execute it.

With Linux, copy it down and save it as a text file for us to view :) thus disabling its vicious properties and making it safe to tinker with.


You can try scanning it at Jotti's to see what comes up, and run it in a VM. You could try using something like processmon to see what happens; just look up 'analysis malware' and you'll find a load of software you can use to monitor what happens. As long as you use a VM you'll be fine; you can just delete the VM afterward.

Edited by iceni
> You can try scanning it at Jotti's to see what comes up, and run it in a VM. You could try using something like processmon to see what happens; just look up 'analysis malware' and you'll find a load of software you can use to monitor what happens. As long as you use a VM you'll be fine; you can just delete the VM afterward.

That was pure bullshit.

The Thumbs.db.file had similar contents to a thumbs.db I just unzipped from my My Music folder.

It's a dud.

7-Zip can unzip .db files.

CONTENTS of DOWNLOADED FILE:

01, 1, 2, 3, 02.

Etc. Just little 2 KB files, just like the stock one in my My Music folder.

Edited by IndexPhinger
> You can try scanning it at Jotti's to see what comes up, and run it in a VM. You could try using something like processmon to see what happens; just look up 'analysis malware' and you'll find a load of software you can use to monitor what happens. As long as you use a VM you'll be fine; you can just delete the VM afterward.
>
> That was pure bullshit.
>
> The Thumbs.db.file had similar contents to a thumbs.db I just unzipped from my My Music folder.
>
> It's a dud.
>
> 7-Zip can unzip .db files.
>
> CONTENTS of DOWNLOADED FILE:
>
> 01, 1, 2, 3, 02.
>
> Etc. Just little 2 KB files, just like the stock one in my My Music folder.

I don't know why you're quoting my post saying "That was pure bullshit." :cry: lol smilies are so funny

I haven't seen the file. Are Thumbs.db all the same? You can just compare it to a normal one then, I suppose; it might even have the same checksum. I'm totally clueless with a hex editor, but wouldn't it be obvious if it had some kind of packed executable in it??? I'll download it now and look blankly at it in a hex editor.


Well, it was a thumbs.db file. The file command on Linux told me it was a Microsoft Office file. Anyway, more interesting things:

db$ 7z x Thumbs.db																  8:55PM

7-Zip 4.57 Copyright (c) 1999-2007 Igor Pavlov 2007-12-06
p7zip Version 4.57 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: Thumbs.db

Extracting 4
Extracting 2
Extracting 1
Extracting 3
Extracting 8
Extracting 6
Extracting 5
Extracting 7
Extracting 01
Extracting 9
Extracting 21
Extracting 11
Extracting Catalog

Everything is Ok

Files: 13
Size: 41623
Compressed: 47616
db$ for f in [0-9]*; do dd if="$f" of="$f".jpg bs=1 skip=12; done 8:55PM
3378+0 records in
3378+0 records out
3378 bytes (3.4 kB) copied, 0.00734465 s, 460 kB/s
1130+0 records in
1130+0 records out
1130 bytes (1.1 kB) copied, 0.00217833 s, 519 kB/s
3778+0 records in
3778+0 records out
3778 bytes (3.8 kB) copied, 0.0114624 s, 330 kB/s
4280+0 records in
4280+0 records out
4280 bytes (4.3 kB) copied, 0.0158996 s, 269 kB/s
3982+0 records in
3982+0 records out
3982 bytes (4.0 kB) copied, 0.0169607 s, 235 kB/s
2527+0 records in
2527+0 records out
2527 bytes (2.5 kB) copied, 0.00780562 s, 324 kB/s
3392+0 records in
3392+0 records out
3392 bytes (3.4 kB) copied, 0.0122134 s, 278 kB/s
2722+0 records in
2722+0 records out
2722 bytes (2.7 kB) copied, 0.00735806 s, 370 kB/s
4932+0 records in
4932+0 records out
4932 bytes (4.9 kB) copied, 0.0201062 s, 245 kB/s
4047+0 records in
4047+0 records out
4047 bytes (4.0 kB) copied, 0.0151704 s, 267 kB/s
3888+0 records in
3888+0 records out
3888 bytes (3.9 kB) copied, 0.0156858 s, 248 kB/s
2893+0 records in
2893+0 records out
2893 bytes (2.9 kB) copied, 0.00781233 s, 370 kB/s
db$ zip thumbs.zip *.jpg 8:55PM
adding: 01.jpg (deflated 4%)
adding: 11.jpg (deflated 4%)
adding: 1.jpg (deflated 18%)
adding: 21.jpg (deflated 4%)
adding: 2.jpg (deflated 3%)
adding: 3.jpg (deflated 6%)
adding: 4.jpg (deflated 4%)
adding: 5.jpg (deflated 7%)
adding: 6.jpg (deflated 3%)
adding: 7.jpg (deflated 4%)
adding: 8.jpg (deflated 4%)
adding: 9.jpg (deflated 5%)
db$ 8:55PM

Attached are the thumbnails in JPEG format.

thumbs.zip

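The dd loop in the post above trusts that every stream 7-Zip pulled out of the Thumbs.db is a 12-byte header followed by a JPEG, and writes whatever comes after byte 12 straight to a .jpg. What an analyst would want before opening those images is a check that the assumption actually holds for each stream. The following is an added example written for this thread, not code from the post or from 7-Zip. It assumes the layout that the skip=12 implies and that the Windows XP format is commonly documented to have: three little-endian DWORDs (header length, a field this example does not interpret, image data length) and then the JPEG bytes. The function names parse_thumb_stream and make_sample_stream are this example's own, and the sample streams are constructed here rather than taken from the attached file.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image marker followed by the first segment marker
JPEG_EOI = b"\xff\xd9"      # End Of Image marker
THUMB_HEADER_LEN = 12       # assumed header length, matching the poster's dd skip=12


def parse_thumb_stream(data):
    """Validate one stream extracted from a Thumbs.db (e.g. by 7z x).

    Assumed layout (hypothetical helper, based on the 12-byte skip in the post):
    three little-endian DWORDs (header length, an uninterpreted field, image data
    length) followed by JPEG bytes. Returns a dict with ok, reason, header_len,
    data_len and payload (the JPEG bytes, empty unless ok).
    """
    result = {"ok": False, "reason": "", "header_len": None,
              "data_len": None, "payload": b""}
    if len(data) < THUMB_HEADER_LEN:
        result["reason"] = "stream shorter than the 12-byte header"
        return result

    header_len, _unused, data_len = struct.unpack_from("<III", data, 0)
    result["header_len"] = header_len
    result["data_len"] = data_len

    # If the header says it is not 12 bytes, blindly skipping 12 would cut the
    # image in the wrong place; stop instead of guessing.
    if header_len != THUMB_HEADER_LEN:
        result["reason"] = "unexpected header length %d" % header_len
        return result

    payload = data[header_len:]
    # A declared length larger than the bytes actually present is the kind of
    # inconsistency a careless reader would over-read on; treat it as malformed.
    if data_len > len(payload):
        result["reason"] = "declared data length %d exceeds %d bytes available" % (
            data_len, len(payload))
        return result
    payload = payload[:data_len]

    if not payload.startswith(JPEG_SOI):
        result["reason"] = "payload does not start with a JPEG SOI marker (got %s)" % payload[:3].hex()
        return result
    if not payload.endswith(JPEG_EOI):
        result["reason"] = "payload does not end with a JPEG EOI marker"
        return result

    result.update(ok=True, reason="looks like a JPEG", payload=payload)
    return result


def make_sample_stream(payload, header_len=THUMB_HEADER_LEN, data_len=None):
    """Build a constructed thumbnail stream for testing; not real Thumbs.db data."""
    if data_len is None:
        data_len = len(payload)
    return struct.pack("<III", header_len, 1, data_len) + payload


# Constructed inputs: a minimal JPEG-shaped blob, a blob carrying an MZ (executable)
# header instead of a JPEG, and a header that claims more data than exists.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
GOOD_STREAM = make_sample_stream(SAMPLE_JPEG)
NOT_JPEG_STREAM = make_sample_stream(b"MZ" + b"\x00" * 20)
OVERLONG_STREAM = make_sample_stream(SAMPLE_JPEG, data_len=10000)

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("not-jpeg", NOT_JPEG_STREAM),
                         ("overlong", OVERLONG_STREAM)):
        r = parse_thumb_stream(stream)
        print("%-9s ok=%s  %s" % (name, r["ok"], r["reason"]))
```

Run against the files 7-Zip produced (open each in binary mode and pass the bytes), this replaces the unconditional dd skip with one that only writes a .jpg when the header is self-consistent and the payload carries both JPEG markers; anything else is reported with the reason, which is also the cheapest first signal that a stream is not what the container claims.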

Results at Jotti's:

A-Squared - Found nothing

AntiVir - Found nothing

ArcaVir - Found nothing

Avast - Found nothing

AVG Antivirus - Found nothing

BitDefender - Found nothing

ClamAV - Found nothing

CPsecure - Found nothing

Dr.Web - Found nothing

F-Prot Antivirus - Found nothing

F-Secure Anti-Virus - Found nothing

Ikarus - Found nothing

Kaspersky Anti-Virus - Found nothing

NOD32 - Found nothing

Norman Virus Control - Found nothing

Panda Antivirus - Found nothing

Sophos Antivirus - Found nothing

VirusBuster - Found nothing

VBA32 - Found nothing

Found nothing with all the scanners! I looked at it in hexdump and strings and I think it's a Thumbs.db :P

> Well, it was a thumbs.db file. The file command on Linux told me it was a Microsoft Office file. Anyway, more interesting things:
>
> db$ 7z x Thumbs.db																  8:55PM
>
> 7-Zip 4.57 Copyright (c) 1999-2007 Igor Pavlov 2007-12-06
> p7zip Version 4.57 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
>
> Processing archive: Thumbs.db
>
> Extracting 4
> Extracting 2
> Extracting 1
> Extracting 3
> Extracting 8
> Extracting 6
> Extracting 5
> Extracting 7
> Extracting 01
> Extracting 9
> Extracting 21
> Extracting 11
> Extracting Catalog
>
> Everything is Ok
>
> Files: 13
> Size: 41623
> Compressed: 47616
> db$ for f in [0-9]*; do dd if="$f" of="$f".jpg bs=1 skip=12; done 8:55PM
> 3378+0 records in
> 3378+0 records out
> 3378 bytes (3.4 kB) copied, 0.00734465 s, 460 kB/s
> 1130+0 records in
> 1130+0 records out
> 1130 bytes (1.1 kB) copied, 0.00217833 s, 519 kB/s
> 3778+0 records in
> 3778+0 records out
> 3778 bytes (3.8 kB) copied, 0.0114624 s, 330 kB/s
> 4280+0 records in
> 4280+0 records out
> 4280 bytes (4.3 kB) copied, 0.0158996 s, 269 kB/s
> 3982+0 records in
> 3982+0 records out
> 3982 bytes (4.0 kB) copied, 0.0169607 s, 235 kB/s
> 2527+0 records in
> 2527+0 records out
> 2527 bytes (2.5 kB) copied, 0.00780562 s, 324 kB/s
> 3392+0 records in
> 3392+0 records out
> 3392 bytes (3.4 kB) copied, 0.0122134 s, 278 kB/s
> 2722+0 records in
> 2722+0 records out
> 2722 bytes (2.7 kB) copied, 0.00735806 s, 370 kB/s
> 4932+0 records in
> 4932+0 records out
> 4932 bytes (4.9 kB) copied, 0.0201062 s, 245 kB/s
> 4047+0 records in
> 4047+0 records out
> 4047 bytes (4.0 kB) copied, 0.0151704 s, 267 kB/s
> 3888+0 records in
> 3888+0 records out
> 3888 bytes (3.9 kB) copied, 0.0156858 s, 248 kB/s
> 2893+0 records in
> 2893+0 records out
> 2893 bytes (2.9 kB) copied, 0.00781233 s, 370 kB/s
> db$ zip thumbs.zip *.jpg 8:55PM
> adding: 01.jpg (deflated 4%)
> adding: 11.jpg (deflated 4%)
> adding: 1.jpg (deflated 18%)
> adding: 21.jpg (deflated 4%)
> adding: 2.jpg (deflated 3%)
> adding: 3.jpg (deflated 6%)
> adding: 4.jpg (deflated 4%)
> adding: 5.jpg (deflated 7%)
> adding: 6.jpg (deflated 3%)
> adding: 7.jpg (deflated 4%)
> adding: 8.jpg (deflated 4%)
> adding: 9.jpg (deflated 5%)
> db$ 8:55PM
>
> Attached are the thumbnails in JPEG format.

That's pretty cool, I didn't know you could extract the thumbs on Linux. burberry :DB)


It's just a guess in the dark, but isn't it possible to make a virus of an archive itself? So when you try to unpack it, you activate it?


Well, it's certainly possible to hide a trojan inside a self-extracting archive. Self-extracting archives are actually small executable archive extractor programs with the archived material embedded within the same file. Many archiving/compression applications (Winzip, WinRAR, Stuffit, etc.) have the capability to create self-extracting archives. They are useful for legitimate purposes (especially software distribution) because the user doesn't need to have an archiving application installed on his machine to unpack their contents. However, it's important to be careful when working with these because they are executable after all, and could contain malware. It's a good habit to always run a virus scan on any self-extracting archive before opening it. These kinds of archives are also very popular with software pirates, so you should be extra careful if you download material from an untrusted source and it comes packaged in this way.

BTW, self-extracting archives usually have extensions like .EXE, .COM, .SFX, .SEA, etc. So they're pretty easy to differentiate from normal archive files. Before clicking on any file, it's a good idea to be sure you know the meaning of its filename extension. ;)

Plain old archives aren't executable, so the only way a trojan could execute upon extraction would be if the mark was using some kind of program with a buffer overflow vulnerability in its archive extraction functionality. Even in that case, the attack would only work against whatever particular software had that vulnerability. If there were such a vulnerability in, say, a particular version of Winzip, then the malicious code could be executed if the mark was using that version of Winzip.

A quick Googling of the string

archive extraction vulnerability "buffer overflow"

reveals a few cases of this type of vulnerability over the past few years within certain software applications when handling certain types of archives. I'm sure most of these have been patched by now, but who knows?

Another thing to keep in mind about archives is that if they're encrypted, a virus scan won't detect malware in their contents. So with an encrypted archive, you should run a virus scanner on any programs that came out of them after you've entered the password and extracted them.

> That's pretty cool, I didn't know you could extract the thumbs on Linux. burberry :DB)

Burberry, indeed. Maybe the "hacker" who sent the file is a member of the popular UK criminal youth culture known as chavs (basically, British wiggers).

Lucky for Bugger, he met this chap on the Internets instead of IRL, cause the guy prolly would've butted him in the face and stolen his wallet.

Edited by Colonel Panic
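Colonel Panic's advice to know what an extension means, together with the earlier observation that the Linux file command identified the "Thumb.db" as a Microsoft Office file, comes down to one check: does the content's magic number agree with the name? Here is an added Python example, written for this thread and not taken from any post, that compares the two and singles out the self-extractor case he describes (an MZ executable header under an archive-style name). The signature bytes are the standard ones for OLE2 compound files, ZIP, RAR, 7z and DOS/Windows executables; the function names sniff and classify, the extension table and the sample file heads are this example's own constructions.

```python
import os

# Magic values at offset 0 and the container each identifies. These are the
# standard signatures for the formats this thread talks about.
SIGNATURES = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # OLE2 compound file: Thumbs.db, legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # ZIP archive (also .docx/.xlsx, .jar)
    (b"Rar!\x1a\x07", "rar"),                         # RAR archive
    (b"7z\xbc\xaf\x27\x1c", "7z"),                    # 7-Zip archive
    (b"MZ", "pe"),                                    # DOS/Windows executable, which is what a self-extractor is
)

# Content a truthful file with this extension should carry. ".db" is mapped to
# OLE2 here because that is what a Thumbs.db is; other .db files exist.
EXPECTED_BY_EXT = {
    ".db": {"ole2"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".ppt": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".zip": {"zip"}, ".rar": {"rar"}, ".7z": {"7z"},
    ".exe": {"pe"}, ".sfx": {"pe"},
}
EXECUTABLE_EXTS = {".exe", ".sfx"}


def sniff(head):
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(filename, head):
    """Compare the extension's claim with the sniffed content.

    verdict is one of:
      match               extension and content agree
      executable          MZ header under a non-executable extension (self-extractor pattern)
      mismatch            recognised content that the extension does not account for
      unlisted-extension  recognised content, but the extension is not in EXPECTED_BY_EXT
      unknown-content     no known signature at offset 0
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(head)
    if kind == "unknown":
        verdict = "unknown-content"
    elif kind == "pe" and ext not in EXECUTABLE_EXTS:
        # It will run when double-clicked, whatever the name suggests.
        verdict = "executable"
    elif ext not in EXPECTED_BY_EXT:
        verdict = "unlisted-extension"
    elif kind in EXPECTED_BY_EXT[ext]:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"ext": ext, "sniffed": kind, "verdict": verdict}


OLE2_HEAD = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8

# Constructed sample heads (first 16 bytes), not taken from the attached file.
SAMPLES = {
    "Thumbs.db.file": OLE2_HEAD,                        # renamed like the poster's: OLE2 under an unfamiliar extension
    "report.doc": OLE2_HEAD,                            # legacy Office document, name and content agree
    "archive.zip": b"PK\x03\x04" + b"\x00" * 12,        # honest ZIP
    "holiday_pics.zip": b"MZ\x90\x00" + b"\x00" * 12,   # executable wearing an archive name
    "notes.zip": OLE2_HEAD,                             # OLE2 content mislabelled as ZIP
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        r = classify(name, head)
        print("%-18s ext=%-6s content=%-7s -> %s" % (name, r["ext"], r["sniffed"], r["verdict"]))
```

Reading the first 16 bytes of a file and passing them to classify is enough for every verdict above; the point is that "executable" and "mismatch" are decided from the bytes, so a .zip or .db that is really a program is flagged before anything tries to open it, and a renamed Thumbs.db is still recognised as an OLE2 container rather than as something exotic.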

Our dear phriend was scared by a lowly chav.


Well, you can't be too careful.

I'm curious about the conversation that led up to this exchange in the first place:

> HIM> Hey, I can steal your email and hack your computer
>
> ME> Lemme see what you can do
>
> *HIM sent me a Thumb.db file
>
> *ME renamed it to Thumb.db.file
>
> *ME opened it with WinHEX and couldn't understand a thing
>
> I'm sure it's not a normal Thumb.db file... Can someone mess around with it and lemme know what made that retard send me that file?


Windows reads and writes to Thumbs.db files; it doesn't execute them.

The only way it could possibly be dangerous is for it to implement a buffer overrun attack. But since no such vulnerabilities are known, this is highly unlikely. (Happy fuzzing)


I remember looking up the thumbs.db file a few months back because I always got warnings about deleting a system file whenever I deleted a folder (because I opted to show system files instead of hiding them under folder options). I might be stating the obvious here, but the archives are miniature databases/archives of images in a folder; they are used to optimize performance of displaying a folder in thumbnail and filmstrip display modes. I decided to turn them off because they were a forensic vulnerability.

I also learned that Mac OS X stores thumbnails and view settings (such as icon positions) in a similar way, in files named .DS_Store. There is an even more troubling issue with the thumbnail stores on Mac OS X because Finder creates them in every folder you access, even on remote network shares. Many might see why that troubles me.

> Windows reads and writes to Thumbs.db files; it doesn't execute them.
>
> The only way it could possibly be dangerous is for it to implement a buffer overrun attack. But since no such vulnerabilities are known, this is highly unlikely. (Happy fuzzing)

Well, none are known to you or me, but maybe this chav hacker guy knows something we don't!

