Mystery subdirectory in 'Recycler'



#1 PC_Chick

Posted 05 November 2005 - 02:57 PM

I tend to over-explain, I'll try my best to keep this short.

I'm one of the network administrators for my company. I was looking through our users' home directories for *.exe files. These are usually games and stuff that they are not allowed to bring into work.

Normally speaking, because of the restrictions we place on user accounts, users are restricted from directly accessing their local hard drives and they do not have a "Recycle Bin" in their network home directory. In the course of looking for exe's, however, I found 5 users who had a "Recycler" subdirectory in their "My Documents" directory. It was flagged as system and hidden. Looking inside of it, there was only another subdirectory. The subdirectory had a name something like S-1-5-21-2087260228-1248616834-60295696-3921 (don't Google that name, I'm not sure I typed it correctly). Their names all followed that same naming convention except the last 4 numbers which were different for each of my users who had a "recycler" subdirectory. Like the "recycler" directory, these directories were also flagged as system and hidden.

Inside of each of those "S-1-5-etc" directories were several files. Some had WPD extensions (Word Perfect documents, we use WP at work), some had XLS, TXT or DOC extensions. Each of these mystery subdirectories also contained at least 1 file with an EXE extension; that's how I found these mystery directories in the first place.

The files in all these mystery subdirectories had names beginning with D@ followed by a unique number which, for the most part, increased over time: D@1.WPD, D@2.XLS, D@3.WPD, D@4.TXT, and so on. The WPD, DOC and XLS files are normal document files. There were no files with normal-looking names and, as far as I can tell, that is not the normal naming convention used by a true Recycle Bin directory.

I wasn't able to find out much about the EXE's. They didn't have the exact same date/time stamps nor were they the same size. Googling the file names was a waste of effort because both Google and Yahoo's search engine dump the @ from the search.

As I said, a "recycle" directory is not normal in our environment. Could these files be evidence that these users are infected with a keylogger? Any help or advice would be greatly appreciated.

#2 Alpha_Blue

Posted 05 November 2005 - 06:47 PM

That is very odd indeed. That S-1-5-21-2087260228-1248616834-60295696-3921 sounds like a SID number, but I don't know a whole lot about it... better get help from the experts.

#3 cnm

Posted 06 November 2005 - 12:06 AM

Those subdirectories are for the different accounts. I believe the number is like a user ID.

See http://support.micro...kb;en-us;187122 and/or http://support.micro...kb;en-us;171694
Microsoft MVP Windows Security 2005-2006
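As an added illustration that is not part of this thread (and not Microsoft's code), the Python below takes a list of directory names as they might be listed under a Recycler folder and groups the per-account folders by the domain part of the SID, so that the one component that differs between users, the trailing RID, stands out. The sample names are constructed: the first is the SID quoted in the post as typed, the other two are made-up variants.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample: entries as they might be listed under a Recycler
# folder. The first is the SID quoted in the post; the next two are made-up
# variants that share its domain part and differ only in the last number.
SAMPLE_DIRS = [
    "S-1-5-21-2087260228-1248616834-60295696-3921",
    "S-1-5-21-2087260228-1248616834-60295696-1105",
    "S-1-5-21-2087260228-1248616834-60295696-500",
    "S-1-5-18",   # well-known SID (LocalSystem), not a per-user folder
    "D@1.WPD",    # a recycled file, not a SID
]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
@dataclass
class Sid:
    revision: int
    authority: int
    sub_authorities: List[int]
    def is_domain_account(self) -> bool:
        # S-1-5-21-<3 values>-<RID>: an account issued by a domain or local SAM
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]   # relative id, unique per account

    @property
    def domain(self) -> str:
        # everything before the RID identifies the issuing domain/machine
        head = "-".join(str(s) for s in self.sub_authorities[:-1])
        return f"S-{self.revision}-{self.authority}-{head}"

def parse_sid(text: str) -> Optional[Sid]:
    m = SID_RE.match(text)
    if not m:
        return None
    subs = [int(x) for x in m.group(3).strip("-").split("-")]
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def group_by_domain(names: List[str]) -> Dict[str, List[int]]:
    """Map each issuing domain to the RIDs of the account folders found."""
    out: Dict[str, List[int]] = {}
    for name in names:
        sid = parse_sid(name)
        if sid is not None and sid.is_domain_account():
            out.setdefault(sid.domain, []).append(sid.rid)
    return out
```

Running `group_by_domain(SAMPLE_DIRS)` yields one domain key with the three RIDs, which is the pattern the first post describes: identical prefix, different last number per user.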