NTFS streams are a little-known feature that, despite being enabled and accessible to viruses, are completely hidden from a user and are even buggy to access via the command line. http://en.wikipedia.org/wiki/Fork_(filesystem) http://en.wikipedia.org/wiki/NTFS ADS
Massive amounts of data can be stored this way (without affecting the size of the file it is attached to); viruses hide this way, they then just need a tiny hook to run /boot.ini:bigbadvirus.exe, for example. The only non-programming way to kill this (if you know about it) is to move the file onto a non-stream-supporting OS and back again.
I've always found the best way to debug is to search all files modified since the infection and scan them, but as your AV isn't able to scan streams there is a big way to slip through.
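As an added example (not part of the comment above), this PowerShell script applies the poster's "scan everything modified since the infection" approach to the streams an AV scan may skip: it lists every alternate data stream on recently modified files and flags streams that begin with an executable header. It assumes PowerShell 3.0 or later on an NTFS volume; `$Root`, `$Since` and the `$KnownBenign` list are placeholder inputs to adjust.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) on files modified since a
# given date and flag streams that start with the 'MZ' executable signature.
# Assumes PowerShell 3.0+ on an NTFS volume. $Root and $Since are placeholder defaults.
param(
    [string]  $Root  = 'C:\Users',
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# Stream names that routinely appear on ordinary files (e.g. the browser download marker).
$KnownBenign = @('Zone.Identifier')

# Get-Content reads raw bytes with -AsByteStream on PowerShell 6+, -Encoding Byte on 5.1.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else                                        { @{ Encoding = 'Byte' } }

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $file = $_
        # -Stream * returns every stream, including the default unnamed ':$DATA' stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # Peek at the first two bytes of the stream; 0x4D 0x5A ('MZ') marks a PE file.
                $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                            -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue
                $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    Modified   = $file.LastWriteTime
                    Executable = $isPE
                    # Unknown stream name or an executable payload: worth a closer look.
                    Suspicious = $isPE -or ($_.Stream -notin $KnownBenign)
                }
            }
    } |
    Sort-Object Suspicious, Bytes -Descending |
    Format-Table -AutoSize
```

Run it as Administrator so protected directories are not silently skipped; a suspicious stream can then be submitted to your scanner by extracting it with `Get-Content -Stream` rather than relying on the host file's own scan result.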