Girl Geekette dotNet

Where the Girl Ends and the Geekette Begins


Archive for September, 2005

PayPal Scam from guest@bf-l.ch

Heads up: once again, there is another PayPal scam going around that might look legitimate to some. The email states that you have added a new email address to your PayPal account and wants you to be aware of this. If you don't believe that is right, it gives you a link to log in, check and protest.

The email reads:

-------- Original Message --------
From:  - Tue Sep 20 17:36:28 2005
X-Account-Key:  account3
X-UIDL:  i^N"!og["!dld!!/l/!!
X-Mozilla-Status:  0001
X-Mozilla-Status2:  00000000
Return-Path:  guest@bf-l.ch
Received:  from smtp.bf-l.ch (194-158-242-54.adslpremium.ch [194.158.242.54]) 
Tue, 20 Sep 2005 16:32:07 -0500 (CDT) (envelope-from guest@bf-l.ch)
Received:  by smtp.bf-l.ch (Postfix, from userid 520) id 307652CDC2; Tue, 20 Sep 2005 23:31:55 +0200 (CEST)
To:  kyralea@tranquility.net
Subject:  New email address added to your PayPal account !
From:  service@paypal.com <service@paypal.com>
Content-Type:  text/html
Message-Id:  <20050920213155.307652CDC2@smtp.bf-l.ch>
Date:  Tue, 20 Sep 2005 23:31:55 +0200 (CEST)
X-milter-7bit-Pass:  YES
X-milter-date-PASS:  YES
X-UIDL:  i^N"!og["!dld!!/l/!!

As part of our security measures, we regularly screen activity in the
PayPal system. We recently noticed the following issue on your account:

We would like to ensure that your account was not accessed by an
unauthorized third party. Because protecting the security of your
account is our primary concern, we have limited access to sensitive PayPal
account features. We understand that this may be an inconvenience but please
understand that this temporary limitation is for your protection.
Case ID Number: PP-072-838-482

https://www.paypal.com/us/cgi-bin/webscr?cmd=complaint-view

For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.
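In the headers quoted above, the visible From line claims paypal.com while Return-Path and Message-Id both name bf-l.ch. The following check is an added example, not part of the original post; it embeds a constructed subset of those headers (recipient omitted), and the function names are illustrative.

```python
import re
from email import message_from_string

# Constructed subset of the header block quoted above (recipient omitted).
RAW = """\
Return-Path: guest@bf-l.ch
Subject: New email address added to your PayPal account !
From: service@paypal.com <service@paypal.com>
Message-Id: <20050920213155.307652CDC2@smtp.bf-l.ch>

(body omitted)
"""

# Captures the domain part of anything shaped like local@domain.tld
_ADDR_DOMAIN = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')


def org_domain(host):
    """Last two DNS labels; a simplification (no public-suffix list)."""
    return '.'.join(host.lower().strip('.').split('.')[-2:])


def domains_in(value):
    """Set of organisational domains found in one header value."""
    return {org_domain(d) for d in _ADDR_DOMAIN.findall(value or '')}


def sender_mismatch(raw):
    """Compare the domain shown in From with the envelope-side domains.

    Return-Path and Message-Id are also set by the sender, so agreement
    proves nothing; disagreement is the useful signal.
    """
    msg = message_from_string(raw)
    claimed = domains_in(msg['From'])
    actual = domains_in(msg['Return-Path']) | domains_in(msg['Message-Id'])
    return {
        'claimed': sorted(claimed),
        'actual': sorted(actual),
        'mismatch': bool(actual) and claimed.isdisjoint(actual),
    }


if __name__ == '__main__':
    print(sender_mismatch(RAW))
```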




Archived in Scams , PayPal









Alternate Data Streams Windows 2003 Test

Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Now, I have decided to test it using Windows 2003. Below are my findings and screen-by-screen snapshots:

ADS test using Windows 2003

1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 4/3/2003 8:00AM and the size is 113KB.

ADS Test Picture 1

Here is a listing in DOS that shows the directory with the copied calc.exe file.

ADS Test Picture 2

2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).

ADS Test Picture 3

Notice the size of the calc program did not change, but the timestamp (last modified time and date stamp) DID change.

ADS Test Picture 4 Ads Test Picture 5

3. Next, I executed the new ADS notepad.exe using the standard command start.

ADS Test Picture 6

On the desktop, the NOTEPAD program popped up, even though I had executed the CALC program in the command line.

ADS Test Picture 7

4. By using CTRL + ALT + DELETE to get the Task Manager, I noticed that my test varied a bit. In the task manager, I could clearly see that calc.exe was running (which I had executed at the command prompt) but, unlike the simple demonstration using Windows 2000, Windows 2003 displayed the calc.exe name and ADS command, much like Windows XP.

ADS Test Picture 8

This is where I must stop and note that, depending on the version of Windows used, things can be displayed slightly differently.
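Step 4 observes that Windows 2003 and XP list the process as calc.exe with the stream name attached. The following added example (not part of the original post) uses that observation to flag process-creation records whose image path or arguments use file:stream syntax; the record field names and the sample records are constructed for illustration.

```python
import ntpath
import re

# Leaf of the form "<file>:<stream>" with an optional ":$DATA" type suffix.
# "file.txt::$DATA" (the unnamed default stream) deliberately does not match.
_LEAF = re.compile(r'^(?P<file>[^:]+):(?P<stream>[^:\\/]+)(?::\$DATA)?$', re.I)
_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare word


def split_stream(path):
    """Return (host_file, stream_name) if path names an ADS, else None."""
    p = path.strip().strip('"')
    if '://' in p:                      # URLs carry colons too (scheme, port)
        return None
    drive, rest = ntpath.splitdrive(p)  # sets aside the drive letter's colon
    m = _LEAF.match(ntpath.basename(rest))
    if not m:
        return None
    host = drive + ntpath.join(ntpath.dirname(rest), m.group('file'))
    return host, m.group('stream')


def find_stream_execution(records):
    """List (index, field, host_file, stream) for every stream reference.

    Image-path hits are reliable; command-line hits are heuristic because
    any argument shaped like a:b will match.
    """
    hits = []
    for i, rec in enumerate(records):
        hit = split_stream(rec['image'])
        if hit:
            hits.append((i, 'image') + hit)
        for tok in _TOKEN.findall(rec['command_line']):
            hit = split_stream(tok)
            if hit:
                hits.append((i, 'command_line') + hit)
    return hits


# Constructed process-creation records; field names are assumptions.
SAMPLE = [
    {'image': r'C:\test\calc.exe:notepad.exe',
     'command_line': r'"C:\test\calc.exe:notepad.exe"'},
    {'image': r'C:\Windows\System32\notepad.exe',
     'command_line': r'notepad.exe C:\test\notes.txt'},
    {'image': r'C:\Program Files\Browser\browser.exe',
     'command_line': r'browser.exe https://example.com:8443/login'},
]
```

Only the first sample record is flagged, once for its image path and once for its command line.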




Archived in Security , Ramblings , 2003 , Windows










About the Geekette

I am a Computer and Network Technician. I love what I do for a living, as my work is also my hobby.

All of the technical information from the original Aleeya.net site became this site - GirlGeekette dotNet - and the remaining became what is now known as Aleeya dotNet. This site is where I store all of my notes related to computers and Technology so I may share it with others.
