> I could be wrong about the following so let me know if you know for a
> _fact_ that I am.
Your not wrong. My internet cache is about 1/2 a gig, sure would hurt
mapping drives waiting for that to 'transfer over'.
> No. The only reason you came to this conclusion is because it "looks" like
> this is what is happening.
Correct, they folder contains a desktop.ini file which invokes a name space
extension. The name space extension *always* browses your local Temporary
Internet Files regardless of the directory it's started in.
>From the original post the author stated:
> common investigation, it should lead you to something. You
> will find most recently visited sites, as well as cookies
> from the intruding computer (turn the tables on them =) ).
All I can get from this is the original poster shared a drive and then
noticed that his temp files 'appeared' to now be on the server. I can see
how one could initially get confused browsing 'your files' now apparently
residing there.
I guess Greg won't be updating the rootkit code to nuke the TIF files
anytime soon :)
Bill Sobel
Symantec
