echo: nthelp
to: John Beamish
from: John Beamish
date: 2006-07-15 13:35:30
subject: Re: NTFS - ADS (Alternate Data Streams).

From: "John Beamish" 

And just after posting my original message I found this:

http://www.cio.com/blog_view.html?CID=23011

'Invisible' Rootkit Heralds Trouble Ahead

The sixth and seventh paras read:

F-Secure noted Rustock's use of NTFS' Alternate Data Streams (ADS) as
one significant example of its advanced behavior.

"Saving your data into Alternate Data Streams is usually enough to hide
 from many tools," wrote F-Secure researcher Antti Tikkanen in a company
blog.



On Fri, 14 Jul 2006 13:15:55 -0400, John Beamish  wrote:

> The more technically-minded probably already knew about this.  We mere
> mortals, otoh, are not so knowledgeable!
>
>
> Start here:
> http://www.heysoft.de/nt/ntfs-ads.htm
>
> What is an alternate data stream (ADS)?
>
> In NTFS, a file consists of different data streams. One stream holds the
> security information (access rights and such things), another one holds
> the "real data" you expect to be in a file. There may be another stream
> with link information instead of the real data stream, if the file
> actually is a link. And there may be alternate data streams, holding
> data the same way the standard data stream does.
>
>
>
> Continue here: (thanks, Geo, for the link)
> http://www.sysinternals.com/Utilities/Streams.html

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
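
The streams described in the quoted text can be listed from a defender's side. This is an added example, not part of the original messages or the linked pages. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name Find-AlternateStream and the ads-demo scratch directory are hypothetical.

```powershell
# Added example: report alternate data streams (ADS) under a directory tree.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Stream names to skip. Zone.Identifier is the mark-of-the-web stream
        # that browsers attach to downloads (treated as expected here).
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the default one.
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object {
            # ':$DATA' is the unnamed default stream, the "real data" of the file.
            $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream
        } |
        Select-Object FileName, Stream, Length
}

# Constructed demonstration in a scratch directory (hypothetical name).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'note.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'extra' -Value 'data held in a second stream'

# An ordinary listing reports only the size of the default stream ...
Get-ChildItem -LiteralPath $demo | Select-Object Name, Length

# ... while the stream-aware scan also reports note.txt:extra.
Find-AlternateStream -Path $demo
```

The gap between the two outputs is the reason a tool that reads only the default stream does not see data stored in an alternate one.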
