Malware
nowm, 2014-01-13 01:28:31

Webmoney and alternate data streams (ADS) in the NTFS file system

Hello.
I recently became interested in the topic of alternate data streams in NTFS (Alternate Data Streams, ADS), and at some point I decided, just for fun, to scan the file system to see whether there are files with additional streams. Armed with the Sysinternals Streams utility, which can walk files and directories recursively, I started scanning the local drives.
There turned out to be many files with additional streams. For example, Thunderbird adds some streams to *.wdseml files. You can also often find ":Zone.Identifier:$DATA" streams, which, as I understand it, are added to files downloaded from the Internet. The data in them is 46 or 26 bytes in size. The content is something like this:

[ZoneTransfer]
ZoneId=3

It was all very interesting to learn until I came across the C:\ProgramData\TEMP directory, which had two streams: :41ADDB8A:$DATA and :A064CECC:$DATA. The content is binary. When I tried to google the stream names, all I found were threads like "I caught a virus", "how to get rid of a trojan", and the like. Moreover, there is no further information about what these streams are or what program creates them. They are mentioned as part of the OTL log, and OTL, as I understand it, removes them in the course of its work.
"Fine!", I thought, "I'll remove them too...". Deleted them. They disappeared. A couple of seconds later they reappeared. Deleted them again. They reappeared again. I rebooted into safe mode. Deleted them. They did not come back, great. I booted into normal mode and checked again: none. Then I started launching the programs I normally run, one at a time, while watching in parallel whether the streams had reappeared.
It turned out that these streams appear after Webmoney is launched. While the keeper is running, it keeps re-adding them after I delete them. Once it is closed, they stop reappearing after deletion.
I am not very experienced with binary data and don't know how to find out what kind of data is being written into these streams. But it is alarming that the wallet in which I keep a certain amount of money creates the very streams that are mentioned in virus-removal threads.
So the whole question is: has anyone encountered this behavior of the program, and is there any way to find out why Webmoney Keeper (Version 3.9.
Webmoney technical support did not respond.
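The procedure described in the post (walk a tree for extra streams, separate the expected Zone.Identifier marks from unknown ones, dump the unknown bytes, delete them and watch whether they come back) can be done without streams.exe. The following is an added example written for this page, not code from the original poster or from WebMoney. The root path, the sample output and the helper names are assumptions; only the two stream names and C:\ProgramData\TEMP come from the post. It targets Windows PowerShell 5.1 and PowerShell 7 on an NTFS volume.

```powershell
# Added example (not from the original post or from WebMoney): inventory,
# inspect and remove NTFS alternate data streams with PowerShell 5.1 or 7.
# $Root and the sample paths are assumptions; the two stream names below are
# the ones reported in the post. Run elevated if C:\ProgramData is in scope.

# Streams treated as expected. ':$DATA' is the unnamed default stream every
# file has; 'Zone.Identifier' is the mark-of-the-web that Explorer and browsers
# attach to downloads. Extend this list as you learn your environment.
$KnownStreams = @(':$DATA', 'Zone.Identifier')

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Root)
    # Directories can carry streams too (the post's C:\ProgramData\TEMP is one),
    # so the root itself and every child are checked. -Force includes hidden
    # and system entries. Windows PowerShell 5.1 may not list streams on
    # directories; Sysinternals "streams -s <dir>" does.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FileName
                    Stream = $_.Stream
                    Length = $_.Length
                    Known  = ($KnownStreams -contains $_.Stream)
                }
            }
    }
}

function Get-AdsBytes {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    # Raw bytes of one stream. The byte-reading switch was renamed in PowerShell 6.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0)
    } else {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0)
    }
}

function Format-HexDump {
    param([byte[]]$Bytes, [int]$Max = 64)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return '<empty stream>' }
    $end = [Math]::Min($Max, $Bytes.Length) - 1
    ($Bytes[0..$end] | ForEach-Object { $_.ToString('x2') }) -join ' '
}

function Read-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # Parses the INI-style mark-of-the-web. "[ZoneTransfer]`r`nZoneId=3`r`n" is
    # exactly 26 bytes, which matches the smaller size seen in the post; newer
    # Windows builds append ReferrerUrl/HostUrl lines, making the stream longer.
    $zones = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    $fields = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        Zone        = if ($null -ne $zoneId) { $zones[$zoneId] } else { $null }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Remove-Ads {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Stream)
    # Deletes only the named stream; the file or directory itself is untouched.
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# --- usage (assumed root) ---
$Root = 'C:\ProgramData'
$inventory = Get-AdsInventory -Root $Root
$unknown = $inventory | Where-Object { -not $_.Known }
$unknown | Format-Table Path, Stream, Length -AutoSize
foreach ($ads in $unknown) {
    Write-Host ("{0}:{1}  {2}" -f $ads.Path, $ads.Stream, (Format-HexDump (Get-AdsBytes $ads.Path $ads.Stream)))
}

# Delete the two streams named in the post, wait, and re-check: while the
# keeper is running this reproduces the "they came back" observation.
$target = 'C:\ProgramData\TEMP'
foreach ($name in '41ADDB8A', 'A064CECC') {
    if (Get-Item -LiteralPath $target -Stream $name -ErrorAction SilentlyContinue) {
        Remove-Ads -Path $target -Stream $name
    }
}
Start-Sleep -Seconds 5
Get-Item -LiteralPath $target -Stream * -ErrorAction SilentlyContinue | Select-Object FileName, Stream, Length
```

To attribute the writer rather than guess by closing programs one at a time, run Sysinternals Process Monitor with a Path filter containing `C:\ProgramData\TEMP:` (ADS writes show up as the path with a colon and the stream name appended), or, where Sysmon is deployed, look at Event ID 15 (FileCreateStreamHash), which records the image that created a named stream and a hash of its content. Sysinternals `streams -s -d <dir>` remains the one-liner for recursive deletion, but it removes every named stream, including Zone.Identifier marks.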

1 answer(s)
Maedo, 2015-08-30

I confirm, the same garbage with 3.9.9.5, build 3803 (29194)
Support is silent.
