What are these?


Blackspear
June 3rd, 2004, 06:59 AM
I have a new person sharing my home PC at the moment, I noticed in ZoneAlarm a file called: File Transfer Program had tried to access the internet, it is located in:

C:\Windows\System32\ftp.exe
29/08/2002

When I went to investigate I found lots of other .exe files with the same date or 24/08/2002 and the same file picture. This may be just a coincidence, however I don't remember seeing them there before...

Help appreciated...

Cheers ;D

Primrose
October 11th, 2005, 03:01 PM
C:\Windows\System32\ftp.exe
29/08/2002

Could just be legit stuff... even an update if you have Win2000 or XP.

They break down like this:

ACTMOVIE.EXE (DirectShow Setup Tool). Part of the DirectX series of tools. Used for media capture and playback.

ALG.EXE (Application Layer Gateway Service). Used to configure the different accessibility options of your system.

APPEND.EXE (Append). Allows applications to open or access files in folders other than the current working, or active, folder by appending the path parameter. This utility is from MS-DOS 5.0.

ARP.EXE (ARP). The Address Resolution Protocol command-line utility used to manage the ARP cache on TCP/IP systems.

ASR_FMT.EXE (ASR). The Automated System Recovery utility.

ASR_LDM.EXE (ASR). The Logical Disk Manager ASR utility.

ASR_PFU.EXE (ASR). The Automated System Recovery Protected Files utility.

AT.EXE (AT). Used to schedule tasks to occur at a specific time and date. It requires that the Scheduler service be running.
Here's what I found on ZA help for question "what's passive mode anyway?"

"FTP

If you are having difficulties with your FTP program, make sure that the FTP program is on your Programs List.

FTP programs require local server rights. The configuration needs to have Passive or PASV mode enabled, which tells the client to use the same port for communication in both directions. Enable that option in your FTP program."

But also the SDbot and Patch came later in 2005...
The worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

http://tech-recipes.com/modules.php?name=Forums&file=viewtopic&t=664&view=previous
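One way a defender could triage the kind of ftp.exe alert discussed above, as an added example that is not part of the original thread: it scans constructed process-creation log lines for ftp.exe started in script mode (the real `-s:` switch, which is how a dropped FTP script gets executed) and rates each hit by whether the parent process is an interactive shell. The log line format, the sample lines and the list of interactive parents are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the original thread).
# Assumed format: "key=value" fields separated by " | ".
SAMPLE_LOG = """\
time=2005-10-11T14:01:02 | image=C:\\Windows\\System32\\ftp.exe | parent=C:\\Windows\\System32\\cmd.exe | cmdline=ftp ftp.example.org
time=2005-10-11T14:05:17 | image=C:\\WINDOWS\\system32\\ftp.exe | parent=C:\\WINDOWS\\system32\\services.exe | cmdline=ftp -n -s:C:\\WINDOWS\\TEMP\\x.tmp 192.0.2.10
time=2005-10-11T14:06:40 | image=C:\\Program Files\\FileZilla\\filezilla.exe | parent=C:\\Windows\\explorer.exe | cmdline=filezilla.exe
time=2005-10-11T14:07:03 | image=C:\\Windows\\System32\\ftp.exe | parent=C:\\Windows\\explorer.exe | cmdline=ftp -s:C:\\Users\\me\\upload.txt
"""

# Assumed set of parents that indicate a person typed the command.
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe", "powershell.exe"}
# ftp.exe's script switch: "-s:filename" runs commands from a file.
SCRIPT_FLAG = re.compile(r"(?:^|\s)-s:(\S+)", re.IGNORECASE)

@dataclass
class Finding:
    time: str
    parent: str
    script: str
    severity: str

def parse_line(line):
    """Split one 'key=value | key=value' event line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_log(text):
    """Return a Finding for every ftp.exe launch that used a script file."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if basename(ev.get("image", "")) != "ftp.exe":
            continue
        m = SCRIPT_FLAG.search(ev.get("cmdline", ""))
        if not m:
            continue  # interactive ftp session, not script-driven
        parent = basename(ev.get("parent", ""))
        # A script-driven ftp.exe spawned by a service or unknown parent
        # is the pattern worth looking at first.
        severity = "low" if parent in INTERACTIVE_PARENTS else "high"
        findings.append(Finding(ev["time"], parent, m.group(1), severity))
    return findings
```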

big ed
October 11th, 2005, 04:38 PM
Good job Primster,

Timely responses are what it's all about. Kinda like your daily 'Hoorah Brigade' security reports!!

Bunkered down in Battle Creek, Battered ed

Joliet Jake
October 11th, 2005, 07:56 PM
Should maybe PM Blackspear that as he's most likely forgotten he even made that post...:P

Me /GlobalForce
October 11th, 2005, 08:49 PM
I'll second that! ;D;)

GF