What are these?

Discussion in 'other security issues & news' started by Blackspear, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Dec 2, 2002
    Gold Coast, Queensland, Australia
    I have a new person sharing my home PC at the moment, I noticed in ZoneAlarm a file called: File Transfer Program had tried to access the internet, it is located in:


    When I went ot investigate I have found lots of other .exe files with the same date or 24/08/2002 and same file picture. This may be just a coincidence, however I don't remember seeing them there before...

    Help appreciated...

    Cheers :D

    Attached Files:

  2. Primrose

    Primrose Registered Member

    Sep 21, 2002

    could just be legit stuff..even a update if you have win2000 or XP..

    They breakdown like this..

    ACTMOVIE.EXE (DirectShow Setup Tool). Part of the the DirectX series of tools. Used for media capture and playback.

    ALG.EXE (Application Layer Gateway Service). Used to configure the different accessibility options of your system.

    APPEND.EXE (Append). Allows applications to open or access files in folders other than the current working, or active, folder by appending the path parameter. This utility is from MS-DOS 5.0.

    ARP.EXE (ARP). The Address Resolution Protocol command-line utility used to manage the ARP cache on TCP/IP systems.

    ASR_FMT.EXE (ASR). The Automated System Recovery utility.

    ASR_LDM.EXE (ASR). The Logical Disk Manager ASR utility.

    ASR_PFU.EXE (ASR). The Automated System Recovery Protected Files utility.

    AT.EXE (AT). Used to schedule tasks to occur at a specific time and date. It requires that the Scheduler service be running.

    Here's what I found on ZA help for question "what's passive mode anyway?"


    If you are having difficulties with your FTP program, make sure that the FTP program is on your Programs List.

    FTP programs require local server rights. The configuration needs to have Passive or PASV mode enabled, which tells the client to use the same port for communication in both directions. Enable that option in your FTP program."

    But also the SDbot and Patch came later in 2005..
    The worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.


  3. big ed

    big ed Registered Member

    Aug 12, 2003
    Ye Olde New England
    Good job Primster,

    Timely responses is what it's all about. Kinda like your daily 'Hoorah Brigade' security reports!!

    Bunkered down in Battle Creek, Battered ed
  4. Joliet Jake

    Joliet Jake Registered Member

    Mar 1, 2005
    Should maybe PM Blackspear that as he's most likely forgotten he even made that post...:p
  5. I'll second that! :D;)

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.