What are these?

Discussion in 'other security issues & news' started by Blackspear, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have a new person sharing my home PC at the moment. I noticed in ZoneAlarm that a file called "File Transfer Program" had tried to access the internet; it is located in:

    C:\Windows\System32\ftp.exe
    29/08/2002

    When I went to investigate, I found lots of other .exe files with the same date, or 24/08/2002, and the same file picture. This may be just a coincidence, however I don't remember seeing them there before...

    Help appreciated...

    Cheers :D

  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    C:\Windows\System32\ftp.exe
    29/08/2002

    Could just be legit stuff... even an update if you have Win2000 or XP...

    They break down like this...

    ACTMOVIE.EXE (DirectShow Setup Tool). Part of the DirectX series of tools. Used for media capture and playback.

    ALG.EXE (Application Layer Gateway Service). Used to configure the different accessibility options of your system.

    APPEND.EXE (Append). Allows applications to open or access files in folders other than the current working, or active, folder by appending the path parameter. This utility is from MS-DOS 5.0.

    ARP.EXE (ARP). The Address Resolution Protocol command-line utility used to manage the ARP cache on TCP/IP systems.

    ASR_FMT.EXE (ASR). The Automated System Recovery utility.

    ASR_LDM.EXE (ASR). The Logical Disk Manager ASR utility.

    ASR_PFU.EXE (ASR). The Automated System Recovery Protected Files utility.

    AT.EXE (AT). Used to schedule tasks to occur at a specific time and date. It requires that the Scheduler service be running.

    Here's what I found in ZA help for the question "what's passive mode anyway?"

    "FTP

    If you are having difficulties with your FTP program, make sure that the FTP program is on your Programs List.

    FTP programs require local server rights. The configuration needs to have Passive or PASV mode enabled, which tells the client to use the same port for communication in both directions. Enable that option in your FTP program."


    But also the SDbot and patch came later in 2005...
    The worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.

    http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

    http://tech-recipes.com/modules.php?name=Forums&file=viewtopic&t=664&view=previous
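    The launch pattern described in the post above (an FTP script written to disk, then FTP.EXE started to fetch and run a payload) is also what a defender can look for in process-creation logs. The following is an added example, not code from this thread, from ZoneAlarm or from Microsoft: it parses a few constructed process-creation events in an assumed `timestamp | parent image | image | command line` layout and flags runs of ftp.exe driven by a `-s:` script file, noting an unusual parent process and a script kept in a temp directory. Ordinary interactive use of ftp.exe from a command prompt is left alone.

```python
"""Flag ftp.exe launches that are driven by a script file (ftp -s:<file>).

Added example for this thread, not the forum's or any vendor's code.
The event lines below are constructed for illustration; the field layout
(timestamp | parent image | image | command line) is an assumption, not
the format of any particular logging product.
"""
import re

# Constructed process-creation events (assumed layout, see module docstring).
SAMPLE_EVENTS = """\
2004-06-03T10:00:01 | C:\\WINDOWS\\explorer.exe | C:\\WINDOWS\\system32\\cmd.exe | cmd.exe
2004-06-03T10:00:05 | C:\\WINDOWS\\system32\\cmd.exe | C:\\WINDOWS\\system32\\ftp.exe | ftp ftp.example.org
2004-06-03T10:02:17 | C:\\WINDOWS\\system32\\svchost.exe | C:\\WINDOWS\\system32\\ftp.exe | ftp -n -s:C:\\WINDOWS\\TEMP\\x.ftp
2004-06-03T10:02:19 | C:\\Program Files\\Backup\\backup.exe | C:\\WINDOWS\\system32\\ftp.exe | FTP.EXE -i -s:"C:\\Program Files\\Backup\\nightly.txt"
2004-06-03T10:03:40 | C:\\WINDOWS\\explorer.exe | C:\\WINDOWS\\system32\\notepad.exe | notepad C:\\readme.txt
"""

# The real ftp.exe client takes -s:<file> to read commands from a script
# file. Capture the path whether it is quoted or bare, case-insensitively.
SCRIPT_SWITCH = re.compile(r'(?i)(?:^|\s)-s:(?:"([^"]+)"|(\S+))')

# Parents that normally start ftp.exe when a person is typing commands.
# Anything else starting a scripted ftp.exe deserves a second look.
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe"}


def parse_event(line):
    """Split one assumed-format event line into its four fields."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        raise ValueError("unexpected field count in event: %r" % line)
    ts, parent, image, cmdline = parts
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ftp_script_path(cmdline):
    """Return the -s: script path from an ftp command line, or None."""
    match = SCRIPT_SWITCH.search(cmdline)
    if not match:
        return None
    return match.group(1) or match.group(2)


def detect_scripted_ftp(log_text):
    """Return one finding per ftp.exe launch that uses a script file."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if basename(ev["image"]) != "ftp.exe":
            continue
        script = ftp_script_path(ev["cmdline"])
        if script is None:
            continue  # interactive ftp session: not the pattern we want
        parent = basename(ev["parent"])
        reasons = ["ftp.exe driven by script file %s" % script]
        if parent not in INTERACTIVE_PARENTS:
            reasons.append("unusual parent %s" % parent)
        if "\\temp\\" in script.lower():
            reasons.append("script in a temp directory")
        findings.append({"ts": ev["ts"], "parent": parent,
                         "script": script, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_scripted_ftp(SAMPLE_EVENTS):
        print("%s parent=%s: %s" % (f["ts"], f["parent"], "; ".join(f["reasons"])))
```

    On the constructed events this reports the svchost.exe-spawned ftp.exe with a script in the TEMP directory and the backup.exe-spawned one (a scheduled backup job is a common legitimate source of scripted FTP, which is why the parent is reported rather than treated as proof of anything). To use it on a real machine, feed it process-creation events converted to the same four-field layout and review each finding against what the parent program is supposed to do.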
     
  3. big ed

    big ed Registered Member

    Joined:
    Aug 12, 2003
    Posts:
    3,137
    Location:
    Ye Olde New England
    Good job Primster,

    Timely responses are what it's all about. Kinda like your daily 'Hoorah Brigade' security reports!!

    Bunkered down in Battle Creek, Battered ed
     
  4. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Should maybe PM Blackspear that as he's most likely forgotten he even made that post...:p
     
  5. I'll second that! :D;)

    GF
     