"Unusual TFTP files"

In article 826955 concerning the Blaster worm, Microsoft recommends looking
for "unusual *TFTP files" but then never explains which TFTP files ARE
unusual. What TFTP are normally found on an XP computer?
Thank you.

From: "Tref" <>

| In article 826955 concerning the Blaster worm, Microsoft recommends looking
| for "unusual *TFTP files" but then never explains which TFTP files ARE
| unusual. What TFTP are normally found on an XP computer?
| Thank you.

On WinXP or Win2K on TFTP.EXE.

http://vil.nai.com/vil/content/v_100547.htm
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly
revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown

So if you find files like; TFTP2453, TFTP1257, TFTP6743, etc.

The Lovsan/Blaster is NOT the only infector that will create this type of file. If the are
found, the system *must* be scanned by anti virus software and not just the tools Microsoft
provides becuase they are insufficient and not Broadspectrum enough.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Thank you


"David H. Lipman" wrote:

> On WinXP or Win2K on TFTP.EXE.
>
> http://vil.nai.com/vil/content/v_100547.htm
> - Presence of unusual TFTP* files
> - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
> - Error messages about the RPC service failing (causes system to reboot)
> - The worm randomly opens 20 sequential TCP ports for listening. This is a constantly
> revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown
>
> So if you find files like; TFTP2453, TFTP1257, TFTP6743, etc.
>