Thread: Tftp

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    8

    Tftp

    Man, I wish I came to this site sooner.
    I do have in windows/sys 32 an app file called tftp, but nowhere in sight a msblast.exe or any other file that was mentioned as aka's for the virus/worm. Does the sys32 usually have a tftp file in it????
    I ran the fix program to remove the virus, but it didn't detect it, and did the windows update like instructed.

    But what concerns me also is that I CAN'T go into regedit. I'm reading how to remove crap from regedit, and every time I open that window, it closes. What is going on, someone? No one has brought that up yet, with all the virus discussion. I'm on XP by the way.
    thanks

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    207
    As for TFTP, if you didn't put it there, then it's a pretty good sign somebody else did, or the worm did. Have you tried booting in safe mode, then trying to run regedit?

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Windows now comes with a tftp client... it's supposed to be there. The worm just uses it to download more things onto your computer.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Please change the location of the tftp client (tftp.exe) to some place which is out of your system environment PATH... and remember the location you placed tftp.exe so that in case you need to use it you can... I hope you are not using remote booting, because if you are to boot remotely the tftp.exe has to be placed in the proper place again... but for the time being I think it is a good measure to take under the given circumstances.
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    I'm using 2k so I just renamed it to .ex_ in both system32 and i386.

  6. #6
    Junior Member
    Join Date
    Feb 2003
    Posts
    19
    Sounds like you might have a virus

    http://us.mcafee.com/virusInfo/default.asp?id=lovsan

  7. #7
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    Well, Lovsan is MSBlaster.. Try this one.. It attacks Tftp

    First McAfee : http://us.mcafee.com/virusInfo/defau...virus_k=100549
    Then Symantec: http://securityresponse.symantec.com....randex.e.html

    That's right, W32/Spybot.worm.lz & W32.Randex.E, same virus.. Both using the same DCOM RPC vuln..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Senior Member Maestr0
    Join Date
    May 2003
    Posts
    604
    TFTP is trivial ftp or sometimes known as tiny ftp. It is a standard OS install file for NT based systems and does not mean you have a virus, it's just a really convenient program for viruses and hackers to abuse. As some have suggested you can rename it, although I would suggest you check to see if Windows File Protection restores the file when you're not looking (File protection can be removed via the registry, if anyone wants the keys just ask). My personal strategy is to secure all my system binaries by removing all execute access rights from them except an explicit execute right to an admin account. 8 times out of 10 an exploit will be running under SYSTEM rights, so removing any execute rights by SYSTEM to files such as tftp.exe, cmd.exe, command.com and many, many others (I can also provide a list of dangerous binaries to anyone interested.) is a good practice. Although disabling the WFP and removing the files is not necessary, in the case of machines which are more likely to be attacked (aka Webserver) this can sometimes be the extra step to keep you from getting owned, however if a virus starts overwriting your system files don't come crying to me.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
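
A read-only way to check the state post #8 describes, as an added example that is not from any poster in this thread: it reports whether the binaries named above are present in System32 and which SIDs hold execute rights on them, flagging SYSTEM. It assumes a Windows version with PowerShell 3.0 or later; the function name `Get-ExecuteAce` is hypothetical.

```powershell
# Added example: read-only audit of who may execute the binaries named in this thread.
# It changes nothing; it only reports file presence and Allow/Deny execute ACEs.
$names     = 'tftp.exe', 'cmd.exe', 'command.com'    # binaries named in post #8
$dir       = Join-Path $env:SystemRoot 'System32'
$systemSid = 'S-1-5-18'                              # well-known SID of LocalSystem
$execute   = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-ExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the SYSTEM check works on localized installs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Skip ACEs that do not include the execute bit.
        if (($ace.FileSystemRights -band $execute) -ne $execute) { continue }
        [pscustomobject]@{
            File      = Split-Path $Path -Leaf
            Type      = $ace.AccessControlType.ToString()   # 'Allow' or 'Deny'
            Sid       = $ace.IdentityReference.Value
            IsSystem  = $ace.IdentityReference.Value -eq $systemSid
            Inherited = $ace.IsInherited
        }
    }
}

$report = foreach ($name in $names) {
    $path = Join-Path $dir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Get-ExecuteAce -Path $path
    } else {
        # Absent or renamed, as suggested in posts #4 and #5; rerun later to see if it came back.
        [pscustomobject]@{ File = $name; Type = 'Missing'; Sid = ''; IsSystem = $false; Inherited = $false }
    }
}

# Full picture: every execute ACE per file, plus files that are missing.
$report | Sort-Object File, Type | Format-Table -AutoSize

# Entries to review under the strategy in post #8: SYSTEM is still allowed to execute.
$report | Where-Object { $_.Type -eq 'Allow' -and $_.IsSystem } | Select-Object File, Inherited
```

Run it from a 64-bit PowerShell session on 64-bit Windows, since a 32-bit session is redirected from System32 to SysWOW64. A Deny entry for the same SID overrides an Allow, so read both rows for a file together.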
