TFTP2160

An Avast scan found the virus: C:\windows\system32\TFTP2160 win32:lovesan-D (Wrm). A search on this forum found nothing and Google did not come up with anything useful.

As recommended in your Sticky I submitted it to Jotti. 7 programs found something and 14 found nothing.

I also found a post in this forum by David R which recommended Virus Total. I submitted the file there and 18 programs found something whilst 23 found nothing.

What is the best way to interpret results like this?

Blaster Worm

Also known as: W32.Blaster.Worm, Msblast.A, W32/Msblast.D, Worm.Win32.Lovesan, W32.Blaster.D.Worm, Lovsan worm, Lovsan.D

http://www.spywareguide.com/product_show.php?id=586

Easy really, the detection is good as with this many detections it limits the possibility of it being a false positive. If only one, two or even three detected something it could be an FP, but not so with larger numbers.

You didn’t give the full path and file name, as this C:\windows\system32\TFTP2160 is a folder unless it is a file without a file type.

When you get no hits on a Google search for the file name, and that is for a file within the system32 folder (or sub-folder), then that in itself is suspicious in my opinion.

So you should allow avast to send it to the chest, if you haven’t done so already. There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Sorry, I should have mentioned that there was no extension. TFTP2160 is the file name. And, yes, I sent it to the Chest as soon as it was detected.

OK

You might also want to run these tools to see if it didn’t have any friends that placed it there.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

I run Malwarebytes and SuperAntispyware, and also Spybot, once a week or so - in fact I sometimes feel that I spend half my life protecting the damned PC!

The file itself is only 1 kB and Properties gives no clue. I guess I’d better just leave it in the Chest and see if some program ever complains that it’s missing. One of life’s little mysteries, I suppose.

Could just be remnants if nothing else is found. I hate mysteries too.

Hi Berzelius,

I hope DavidR is right and these are remnants of an infection, and not signs of a Win32 Spybot infection.
TFTP [port 69] = Trivial File Transfer Protocol used for uploading and downloading files to and from TFTP host servers, which do not restrict access. Block only for outbound (outgoing).

This is evidence of what is called an “autorouter” trojan. It probably came in through your RPC ports. This attack has already been seen against the vulnerability described in MS03-026.

You need to run your anti-virus and anti-spyware programs (MBAM & SAS) to identify this trojan and begin to remove it. But disconnect from the Internet immediately to prevent the hacker from accessing your machine from the Internet and possibly installing other trojans and malware. Once they are in and your machine “phones home”, the game is up, so move quickly.

Worst case, you have to do a clean reinstall to rid all vestiges of programs that compromise your system security.

polonus