Unity help! CSA and TFTP.exe

jgentsch
Level 1

Before I go to TAC, I wanted to see if I could get an answer here. I have a Unity box where CSA and event viewer are constantly having errors regarding tftp.exe and svchost.exe. I can give more detailed errors later; I am rebooting the server currently. I believe these to be viruses but I wanted to see if anyone else has encountered this?


Hin Lee
Cisco Employee

I got this off a Google search but I have not confirmed the facts:

W32/Nachi-A uses two files, dllhost.exe (10,240 bytes) and svchost.exe (19,728 bytes). Dllhost.exe is the main worm component and svchost.exe is a standard TFTP (Trivial File Transfer Protocol) server that is only used by the worm to transfer itself from a source to a target machine.

When the worm is run, it copies itself into the \Wins folder as dllhost.exe and uses the Windows Service Control Manager to create new Windows Services. The services RpcPatch and RpcTftpd are created. RpcPatch, with the description "Network Connections Sharing", runs the copy of the worm and RpcTftpd, with the description "WINS Client", runs the accompanying TFTP server.

The worm then scans the network for computers on which to execute exploits. An ICMP Ping packet is sent first to check if a host is online. The Ping packet is followed by a WebDAV search request or an RPC DCOM exploit. If the exploit is successful, W32/Nachi-A uses tftp.exe to copy the worm files from the source system.

Once the system is infected, W32/Nachi-A attempts to download and run security patches from Microsoft's update websites. Depending on the operating system language, W32/Nachi-A chooses the download URL from the following list:

http://groups.google.com/groups?hl=en&lr=&threadm=L0Cdneo7-62mJhiiU-KYgA%40comcast.com&rnum=1&prev=/groups%3Fq%3Dtftp.exe%2Bsvchost.exe%26hl%3Den
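The worm description quoted above gives host-level indicators you can check on the Unity box before calling TAC: the service names RpcPatch and RpcTftpd with their display names, and copies of dllhost.exe (10,240 bytes) and svchost.exe (19,728 bytes) running from a Wins folder rather than from System32 itself. The script below is an added example, not code from the thread or from Cisco; it applies those indicators to a service inventory. The record format is an assumption: on a live host you would build the dicts from `sc qc <name>` or WMI Win32_Service (Name, DisplayName, PathName) plus the file size from os.path.getsize, and the sample inventory at the bottom is constructed.

```python
"""Triage a Windows service inventory for the W32/Nachi-A indicators
quoted in the thread: services RpcPatch / RpcTftpd and the worm's
dllhost.exe (10,240 bytes) / svchost.exe (19,728 bytes) run from a Wins folder.

Added example, not from the thread. The record format is an assumption:
on a live host build these dicts from `sc qc <name>` or WMI Win32_Service
(Name, DisplayName, PathName) plus os.path.getsize on the executable.
"""
from pathlib import PureWindowsPath

# Indicators taken from the worm description (Windows names are case-insensitive).
NACHI_SERVICES = {
    "rpcpatch": "Network Connections Sharing",  # runs the worm copy
    "rpctftpd": "WINS Client",                  # runs the bundled TFTP server
}
NACHI_FILES = {
    "dllhost.exe": 10240,  # main worm component
    "svchost.exe": 19728,  # renamed TFTP server
}


def exe_from_image_path(image_path):
    """Strip service arguments from an ImagePath and return the executable.

    Heuristic: honour a quoted path; otherwise cut after the first '.exe'
    so unquoted paths containing spaces survive; else take the first token.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    idx = image_path.lower().find(".exe")
    if idx != -1:
        return image_path[: idx + 4]
    return image_path.split()[0] if image_path else ""


def service_indicators(svc):
    """Return the reasons (possibly none) a service record matches Nachi."""
    reasons = []
    name = svc["name"].lower()
    if name in NACHI_SERVICES:
        reasons.append(f"service name {svc['name']} is a Nachi service name")
        if svc.get("display_name", "").strip().lower() == NACHI_SERVICES[name].lower():
            reasons.append(f"display name {svc['display_name']!r} matches Nachi")

    exe = PureWindowsPath(exe_from_image_path(svc.get("binary_path", "")))
    in_wins_dir = any(part.lower() == "wins" for part in exe.parts[:-1])
    if exe.name.lower() in NACHI_FILES and in_wins_dir:
        # Legitimate svchost.exe / dllhost.exe live in System32 itself;
        # the worm drops its copies in a Wins subfolder.
        reasons.append(f"{exe.name} is run from a Wins folder: {exe}")
        if svc.get("size_bytes") == NACHI_FILES[exe.name.lower()]:
            reasons.append(f"size {svc['size_bytes']} bytes matches Nachi {exe.name}")
    return reasons


def triage(services):
    """Map service name -> list of reasons, for every service that matched."""
    hits = {}
    for svc in services:
        reasons = service_indicators(svc)
        if reasons:
            hits[svc["name"]] = reasons
    return hits


# Constructed sample inventory (sizes and GUID are made up): two legitimate
# services and the two the worm description says it creates.
SAMPLE_SERVICES = [
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "binary_path": r"C:\WINNT\system32\svchost -k rpcss", "size_bytes": 8464},
    {"name": "COMSysApp", "display_name": "COM+ System Application",
     "binary_path": r"C:\WINNT\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}",
     "size_bytes": 5632},
    {"name": "RpcTftpd", "display_name": "WINS Client",
     "binary_path": r"C:\WINNT\System32\Wins\svchost.exe", "size_bytes": 19728},
    {"name": "RpcPatch", "display_name": "Network Connections Sharing",
     "binary_path": r"C:\WINNT\System32\Wins\dllhost.exe", "size_bytes": 10240},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A match on the service name or display name alone is weak (an administrator can name a service anything), so the script reports every reason separately; the combination of a Nachi service name, a Wins-folder path and the exact byte count is what you would hand to TAC. The file-size check is the most fragile of the three, since any other variant or a different TFTP server build changes it, which is why it is only reported on top of a path match.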