RE: Amlafvc.exe?Nov 16 2004 01:23PM Robert J. Wright (bwrig zdgt com)
Hi Jim,
I haven't heard of this file before, but that doesn't mean its legit... In
this case I would obtain something towards the effect of the program "Open
Ports" to see if its accepting outside connections... I would also use my
firewall and capture the traffic to and from that box, (you can also use
tcpdump)... The reason im focusing my thoughts towards the network, is that
it sounds like its probably a bot or worm of some sort and would be easily
detected via one of the above methods.
Robert J. Wright
Network Administrator
Zollinger, D'Atri, Gruber, Thomas & Co.
-----Original Message-----
From: Jim McBurnett [mailto:jim (at) tgasolutions (dot) com [email concealed]]
Sent: Monday, November 15, 2004 8:49 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: Amlafvc.exe?
Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.
I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry as Microsoft Update machine.
BUT there is nothing on the Microsoft website about it.
And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.
It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1
IDEAS?
Thanks,
Jim
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
I haven't heard of this file before, but that doesn't mean its legit... In
this case I would obtain something towards the effect of the program "Open
Ports" to see if its accepting outside connections... I would also use my
firewall and capture the traffic to and from that box, (you can also use
tcpdump)... The reason im focusing my thoughts towards the network, is that
it sounds like its probably a bot or worm of some sort and would be easily
detected via one of the above methods.
Robert J. Wright
Network Administrator
Zollinger, D'Atri, Gruber, Thomas & Co.
-----Original Message-----
From: Jim McBurnett [mailto:jim (at) tgasolutions (dot) com [email concealed]]
Sent: Monday, November 15, 2004 8:49 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: Amlafvc.exe?
Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.
I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry as Microsoft Update machine.
BUT there is nothing on the Microsoft website about it.
And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.
It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1
IDEAS?
Thanks,
Jim
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]