Why Does a File of the Form TFTPxxx Try to Run at Startup?

A file of the form TFTPxxx (where xxx = numbers) attempts to run at system start and Windows does not know how to do that. Why does it happen?

The Windows Trivial File Transfer Program is a small file transfer client provided with Windows (this differs from the FTP commonly talked about and is not a substitute for it; see the references below). When run, that program sometimes leaves behind a file of the form TFTPxxx in whatever directory was the default when the program ran. The files are harmless; they are just left over from the Trivial FTP program running. That explains where the file comes from. Now we need to backtrack a bit…

On 16 July 2003 Microsoft released a patch to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. Without the patch, computers were vulnerable to crackers or programs that could enter the computer and run arbitrary code on it. Unfortunately, most people either did not know about the patch or ignored it. A description of the vulnerability and links to the patch are on the Microsoft site…

http://support.microsoft.com/?kbid=823980

About a month later, a modified form of the Blaster Worm was released which specifically targeted this vulnerability. While the worm did little damage to an infected computer, it did run the Windows Trivial FTP client to send itself to other computers. Because it used the Startup directory as the default, that program dropped TFTPxxx files into the Startup directory in the process. The next time Windows started, it encountered these files and did not know how to run them. Windows then asked users to specify a program or search the Internet. Many picked the second option and ended up at the FILExt site, leading eventually to this FAQ, which is also posted on the FILExt site.

What should you do?

If you have not already, download and IMMEDIATELY install the Windows patch described above. This will stop further incoming attacks.

Once you have done that, you need to get rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. Computer Knowledge makes no specific recommendation. A list of the major anti-virus software vendors can be found here as part of the CKnow Virus Tutorial.

You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of software firewalls that work just fine. CKnow takes no position on which firewall you should use. It’s your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.

Finally, the TFTPxxx files appear in the Startup Group in Windows. You should be able to see them by choosing Start | Program Files | Startup and they should therefore be in the folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ for Windows XP or the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup for Windows Vista.

Delete these files (they may be read-only and, if so, you may have to right-click the file, select Properties, and uncheck the Read-only attribute). As indicated above, these files are not dangerous. They just clutter up the Startup directory and cause Windows to pause to ask you about them during Startup.
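
The check and cleanup described above can also be done from a PowerShell prompt. The script below is an added example, not part of the original FAQ. It assumes PowerShell is installed, that the leftover names are exactly "TFTP" followed by digits with no extension, and it uses a -Delete switch whose name was chosen here for illustration. Without -Delete it only reports what it finds.

```powershell
# Added example: report, and optionally remove, leftover TFTP<digits> files
# from the all-users Startup folders named in this FAQ.
param(
    [switch]$Delete   # hypothetical switch name; omit it for a report-only run
)

# Startup folder locations as given in the FAQ (Windows XP and Windows Vista).
$startupDirs = @(
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
)

foreach ($dir in $startupDirs) {
    # Skip a location that does not exist on this version of Windows.
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # -Force includes hidden files. The anchored pattern matches only names that
    # are "TFTP" followed by digits, so legitimate Startup shortcuts are left alone.
    $leftovers = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^TFTP\d+$' }

    foreach ($file in $leftovers) {
        # Print path, size and timestamp first so there is a record of what was found.
        '{0}  {1} bytes  modified {2}' -f $file.FullName, $file.Length, $file.LastWriteTime

        if ($Delete) {
            # Clear the read-only attribute (the Properties step in the FAQ), then delete.
            if ($file.IsReadOnly) { $file.IsReadOnly = $false }
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
}
```

On Windows Vista the first path can resolve to the same folder as the second, so a report-only run may list a file twice.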

Then, keep your firewall and anti-virus software up to date at all times.

Install Windows security patches when released.

Added note: Other malware has started to appear that uses the Trivial FTP program and, therefore, leaves TFTPxxxx files on systems. Some of these files can contain signatures of the malware and can be tagged by anti-virus software as being infected. The solution is the same as above: make certain you have all the latest Microsoft Critical Updates and delete the leftover files. The anti-virus software should remove the malware itself, or the vendor's Website should have a program that will do the removal.

More Information