On Mon, 18 Aug 2003 19:16:30 -0700, Thomas wrote
Within the last couple of weeks, the wormblast virus
infected my computer. At the same time, a message pops
up during startup stating that my computer cannot open
the sxe*.tmp file (sxe1, sxe2, sxe3, etc.). I also
found this file in a Windows Prefetch folder: sxe2.tmp-1R8B65A2.pf.
Are these files and folders supposed to be
on my computer? If not, how do I delete them? I
appreciate any advice you can give me.
The presence of sxe1.tmp, sxe2.tmp, sxe3.tmp, etc. (sxe*.tmp) files is often an
indication of a backdoor IRC Trojan. These Trojan Horse programs can allow a
remote attacker complete control of a victim PC.
It is also possible these files are innocent. To determine whether or not
there is a problem, I would scan *all* files with an up-to-date virus
scanner set to look for "potentially unwanted programs" (the name of this
setting may vary by AV software).
As you can see by the following descriptions, the file names of the Trojan
components change often. That's why a virus scanner is necessary. It is
generally not possible to determine maliciousness from a file name alone.
http://www.kn.vutbr.cz/docs/conf/hack/hack.html
http://www.usask.ca/security/comsecalertsold2.html
For the Trojan components, the file names are deliberately obfuscated to
appear to be legitimate Windows files, such as ms32dll.exe or rudl32.exe or
rund1132.exe (as in "r-u-n-d one-one 32" instead of "r-u-n-d L-L 32"). These
Trojans are also often installed as innocent-appearing services such as
SVHOST or MSVC5 or RMTMGMT.
In addition, these Trojan kits are installed by packaging legitimate
programs such as Firedaemon, Serv-U FTP, or mIRC. Since these are legitimate
programs (what makes them bad is that they have been installed without the end
user's permission via a vulnerability in Windows), the programs may not be
detected by all Antivirus software. An example of a recent package of this
type of Trojan, and how to apply settings to the Antivirus scanner to detect
these types of Trojans, is here:
http://vil.nai.com/vil/content/v_100427.htm
Matt Scarborough 2003-08-19
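A defender-side check for the naming tricks described in the reply above, written as an added example that is not part of this thread: it folds the digit-for-letter swaps (1 for l, 0 for o), flags names within a small edit distance of a legitimate Windows binary, and recognises the sxe*.tmp and Prefetch pattern. The list of legitimate names and the sample file names are constructed for illustration, and as the reply says, a name check is a hint only, never a substitute for a scanner.

```python
import re

# Real Windows binary names used as the reference list (illustrative, not exhaustive).
LEGIT_NAMES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe")

# Digit-for-letter substitutions seen in lookalike names (e.g. rund1132.exe).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

# sxeN.tmp, optionally with the Prefetch suffix (sxe2.tmp-1R8B65A2.pf from the question).
SXE_TMP = re.compile(r"^sxe\d+\.tmp(-[0-9a-z]{8}\.pf)?$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Label a file name: indicator, legitimate, lookalike, or unknown."""
    n = name.lower()
    if SXE_TMP.match(n):
        return "sxe-tmp indicator"
    if n in LEGIT_NAMES:
        return "legitimate name"
    folded = n.translate(HOMOGLYPHS)
    for legit in LEGIT_NAMES:
        if folded == legit:
            return f"lookalike of {legit} (homoglyph)"
        if edit_distance(folded, legit) <= 2:
            return f"lookalike of {legit} (near-match)"
    return "unknown"


def scan(names):
    """Classify every name and return only the ones worth a closer look."""
    return {n: classify(n) for n in names if classify(n) not in ("legitimate name", "unknown")}


# Constructed sample, mixing names from the thread with ordinary ones.
SAMPLE = ["rundll32.exe", "rund1132.exe", "rudl32.exe", "svhost.exe",
          "sxe2.tmp", "sxe2.tmp-1R8B65A2.pf", "notepad.exe"]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE).items():
        print(f"{name:24s} {verdict}")
```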