Microsoft Executable in Transit Detection

critical Nessus Network Monitor Plugin ID 5701

Synopsis

The remote host may be compromised

Description

This service appears to send a Microsoft Windows executable when a connection to it is established. This may be evidence of malware, some of which is known to propagate in this manner. There is no file name associated with this executable: the client created a TCP/IP connection to the host, at which point the host sent an executable back to the client. NNM determined that this is a Microsoft executable based on the format of the binary.
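To make "based on the format of the binary" concrete, the following added example (not Tenable's signature; NNM's actual logic is not shown on this page) checks whether the bytes a server sends before the client has sent anything parse as a PE image. The `segments` capture format and the function names are hypothetical, and the sample header is constructed.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

def parse_pe_header(data):
    """Return COFF header fields if data begins with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew comes from the wire: bounds-check before dereferencing it.
    if e_lfanew + 24 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, sections, _, _, _, _, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "sections": sections,
            "executable": bool(flags & IMAGE_FILE_EXECUTABLE_IMAGE)}

def unsolicited_executable(segments):
    """segments: ordered (direction, payload) pairs for one TCP connection
    (hypothetical capture format; direction is 'c2s' or 's2c').
    Only bytes the server sent before the client sent anything are examined."""
    server_first = bytearray()
    for direction, payload in segments:
        if direction == "c2s" and payload:
            break
        if direction == "s2c":
            server_first += payload
    return parse_pe_header(bytes(server_first))

def build_sample_header():
    """Constructed, header-only sample (no code or sections behind it)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + coff

if __name__ == "__main__":
    pe = build_sample_header()
    print(unsolicited_executable([("s2c", pe[:100]), ("s2c", pe[100:])]))
    print(unsolicited_executable([("c2s", b"GET / HTTP/1.1\r\n\r\n"), ("s2c", pe)]))
    print(unsolicited_executable([("s2c", b"220 mail.example ESMTP\r\n")]))
```

A match on a header alone is a triage signal; confirming compromise still requires examining the host, as the Solution section says.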

Solution

Check the host and disinfect / reinstall it if necessary.

Plugin Details

Severity: Critical

ID: 5701

Family: Backdoors

Published: 11/9/2010

Updated: 1/16/2019