Security Incidents mailing list archives

RE: Anyone seen tgcmd.exe before?


From: "James C. Slora, Jr." <james.slora () phra com>
Date: Wed, 3 Dec 2003 12:21:07 -0500

Harry Chemin wrote Tuesday, December 02, 2003 9:05 PM

I found a program on a client's laptop running Windows XP 
with latest service pack and all hot fixes applied.  The 
client reported that someone was remotely controlling his 
desktop while he was on his home network.  The client had 
Zone Alarm, Symantec Anti-virus software, and was using a 
Linksys firewall.  I checked several websites for information 
on tgcmd.exe and possibilities for the source of this 
software appear to be either for Sony Vaio laptops or @Home 
support software.  Unfortunately, the user's laptop is an IBM 
Thinkpad and the client had no recollection of installing the 
Support.com software.  Here is the output from fport:

It is Support.com remote control software installed as part of the @Home or Comcast support suite. Comcast uses 
(used?) it for remote help. @Home also used it. I have not had a reason to research the software's vulnerabilities, its 
mechanics, or its potential for abuse - but it is normal for an @Home client to have the tgcmd.exe listening on TCP 
port 641.

Pid   Process            Port  Proto Path
984                  ->  3001  TCP
376                  ->  5000  TCP
4     System         ->  1056  TCP
4     System         ->  139   TCP
0     System         ->  3119  TCP
0     System         ->  3121  TCP
4     System         ->  445   TCP
2936  ccApp          ->  3099  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  3104  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  9519  TCP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1044  TCP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  641   TCP   C:\Program Files\Support.com\bin\tgcmd.exe
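The fport listing above is the kind of artifact a responder has to triage by hand: which listeners have no owning image at all, which are attributed to the kernel on ports where that is not expected, and which belong to remote-control capable software that should have been provisioned deliberately. The script below is an added example, not code from the thread or from Support.com or Foundstone; it parses fport's table layout and applies those three checks. The sample rows are constructed from the posting with the mail-wrapped paths re-joined; the allowlist of image paths and the "remote-control capable" port table are assumptions made for the example (the 641/tgcmd.exe pairing itself comes from the reply above).

```python
"""Triage fport-style listener output (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the posting's fport table with wrapped paths re-joined.
SAMPLE_FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
984                  ->  3001  TCP
376                  ->  5000  TCP
4     System         ->  1056  TCP
4     System         ->  139   TCP
0     System         ->  3119  TCP
0     System         ->  3121  TCP
4     System         ->  445   TCP
2936  ccApp          ->  3099  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2936  ccApp          ->  3104  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
3900  msmsgs         ->  9519  TCP   C:\Program Files\Messenger\msmsgs.exe
1144  ccPxySvc       ->  1044  TCP   C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
4040  tgcmd          ->  641   TCP   C:\Program Files\Support.com\bin\tgcmd.exe
"""

# One fport row: PID, optional process name, "->", port, proto, optional path.
# The negative lookahead stops the process field from swallowing the arrow
# on rows where fport could not name the process.
FPORT_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>(?!->)\S+)?\s*->\s*"
    r"(?P<port>\d+)\s+(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$"
)

SMB_PORTS = {139, 445}  # kernel-side SMB listeners expected on a Windows XP host

# Assumed allowlist of image paths this host is known to run (lower-cased).
ALLOWED_IMAGE_PATHS: Set[str] = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\program files\norton internet security professional\ccpxysvc.exe",
    r"c:\program files\messenger\msmsgs.exe",
}

# Ports tied to remote-control capable software. Only the 641 entry is from
# the thread; a real table would be maintained per environment.
REMOTE_CONTROL_PORTS: Dict[int, str] = {
    641: "Support.com tgcmd.exe remote-support listener",
}


@dataclass(frozen=True)
class Listener:
    pid: int
    process: Optional[str]
    port: int
    proto: str
    path: Optional[str]


def parse_fport(text: str) -> List[Listener]:
    """Parse fport's table. The header, blank lines and anything that does not
    match the row layout are skipped rather than guessed at."""
    rows: List[Listener] = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if not m:
            continue
        rows.append(Listener(pid=int(m["pid"]), process=m["proc"] or None,
                             port=int(m["port"]), proto=m["proto"],
                             path=m["path"] or None))
    return rows


def triage(listeners: List[Listener],
           allowed: Set[str] = ALLOWED_IMAGE_PATHS,
           remote_control: Dict[int, str] = REMOTE_CONTROL_PORTS
           ) -> List[Tuple[Listener, str]]:
    """Return (listener, reason) pairs a responder should explain."""
    findings: List[Tuple[Listener, str]] = []
    for l in listeners:
        if l.process is None and l.path is None:
            findings.append((l, "unattributed listener: fport found no owning image"))
        elif l.process == "System" and l.path is None:
            if l.port not in SMB_PORTS:
                findings.append((l, "kernel-attributed listener outside SMB ports"))
        elif l.path is not None and l.path.lower() not in allowed:
            findings.append((l, "image path not in host allowlist"))
        if l.port in remote_control:
            findings.append((l, "remote-control capable: %s; confirm it was provisioned"
                             % remote_control[l.port]))
    return findings


if __name__ == "__main__":
    for listener, why in triage(parse_fport(SAMPLE_FPORT_OUTPUT)):
        print("pid %-5d %-9s %s/%-5d %s"
              % (listener.pid, listener.process or "?", listener.proto,
                 listener.port, why))
```

Run against the sample, the two listeners fport could not attribute (PIDs 984 and 376) and the kernel listeners on 1056, 3119 and 3121 come out first, and tgcmd.exe on 641 is reported twice: once because its path is not on the assumed allowlist, and once because the port is in the remote-control table, which is the question the original poster actually needed answered.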
