DS trojan opens ports fport does not detect?

Date: 12/12/03

    Date: Thu, 11 Dec 2003 22:12:50 -0600 (CST)
    To: <incidents@securityfocus.com>

    Recently, when attempting to play Dungeon Siege with a friend, I installed
    a crack he found on the internet. (We each purchased the game.)

    His machine began responding to port scans on tcp 25 and 110. I could
    telnet to these ports, and the response was to clear my screen, and on any
    keypress, to drop the connection. He said he could not telnet to port 25
    on his machine via localhost.

    After installing the crack on my machine, I found I could telnet to port
    25 and get the connection with no banner.

    Neither Norton AntiVirus nor Ad-aware found anything. I erased the dll,
    and port 25 closed for a while, but it is open again (sigh).

    But using tools like netstat, fport, or tcpview did not show any activity
    on 25 or 110. ZoneAlarm isn't detecting it making outgoing connections.
    Isn't the point of a tool like fport to detect and find the application
    that opens ports? Is it common for these tools to be evaded?

    I will email the trojan to anyone who wants to analyze it. Contact me at

    marc at (nospam) zounds net
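
The mismatch described in the message above (ports answering a remote scan while netstat on the host shows nothing) can be checked mechanically with a cross-view comparison. This is an added example, not part of the original post; the netstat text, IP address and scan result are constructed sample data, and the function names are hypothetical.

```python
import re

# TCP rows of Windows `netstat -an` output that are in LISTENING state, e.g.
#   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING
_ROW = re.compile(
    r"^[ \t]*TCP[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+LISTENING\b", re.I | re.M)

def local_listeners(netstat_text):
    """Return {port: set of bind addresses} for listening TCP sockets."""
    table = {}
    for addr, port in _ROW.findall(netstat_text):
        table.setdefault(int(port), set()).add(addr.strip("[]"))
    return table

def reachable_remotely(addrs, scanned_ip):
    """A listener explains a remote hit only if bound to a wildcard
    address or to the scanned IP; a 127.0.0.1-only bind does not."""
    return bool(addrs & {"0.0.0.0", "::", scanned_ip})

def cross_view(netstat_text, remote_open_ports, scanned_ip):
    """Ports seen open from outside that the host's socket table
    cannot account for, sorted ascending."""
    table = local_listeners(netstat_text)
    return sorted(p for p in set(remote_open_ports)
                  if not reachable_remotely(table.get(p, set()), scanned_ip))

# Constructed sample: `netstat -an` text as captured on the host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Constructed sample: TCP ports a scan from a second machine found open.
SAMPLE_REMOTE_OPEN = [25, 110, 135, 139, 445]

if __name__ == "__main__":
    for port in cross_view(SAMPLE_NETSTAT, SAMPLE_REMOTE_OPEN, "192.168.1.20"):
        print(f"tcp/{port}: open from outside, no matching local listener")
```

A port in the result is a lead, not a verdict: something on the host may be hiding the socket from user-mode tools, or a device between the scanner and the host may be answering on that port.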


