DS trojan opens ports fport does not detect?

junk_at_zounds.net
Date: 12/12/03

    Date: Thu, 11 Dec 2003 22:12:50 -0600 (CST)
    To: <incidents@securityfocus.com>
    
    

    Recently, when attempting to play Dungeon Siege with a friend, I installed
    a crack he found on the internet. (We each purchased the game.)

    His machine began responding to port scans on tcp 25 and 110. I could
    telnet to these ports, and the response was to clear my screen, and on any
    keypress, to drop the connection. He said he could not telnet to port 25
    on his machine via localhost.

    After installing the crack on my machine, I found I could telnet to port
    25 and get the connection with no banner.

    Neither Norton AntiVirus nor Ad-Aware found anything. I erased the DLL,
    and port 25 closed for a while, but it is open again (sigh).

    But using tools like netstat, fport, or tcpview did not show any activity
    on 25 or 110. ZoneAlarm isn't detecting it making outgoing connections.
    Isn't the point of a tool like fport to detect and find the application
    that opens ports? Is it common for these tools to be evaded?

    I will email the trojan to anyone that wants to analyze it. Contact me at

    marc at (nospam) zounds net
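
Added example, not part of the original post: a cross-view check that compares the TCP ports answering a connect from a second machine against the ports the suspect host's own `netstat -an` reports as LISTENING, which is the discrepancy the post describes. The netstat text, addresses and probe result are constructed sample data, and the function names are hypothetical.

```python
import re
import socket

# Constructed sample of `netstat -an` output from the suspect host (not from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches only TCP rows in the LISTENING state and captures the local port.
_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def local_listeners(netstat_text):
    """TCP ports the host itself reports as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def probe(host, ports, timeout=1.0):
    """TCP ports on `host` that complete a connect() from this machine."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def hidden_listeners(reachable, netstat_text):
    """Ports that answer on the wire but are missing from the local view."""
    return sorted(set(reachable) - local_listeners(netstat_text))


if __name__ == "__main__":
    # Constructed stand-in for probe("<suspect host>", [25, 110, 135, 445])
    # run from a second machine on the same network.
    print(hidden_listeners({25, 110, 135, 445}, SAMPLE_NETSTAT))
```

A port that appears only in the remote view can also belong to a device in the network path answering on the host's behalf, so repeat the probe from the same network segment before concluding that the local tools are being evaded.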
