Re: Why would explorer.exe be listening on port 1024

From: Ming Jin (martinkin@attbi.com)
Date: 03/27/03


From: "Ming Jin" <martinkin@attbi.com>
Date: Thu, 27 Mar 2003 02:01:51 GMT

Basically some windows process will setup a "internal loop" connection for
unknown reason
I have observed some cases with TDIMON, just like "heart beat".

I think since this connection is not come from outside, don't worry about
it.

"James" <god@heaven.com> wrote in message
news:b5ag3b$no3$1@hercules.btinternet.com...
> Hi,
> When I first boot up and the desktop is "settling down" I get a message
from
> Norton Internet Security telling me that it has blocked an intrusion
attempt
> that has the signature of the NetSpy trojan. It gives the following
details.
>
> Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
> Inbound TCP connection
> Local address,service is (0.0.0.0,1024)
> Remote address,service is (localhost,1036)
> Process name is "C:\WINDOWS\Explorer.EXE"
>
> When I look at the current connections, lo and behold, there is a process
> explorer.EXE connected locally on port 1024.
> I just installed Norton Internet Security 2003. Never used to get this
> message from 2002.
> I have scanned my whole system with Norton AV on this machine, the online
> version on the symantec website, Mcafee online from their website, and The
> Cleaner from Moosoft. No infection. Anywhere.
> But the question remains, why does explorer have a connection with port
> 1024, which is apparently known to be where NetSpy listens?
> I am running Windows XP Pro.
> Anyone who could shed some light on this would get lots of gratitude.
> Hope somebody knows about this...
> Thanks in advance,
>
> James Gardner.
>
>
>