MSN Log Thief

Discussion in 'Port Explorer' started by zkab, Jan 14, 2004.

Thread Status:
Not open for further replies.
  1. zkab

    zkab Registered Member

    Jan 14, 2004
    I am new to PE and when reading the documentation I practiced some commands.
    Utility Lookup (Services to Port/search for: MSN) gave the following:

    --Port 1863--
    MSN Messenger - MSN Messenger Application

    --Port 16999--
    RAT: MSN Log Thief

    --Port 60101--
    RAT: MSN Log Thief

    I am concerned about the RAT lines. Does it mean that my system has a RAT?
    I made a check with PestPatrol, which is supposed to detect this RAT, but nothing was found.
    How do I proceed ...
    Appreciate any help.
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    Hmm, very interesting! MSN Log Thief is a Spanish-born (I think) stealer trojan.. or was it from Brazil..

    Anyway, please post your results by clicking File > Save Table. At least show the part which shows what process is using those ports. For safety you might want to kill the process if you aren't sure what it is, then email me a copy. Since I'm at home, use to send it but please CC it to as well :)

    And then after killing it, change your password. Don't reboot or it will run again; we can easily remove its startup entry, if there is one, with ASViewer. When you email me a log from it would also be a good idea
  3. grant

    grant Registered Member

    Jan 10, 2004
    Hi, I read your post and checked, and I had exactly the same thing. I formatted (wiping all information off the computer, although I've found that WipeDrive or other products like it are the only things that can get rid of a tough trojan, that is, one that is hidden in memory, for example, as it runs after you reboot), then checked again and it was gone, although it showed those same ports would be used if Messenger were activated. I then downloaded Messenger, checked, and the Log Thief was showing. Therefore this is a Microsoft program. Best, Grant
  4. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    No need to reformat your system at all.
    First look what PE is showing.
    Is it a local port or a remote port? Which application is connected to it on your system? Is there traffic? Look with the socket spy into those packets if there is traffic going on; you can disable all sending/receiving or kill the socket or process responsible for it. Look into the application used, scan it extra with every tool you have; if the file is less than 1 MB you can even get a second online opinion at > click on top for the English site version, at the bottom use the online virus check.
    And in the meantime send a zipped copy to the address Gavin mentioned for deeper advice.
    Only if Gavin would say there is not any hope for your system and other destructive occurrences are there would it be time to go back to a former restore point or drive image.
    Hope this helps; in case of panic, first read the forum and or the helpfile.

    BTW: the PE Utilities > LookUp > Service to ports tells you what is possible, it is not telling you have that stuff on your system.
    You can look up any port, IP, country, domain; if you look for domain to country on you will get US.
  5. nameless

    nameless Registered Member

    Feb 23, 2003
    No one should be confused or worried about this, especially Gavin. Port-to-Service is just a reference; a simple table lookup. From the help file: "The Lookup utility is a simple database search engine that allows you to perform five (5) different search types".

    It searches a database (specifically, DAT files in the Port Explorer installation directory), not what is running on your system. That is, the "Port to Service" facility doesn't tell you what is running on your system; it merely tells you what processes use the port you entered--whether or not those processes exist on your system.

    For example, when I go to Utilities > Lookup > Port to Service and enter 23, I get this back:

    Does this mean that I have Telnet Protocol (RFC 854), WinGate, RAT: Fire HacKer, Tiny Telnet Server - TTS, Truva Atl, RTB666, TelnetPro 1.0, Swarm, Baron Night, AlphaDog, MMX, Net Coach, PEST, Manipulator Lite, and Mind Control all running on my system, on port 23? No! It just means that those processes exist, in general, and are known to use port 23. It's the same with port 16999.
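The distinction nameless draws above, between a static port-to-service reference and what is actually bound on the host, is easy to show in code. The example below is added here and is not Port Explorer's or DiamondCS's code; it assumes a simple `port|service|description` text format for the reference table (the real DAT layout is not documented in the thread) and uses a constructed `netstat -ano`-style listing as the "what is running" side. The triage function answers the original question directly: a port that the lookup returns but that has no socket behind it is a reference hit only.

```python
import re
from collections import defaultdict

# Constructed port-to-service table, in the spirit of the Lookup DAT files.
# Assumed format: port|service|description. Entries echo the thread or are
# invented for illustration; they are not copied from the real database.
SERVICE_TABLE = """\
23|Telnet Protocol (RFC 854)|Remote terminal
23|RAT: Fire HacKer|Trojan known to use this port
1863|MSN Messenger|MSN Messenger Application
16999|RAT: MSN Log Thief|Trojan known to use this port
60101|RAT: MSN Log Thief|Trojan known to use this port
"""

# Constructed Windows "netstat -ano" output (addresses and PIDs are made up).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1863      207.46.104.20:1863     ESTABLISHED     2280
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1104
"""

def parse_service_table(text):
    """Load the reference table into {port: [(service, description), ...]}."""
    table = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        port, name, desc = line.split("|", 2)
        table[int(port)].append((name, desc))
    return dict(table)

def services_to_port(table, needle):
    """Equivalent of Utilities > Lookup > Services to Port: a case-insensitive
    substring search over service names. Returns {port: [matching names]}."""
    needle = needle.lower()
    return {
        port: [name for name, _ in entries if needle in name.lower()]
        for port, entries in table.items()
        if any(needle in name.lower() for name, _ in entries)
    }

# One netstat line: proto, local addr:port, foreign addr, optional state, PID.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def parse_sockets(text):
    """Parse netstat-style lines into socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, raddr, state, pid = m.groups()
        sockets.append({
            "proto": proto,
            "local_port": int(lport),
            "remote": raddr,
            "state": state or "",
            "pid": int(pid),
        })
    return sockets

def triage(table, sockets, needle):
    """For every port the lookup returns for `needle`, pair the reference
    entries with the sockets actually using that local port (possibly none)."""
    by_port = defaultdict(list)
    for sock in sockets:
        by_port[sock["local_port"]].append(sock)
    return {
        port: {"known_users": names, "sockets": by_port.get(port, [])}
        for port, names in services_to_port(table, needle).items()
    }

if __name__ == "__main__":
    report = triage(parse_service_table(SERVICE_TABLE),
                    parse_sockets(NETSTAT_OUTPUT), "MSN")
    for port in sorted(report):
        entry = report[port]
        if entry["sockets"]:
            pids = ", ".join(str(s["pid"]) for s in entry["sockets"])
            print(f"port {port}: IN USE by PID {pids}; reference says {entry['known_users']}")
        else:
            print(f"port {port}: reference entry only, no socket on this host: {entry['known_users']}")
```

Run as-is, the lookup for "MSN" returns 1863, 16999 and 60101 exactly as in the first post, but only 1863 has a socket behind it (the Messenger connection); the two RAT ports show up from the table alone. In practice the socket side would come from Port Explorer's process table or `netstat -ano`, and the PID is what you then inspect before deciding anything about the process.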