I'm wondering about msmsgs.exe. On my Port Explorer I have 8 sockets devoted to it. 3 are UDP and 5 are TCP. The ports are ranging from 1032 to 10082 for local and from 0 to 1863 remote. 2 of the UDP remote ports are marked with * and 3 are marked with 0. This is the same for the remote addresses on these three. One UDP socket shows localhost 127.0.0.1 for both local and remote address. 2 of the TCP sockets have *msmsgs.exe as the process name while the rest have only msmsgs.exe. The port reference for local 1032 says RAT : G.R.O.B. and this concerns me. I check my sockets daily and am obviously still learning what to make of the info in front of me. I sometimes have 3, 6, 8 and more sockets for msmsgs.exe. It's not always the same number. I have had several port references naming a variety of RATs and this info also changes. The ones that are ports known to be used by RATs always have no remote address to resolve or trace. I have TDS-3 and scan fairly frequently. I haven't detected anything via these scans to date. My first question is really to know how many sockets should messenger be using? Does this number change? Why are some of the remote addresses blank? and finally why are two of the process names prefixed with *, while the others are not? Whew! Thanks in advance to anyone who can educate the boy here. I stand eager to learn.
Hi Waya, MSN can use quite an amount of sockets, it varies depending on where you are connected, what you are doing, etc. It used around 4-6 on my system without even being connected. The sockets with the ASTERIX (*) on them means Port Explorer's DLL cannot map those processes so it lets windows do them. Don't worry though as 99.9% of the time those sockets don't receive or send any data (only the system ones do). MSN uses a wide range of ports, some of which trojans use, you shouldn't assume just because it is on a trojan port that it is a trojan. As long as you scan with an anti trojan and anti virus fairly regurarly and don't run any files unless you scan and trust them you should be fine. -Jason-
Hi, Also note that G.R.O.B is a very basic trojan and will show up RED in Port Explorer, like most other trojans
Thanks fellas! Been wondering about that messenger for the longest. I scan with tds and an av at least once a week, so I think all is well. Just got a bit suspicious of so many sockets. Keep up the good fight, I'm in yer corner trying to learn a bit of this. -waya-
