Strange Going-ons

Discussion in 'Port Explorer' started by boba, Feb 18, 2003.

Thread Status:
Not open for further replies.
  1. boba

    boba Guest

    I have had two problems with Outlook 98 and suspect a trojan of some sort. Port Explorer identifies some open ports as used by various RATs - and I started thinking that's the source of my problems. After a lot of F.U.D. (fear, uncertainty, and doubt), I have some questions:
    1: Can an open port indicate be used by a trojan and also be used by a legimate process? Ex: *system is using TCP port 1027 on remote address 0.0.0.0 which is also used by RAT: Latinus (according to PE). I'm assuming this is a legimate use, though - right?
    2: The Outlook problems are:
    a: Every now and then, my account connections get reset (the POP3 server is assigned as 'local host' and the account login name now appears as "myuserid/pop3.myisp.net" instead of merely "myuserid".
    b: The icons next to each email message in a folder all have a magenta background. This happens randomly, but once it is there - it doesn't go away without a reboot.
    Where are these coming from? I've searched the net and haven't found anything - yet.
    Thanks for anyone's help.
    Bob
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    HI Bob,
    I can only give my two cents to one of your points:

    I have seen a couple of virus scanners do that: they set up a proxy on "localhost" and have your mail program ask that proxy for mail. So the connection goes from mail program to localhost. but then the proxy has to know not only your username but also the *actual* mailserver, that's why your userid gets formatted as "myuserid/pop3.myisp.net". The virus scanner then parses that value and queries pop3.myisp.net with userid myuserid. It scans the mails that it receives and forwards them to your mail program where you finally can see them.

    Is there anything going on that involves a virus scanner? Setup or re-configuration? Updates?

    HTH,
    Andreas
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes Port Explorer tells you what a port can be used for, it doesn't mean all the time the port is used for that. So if you see RAT on one of the port lookups don't assume the socket which uses that port is a trojan right away. A trojan isn't going to be a "*System" socket either, it will show you the name of the exe.
    99% of trojans will show up as HIDDEN in Port Explorer, so if you see a hidden socket and don't know what it is, thats when you need to worry about it possibly being a trojan :) .

    -Jason-
     
  4. BobA

    BobA Guest

    Jason:
    Thanks for the assurance - I suspected that was true but feel much more at ease now.
    Andreas:
    Yes, I have PC-Cillin virus scanner and it does use a proxy. I am running ZoneAlarm Pro. Recently, I got DSL and now have an SMC hub that is also another firewall (sound paranoid, don't I - I'm not really that bad). This behavior has been noticed since adding the SMC hub .. I had been running PC-Cillin and ZoneAlarm a lot longer without this issue. I can deal with the annoyance as long as I can be assured we not dealing with a trojan of some sort.
    Thanks for the help.
    Bob
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.