Trojans

Discussion in 'Port Explorer' started by alpha24, Dec 24, 2002.

Thread Status:
Not open for further replies.
  1. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi. I have just installed PE (trial) and am studying the Help, "Hidden Server Detection" pages. The fifth paragraph (re. screen image) identifies the Trojan as "NetBus" and the last paragraph says "Now that we've identified the Trojan ---". My question is: how did we identify it, apparently from the information on screen? Can someone tell me, please? o_O
    With the Compliments of the Season Alpha.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi alpha24,

    A good way to find out about specific applications or ports that may be suspicious (as in the Port Explorer example) is from inside Port Explorer click Utilities>>Lookup and then type in the port number and Search. You get the following info:
    cron / crontab, RAT: Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill, Q-taz, Snape, Fade, Musdie, Vagr, Neoturk
    You may now do a web search (I use Google) to search for the executable (patch.exe), the port (12345), or any of the names that Port Explorer gives you as using that port. I did a search for "patch.exe" and found the following page: http://www.hypertony.co.uk/security/netbus.htm.

    As you can see, it takes a little work to decide if you are infected or not (in this case less than five minutes), but it is well worth the effort.

    I hope this helps you at least a little bit...... :D

    Regards,
    Kent
     

  3. alpha24

    alpha24 Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    18
    Hi, Kent. Many thanks for your helpful response. I can't follow your advice because the trial version of PE doesn't have the Look-up facility, but I expect I'll get the full version, if I can get my head round the trial better than I have so far!! Obviously, the Help should have mentioned the Look-up step etc. in the identification of the Trojan. I suppose the simplest thing to do is to kill all highlighted processes, but I realise there have to be exceptions. I run Spyblocker and the spyblocker.exe file appears 4 times in the main PE Processes list, all highlighted!! I have posted to the Spyblocker Forum on the subject and await their reaction with interest!!

    Another thing. I subscribe to a number of Forums and sometimes get in a muddle with my replies, especially on a couple of them which I find difficult to navigate, where I often can't find a posting again when I go back to deal with a reply!! (I call it having one of my senior moments, as I'm not so young as I was - but who is!!) Did you post to me a few days ago on another Forum and if so, could you tell me which and under what heading, please? If not, I'll just have to resume searching for a missing posting which, I think, was over the name Kent or something like it. (Now, don't make fun of the afflicted!!!) :'( Cheers. Alpha.
     
  4. Joosky

    Joosky Guest

    Hi again, Jooske here from another location.

    The step-by-step process. Hmm, I think it is first to look at which processes they are, whether you know them, and which ports they use.
    The "patch.exe" example on 12345 is a very clear one, of course.
    But these are the steps you take:
    look at which is highlighted, which port it uses, right-click to see what it is, where it comes from, and to which process(es) it belongs.
    You can start by blocking the sending and receiving of traffic on it, do all the resolve/whois/spying on the packets you want, or just kill the process/sockets if you don't trust them.

    Yes, a full version is what it takes to have all the options enabled. If you're planning to, do have a look at the ActionPack, which is still available at this moment too, just in case. I'm telling you this because I have all three of the programs included and use them together, and now that I'm at another location where they are not installed I feel strange :) --more or less empty-handed on another person's computer, so I love the things even more once I get back to my own system :cool:
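The procedure the two replies above describe (Kent's port look-up plus web search for the executable, and Jooske's "which process, which port, where does it come from" walk-through) can be done by hand from `netstat -ano` and `tasklist` on any Windows box, trial version or not. The script below is an added example written for this thread; it is not Port Explorer code and not anything Diamond CS ships. The `netstat` rows and the PID-to-image map are constructed, the 12345 entry of the port table is exactly what Kent quoted from Utilities>>Lookup, and the 12346 (NetBus), 27374 (SubSeven) and 31337 (Back Orifice) entries are well-known RAT default ports added for illustration. Function and constant names are my own.

```python
"""Manual 'hidden server' triage: parse netstat -ano, group sockets by owning
executable, look each listening port up in a trojan-port table, and produce
the search terms for the web-search step. Added example, not Port Explorer
code; all sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Port -> names. 12345 is the list Port Explorer's Utilities>>Lookup gives in the
# thread; the other three are well-known RAT defaults added for illustration.
KNOWN_PORTS = {
    12345: ["cron / crontab", "Fat Bitch trojan", "GabanBus", "icmp_pipe.c",
            "Mypic", "NetBus", "NetBus Toy", "NetBus worm", "Pie Bill Gates",
            "Whack Job", "X-bill", "Q-taz", "Snape", "Fade", "Musdie", "Vagr",
            "Neoturk"],
    12346: ["NetBus"],
    27374: ["SubSeven"],
    31337: ["Back Orifice"],
}

# Constructed PID -> image name map (what `tasklist` would show you).
PROCESS_IMAGES = {
    4: "System", 928: "svchost.exe", 1984: "patch.exe",
    2040: "spyblocker.exe", 2160: "spyblocker.exe",
}

# Constructed `netstat -ano` output. Windows prints no State column for UDP.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1984
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2040
  TCP    127.0.0.1:8080         127.0.0.1:1055         ESTABLISHED     2040
  TCP    127.0.0.1:1055         127.0.0.1:8080         ESTABLISHED     2160
  UDP    0.0.0.0:1056           *:*                                    2160
  UDP    0.0.0.0:500            *:*                                    928
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: int
    remote: str
    state: str   # empty for UDP
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano` rows. TCP rows have 5 columns, UDP rows 4."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a row we do not understand
        if parts[0] == "TCP" and len(parts) == 5:
            state, pid = parts[3], parts[4]
        elif parts[0] == "UDP" and len(parts) == 4:
            state, pid = "", parts[3]
        else:
            continue
        host, _, port = parts[1].rpartition(":")  # rpartition also copes with [::]:135
        sockets.append(Socket(parts[0], host, int(port), parts[2], state, int(pid)))
    return sockets


def sockets_by_image(sockets, images):
    """Group sockets by owning executable. One program appearing several times
    (as spyblocker.exe does in the thread) is not suspicious by itself."""
    grouped = defaultdict(list)
    for s in sockets:
        grouped[images.get(s.pid, f"<no process for pid {s.pid}>")].append(s)
    return dict(grouped)


@dataclass(frozen=True)
class Finding:
    image: str
    pid: int
    port: int
    names: tuple

    def search_terms(self):
        """What to feed a web search: the executable, the port, the candidate names."""
        return [self.image, str(self.port), *self.names]


def triage(sockets, images, table=KNOWN_PORTS):
    """Flag servers (TCP LISTENING or any UDP) whose port is in the table.
    A hit is a lead, not a verdict: 12345 is also listed for cron/crontab, so the
    image name and where it lives on disk have to be checked next."""
    findings = []
    for s in sockets:
        is_server = s.proto == "UDP" or s.state == "LISTENING"
        if is_server and s.local_port in table:
            findings.append(Finding(images.get(s.pid, "<unknown>"), s.pid,
                                    s.local_port, tuple(table[s.local_port])))
    return findings


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    for image, group in sockets_by_image(socks, PROCESS_IMAGES).items():
        print(f"{image}: {len(group)} socket(s)")
    for f in triage(socks, PROCESS_IMAGES):
        print(f"REVIEW pid {f.pid} {f.image} port {f.port}: {', '.join(f.names[:4])}, ...")
        print("  search for:", ", ".join(f.search_terms()[:4]))
```

On a live machine, replace `NETSTAT_SAMPLE` with the output of `netstat -ano` and build the PID map from `tasklist`; the point of the grouping step is that four spyblocker.exe sockets collapse into one line for one known program, while the single patch.exe listener on 12345 is what actually needs the web search.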
     