How do I detect Trojan?

How thorough is trojan detection by port scanning?

--------------------------------------------------------------------------------

Nearly all remote access trojans use TCP or UDP sockets, and in many cases trojans have a default port that they listen to. Some trojans have a port that is fixed and cannot easily be changed.

This is the best method to determine if your system has been compromised, but it requires that you:

A. have a basic understanding of the state of an "active connection" and

B. that you're familiar with the port numbers commonly used by the trojans.

With regards to the state of an "active connection". There are several types, but there's really only one type that you need to know about.

The "listening" state - which is when your PC listens on a port number, awaiting for another PC to make a connection to it. The "listening state" is the state that the trojan will be in after your system is rebooted.

NOTE: Some trojans may use more than one port number. This is because one port is used for "listening" and the other/s are used for the transfer of data.

In their default configurations, the following trojans use:

Back Orifice - UDP port 31337 or 31338
Deep Throat - UDP port 2140 and 3150
NetBus - TCP port 12345 and 12346
Whack-a-mole - TCP port 12361 and 12362
NetBus 2 Pro - TCP port 20034
GirlFriend - TCP port 21544
Sockets de Troie - TCP port 5000, 5001 or 50505
Masters Paradise - TCP port 3129, 40421, 40422, 40423 and 40426

Devil - port 65000
Evil FTP - port 23456
GateCrasher - port 6969
Hackers Paradise - port 456
ICKiller - port 7789
ICQTrojan - port 4590
Phineas Phucker - port 2801
Remote Grab - port 7000
Remote Windows Shutdown - port 53001

How to detect

If after following the directions outlined further down below, you've determined that your PC is "listening" on any of the above ports. It's a very strong indicator that your PC has been compromised. Click the appropriate link to learn how to remove the trojan involved.

How to determine what ports are "listening"
Perform the following steps:

Step 1. - Reboot your PC. Do NOT establish a dial-up connection.

Click Start | Shut Down
Click Restart
Click OK

Step 2. - After you reboot your PC and before doing anything else, open a DOS window.

Click Start | Programs | MS-DOS Prompt

NOTE: If you don't have a shortcut to the MS-DOS Prompt, don't worry. You can

Click Start | Run
Type command
Click OK

Step 3. - Type "netstat -an >>c:\netstat.txt" (without the quotes)

Type netstat -an >>c:\netstat.txt
Press ENTER

Step 4. - Close the DOS window.

Type exit
Press ENTER

Step 5. - Open Explorer

Click Start | Programs | Windows Explorer

Step 6. - Change to the C drive and double click on the netstat.txt file. It should open with NOTEPAD.

Click (C
Double-click netstat.txt

Step 7.
Look under the "Local Address" column and examine the port numbers for any connection found to be in a "listening" state.

For reference, the port numbers are shown as ":XXXXX" to the right of the IP address, where "XXXXX" is a 1 to 5 digit number.

Provided below are some examples of what you may might find:


The above example is typical of a home user's PC. The system (after a reboot) doesn't show any active connections. If your system looks like this, then congratulations! You have nothing to worry about.



The above example is typical of a PC on a LAN. The system (after a reboot) shows several connections in a listening state, used by NetBIOS. As mentioned above, the ports used by NETBIOS are ports 137 (nbname), 138 (nbdata) and 139 (nbsession).

Again, if your system isn't showing any active connections other than the ones related to using NetBIOS, then congratulations! You have nothing to worry about.



The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion, and whereby it's been configured to use the port 31337 (the default).



The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion, and whereby it's been configured to use port 31337 (the default).



The above example is typical of a home user's PC that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.



The above example is typical of a PC on a LAN that's been compromised with the Back Orifice server portion that's been configured to use port 4000 instead of the default 31337.

If your system shows any ports in a listening state that you cannot identify or explain. It might be wise to further investigate the possiblity that your system may be compromised with one of these trojans using a different port other than the default/s.

NOTES:

Some ports that may be found in a listening state include:

FTP, which uses TCP port 21
Telnet, which uses TCP port 23
Gopher, which uses TCP port 70
HTTP (a webserver), which uses TCP port 80

If you do find your system "listening" on any of these ports. You should know whether it should or shouldn't be. If it shouldn't be, then it's wise to further investigate the possiblity that your system may be compromised with one of the trojans using a different port other than the default/s.