Security Incidents mailing list archives
Re: Port 1033-1037 Question
From: ParallaX Research <parallax () PARALLAXRESEARCH COM>
Date: Sun, 4 Feb 2001 16:34:43 -0800
According to http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm, 1033 is Netspy-TCP. However, this is important to note:

"Note: some of the more advanced trojans let the hacker choose which port is being used. Here only the defaults are given."

If it is netspy, removal instructions from http://split.netset.com/miscfix/netspy.shtml are as follows:

Removal v2.0

First go to Start -> shutdown. Select 'Restart the computer in MS-DOS mode.' and click OK. When your computer is at the C:\windows\ prompt, type the following:

cd system
del netspy.exe

Then type exit to return to windows.

Next, click Start, and go to Run. In the box, type regedit and click OK. When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Click on 'Run' and the righthand panel will change. Look for an item titled:

Netspy = "netspy.exe"

and delete it (right click and choose delete).

On 02/02/2001 06:48 PM, Don Tansey at hyghlander () MINDSPRING COM wrote:
<Moderator: My apologies if this is not appropriate to the list. Please do not post if this is the case>

Does anyone know of a trojan that tries to initiate a connection from port 1033-1037 on the infected machine to an outside POP3 mail server? My mail client is blocked from connecting to my ISP's mail server at port 80 from the source port range shown above. My firewall logs show nothing beyond the source port and the destination port.

Thanks,
Don Tansey
--Beware the fury of a patient man.
--
ParallaX Research Group
Information Security Clearinghouse
http://www.parallaxresearch.com/
parallax () parallaxresearch com
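
An added example, not part of the original message or of the removal instructions it quotes: a check of a regedit text export for Run entries that launch netspy.exe, matching on the program file name so that a renamed value or a full path is still caught. The REGEDIT4 sample is constructed, and the function names are hypothetical.

```python
import re

# Key and file name taken from the removal instructions quoted in the message.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_EXE = "netspy.exe"

# Constructed sample of a regedit text export (REGEDIT4 format); not real data.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Netspy"="netspy.exe"
"Renamed"="C:\\WINDOWS\\SYSTEM\\NETSPY.EXE /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="netspy.exe"
'''

# "name"="data" string values; backslashes and quotes are escaped in exports.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def run_entries(export_text, key=RUN_KEY):
    """Return {value name: command} for string values directly under `key`."""
    entries, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive; subkeys do not match.
            in_key = line[1:-1].lower() == key.lower()
        elif in_key:
            match = _VALUE_RE.match(line)
            if match:
                entries[_unescape(match.group(1))] = _unescape(match.group(2))
    return entries

def suspicious(entries, exe=SUSPECT_EXE):
    """Names of entries whose program file is `exe`, whatever the value name."""
    hits = []
    for name, command in entries.items():
        # Assumption: the program path itself contains no spaces.
        program = command.strip().split(" ")[0].strip('"')
        if re.split(r"[\\/]", program)[-1].lower() == exe:
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for name in suspicious(run_entries(SAMPLE_EXPORT)):
        print("Run entry to review:", name)
```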