Security Incidents mailing list archives

Re: Port 1033-1037 Question


From: ParallaX Research <parallax () PARALLAXRESEARCH COM>
Date: Sun, 4 Feb 2001 16:34:43 -0800

According to http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm
1033 is Netspy-TCP

However, this is important to note:
"Note: some of the more advanced trojans let the hacker choose which port is
being used. Here only the defaults are given."

If it is netspy, removal instructions from
http://split.netset.com/miscfix/netspy.shtml are as follows:

Removal v2.0
First go to Start -> shutdown. Select 'Restart the computer in MS-DOS mode.'
and click OK.
When your computer is at the C:\windows\ prompt, type the following:
cd system
del netspy.exe

Then type exit to return to windows.

Next, click Start, and go to Run. In the box, type regedit and click OK.
When regedit starts, you will see a file-like tree on the left hand panel.
Open the folders to follow the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Click on 'Run' and the righthand panel will change. Look for an item titled:
Netspy = "netspy.exe" and delete it (Right click and choose delete)


on 02/02/2001 06:48 PM, Don Tansey at hyghlander () MINDSPRING COM wrote:
<Moderator: My apologies if this is not appropriate to
the list. Please do not post if
this is the case>

Does anyone know of a trojan that tries to initiate a
connection from port 1033-1037 on the infected
machine to an outside POP3 mail server?

My mail client is blocked from connecting
to my ISP's mail server at port 80 from the
source port range shown above.

My firewall logs show nothing beyond the source
port and the destination port.

Thanks,

Don Tansey


--Beware the fury of a patient man.

--
ParallaX Research Group
Information Security Clearinghouse
http://www.parallaxresearch.com/
parallax () parallaxresearch com
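
The registry step in the removal instructions above can be checked offline against an exported copy of the registry. The following is an added example, not part of the original post or the quoted removal page; it assumes the export is in REGEDIT4 text format, and the function names and sample data are hypothetical. It goes slightly beyond the quoted steps by matching on the executable named in the command rather than only on the value name "Netspy".

```python
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_IMAGES = {"netspy.exe"}  # file name given in the removal instructions

# Constructed sample export (REGEDIT4 text), not taken from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Netspy"="netspy.exe"
"WinHelper"="C:\\WINDOWS\\SYSTEM\\NETSPY.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="setup.exe"
'''

# "name"="data" string values; backslash escapes are allowed inside the quotes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def unescape(text):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)

def run_entries(export_text, key=RUN_KEY):
    """Yield (value name, command) for string values directly under `key`."""
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new key section
        elif current is not None and current.lower() == key.lower():
            match = VALUE_RE.match(line)
            if match:
                yield unescape(match["name"]), unescape(match["data"])

def image_name(command):
    """Lower-cased executable base name of a Run command line.
    Unquoted paths containing spaces are not handled."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def suspicious_run_entries(export_text, suspects=SUSPECT_IMAGES):
    """Return Run-key entries whose executable is in `suspects`."""
    return [(n, c) for n, c in run_entries(export_text) if image_name(c) in suspects]
```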

