Results 1 to 8 of 8

Thread: Microsoft using trojans?

  1. #1
    Senior Member SirSub's Avatar
    Join Date
    May 2003
    Groom Lake, Nevada

    Question Microsoft using trojans?

    I decided to do a netstat -n just to make sure things were ok, and to my surprise several connections established from running on port 6667 (Sub7). At that instant, I unplugged my cable from the wall, ran a trojan scan, nothing came up. So i checked again, connections still there, so i went to SamSpade.org and used their "Do stuff" Option for that IP. This Came up
    dns has no reverse DNS configured.

    whois -h magic
    Trying whois -h whois.arin.net

    OrgName: Microsoft Corp
    OrgID: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: -
    NetHandle: NET-207-68-128-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.CP.MSFT.NET
    NameServer: DNS2.CP.MSFT.NET
    NameServer: DNS1.TK.MSFT.NET
    NameServer: DNS1.DC.MSFT.NET
    NameServer: DNS1.SJ.MSFT.NET
    RegDate: 1996-03-26
    Updated: 2003-01-15

    TechHandle: ZM39-ARIN
    TechName: Microsoft
    TechPhone: +1-425-936-4200
    TechEmail: noc@microsoft.com

    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com

    OrgNOCHandle: ZM23-ARIN
    OrgNOCName: Microsoft Corporation
    OrgNOCPhone: +1-425-882-8080
    OrgNOCEmail: noc@microsoft.com

    OrgTechHandle: MSFTP-ARIN
    OrgTechName: MSFT-POC
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: iprrms@microsoft.com

    # ARIN WHOIS database, last updated 2003-07-03 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    So then I checked my firewall logs and found this
    07/04/2003 01:26:00 Allowed TCP Outgoing 6667 1751 C:\Program Files\Internet Explorer\IEXPLORE.EXE 1 07/04/2003 01:24:56 07/04/2003 01:24:56 Ask all running apps

    My question is, what should I do now that it doesnt show up on my trojan scanner? Try another product? And, is this microsoft thats using it, or is someone just using one of their machines as a decoy (for lack of a better term).

    Thanks in advance for any help.

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002

    Did you do any anti-virus checks ... as I recall there are some virusses that leave some trojans behind or connect to ports like 6667.

    These ports like 6667 are mainly used for IRC (maybe you know but anyway) ...
    DId you connect to a site at that moment that has somesort of chat possibilities (java or something like it) they connect to that port as well.

    You have a firewall ... what if you block that port ...does it reconnect automaticly to another port without anything being open or running ... maybe it's the Deloder worm.

    ... Which OS do you use XP or W98 ?

    Keep us updated
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Senior Member
    Join Date
    Feb 2002
    As Cemetric said it could be IRC, Microsoft Chat also works on that port I think, doubt you would be having a chat with someone from microsoft though. I wonder if it could be something to do with Microsoft auto update or something, not sure what port that uses or if it is dynamically assigned. I would say your best option would be to download FPort from Foundstone http://www.foundstone.com/knowledge/proddesc/fport.html . That will tell you what porocess is making the connection, which should give you a bit more of an idea if it is malicius or not.

    Give it a try

    hope this helps

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Nothing is new, those son of a gun always been prying on every bodys life. Sad. Dont you think it is time to slowly move towards to *nix.

  5. #5
    T3h Ch3F
    Join Date
    Sep 2001

    Perhaps to Basic an Idea

    I have had so many problems of the same sort with Microsoft update I can not even count them on 50 hands. As well so many auto updates of firewall proggies. and at times a regimen of not updating all utilities on a regular basis causes many of these reports.

    Just my advice from personal procrastination, always update utlities that are running in support of others. Many times patches from one source will affect another.


  6. #6
    Senior Member
    Join Date
    Jul 2003
    microsoft likes to have their progs send info about the user to them for some **** or whatever...if you got some weird connections, and its a big corp's prog, like m$, you should be fine

    And especially if you have a hardware firewall, as long as you dont have too many open ports, and you arent dealing with assassin, you dont have mu to worry about

  7. #7
    Junior Member
    Join Date
    May 2003
    well 6667 is one of the universal ports used for irc so M$ should not have used it and i think its a trojan or probably a "feature" of the M$ iexplore.exe!
    **** MICRO$OFT!
    **** GATES!

  8. #8
    Junior Member
    Join Date
    Jul 2003
    Uh, guys. I have IRC, and I have the same or similar ip address shown on my netstat -n. I wouldn't worry too much. My other computer, that doesn't have IRC, doesn't have one of those ip addresses. It's a IRC thing. Delete IRC, or don't use it anymore, simple as that. Port 6667 is an IRC port.
    I\'m Doc, fear me because..........well I don\'t know, but fear me anyway.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts