May 24th, 2005, 04:28 PM
Infected or Paranoid? Sockets de Troie Trojan Horse Program
Trojan Horse: Sockets de Troie
Type: Remote Access Trojan
How you know: Check the properties and compare the actual file size to the file size on disk
I recently found what I believe to be the Sockets de Troie trojan horse v.1 on my system, somehow attached to a file related to MS Office.
After a recent scan with TDS I found port 5000 to be connected with this trojan horse. Port 5000 is traditionally used for Universal Plug and Play. So naturally I disabled the service, which killed the port (before investigating further). However, this is the tricky part: the file cftmon.exe (which can be seen exactly where it is above) seems to be where the trojan was hiding. Cftmon.exe, which handles speech input in the MS Office Suite and is a non-essential service, had two different sizes in the properties window. The 'actual' size compared to the 'size on disk' leads me to believe that this was indeed the file that was infected. Nevertheless, it has been deleted and another scan revealed nothing unusual, and port 5000 is closed for good.
Sockets de Troie is an older trojan horse program (created in 1998) and I don't know how it could have got on my system. Is anyone out there familiar with this trojan? Has anyone experienced any exploits (or attempts thereof) on their system with port 5000? Was there a cause for action here, or is the trojan scanner TDS pulling my leg? One thing I did consider doing was downloading and installing this trojan horse on another computer and seeing if I could freely connect to the one that was infected, thereby leaving me no doubt that this was the case. I couldn't find the program though.
May 24th, 2005, 04:38 PM
Thereby "proving" port 5000 is used by UPnP...
Port 5000 is traditionally used for Universal Plug and Play. So naturally I disabled the service, which killed the port (before investigating further
Yes, I know the trojan. It's dead...
Is anyone out there familiar with this trojan? Has anyone experienced any exploits (or attempts thereof) on their system with port 5000?
Yes, there was an exploit for UPnP IIRC about a month after winxp came out. A recent virus scanned this port too (don't remember the name)...
Experience is something you don't get until just after you need it.
May 24th, 2005, 05:10 PM
TDS uses an old commonly used ports list which was compiled before there was a UPnP. If you had right-clicked on cftmon.exe and selected 'properties' then 'version' you'd see 'company name Microsoft Corporation'. I have never seen this info in a virus or trojan file. There are instances where legitimate programs (with version info) are included in a worm/virus download, such as FireDaemon, psexec, radmin, etc., but actual trojans in my experience never have the version information. Not that they can't have it, but I've never seen it.
If I recall correctly, TDS also gives/gave a false positive for the 'black-jack' trojan (1025) based on the same ports list. It used to, anyway.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
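As an added example that is not part of this thread, the Python script below shows the point made in the post above: matching an open port against a static trojan-port list (the way the post says TDS did) flags every process listening on 5000 or 1025, while checking which process owns the socket reports only listeners that are not the service expected on that port. The port/trojan pairs (5000 Sockets de Troie, 1025 black-jack) come from the thread; the sample listener rows, the process names, and the assumption that on Windows XP the UPnP/SSDP service and the RPC dynamic port are hosted by svchost.exe are constructed for the example and should be adjusted to the host being checked.

```python
# Added example (not from the thread): port-only matching vs. process-aware
# matching of open ports against a trojan-port list.
import re
from dataclasses import dataclass

# Trojan/port associations mentioned in the thread.
TROJAN_PORTS = {5000: "Sockets de Troie", 1025: "black-jack"}

# Assumption: the UPnP/SSDP service and the RPC dynamic port range are
# hosted by svchost.exe on this host. Replace with what your host runs.
EXPECTED_LISTENERS = {5000: {"svchost.exe"}, 1025: {"svchost.exe"}}


@dataclass
class Listener:
    proto: str
    port: int
    pid: int
    process: str


# Constructed sample in a simplified "proto local_addr state pid process"
# layout (not real netstat output). Two processes happen to sit on 1025.
SAMPLE = """\
TCP 0.0.0.0:5000 LISTENING 1032 svchost.exe
TCP 0.0.0.0:1025 LISTENING 1032 svchost.exe
TCP 0.0.0.0:1025 LISTENING 2216 unknown_tool.exe
TCP 0.0.0.0:135 LISTENING 896 svchost.exe
"""

ROW = re.compile(r"^(TCP|UDP)\s+\S+:(\d+)\s+LISTENING\s+(\d+)\s+(\S+)$")


def parse_listeners(text):
    """Parse the sample rows into Listener records, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append(Listener(m.group(1), int(m.group(2)),
                                int(m.group(3)), m.group(4)))
    return out


def flag_by_port(listeners):
    """Naive check: any listener on a listed port is reported, whoever owns it."""
    return [(l.port, TROJAN_PORTS[l.port], l.process)
            for l in listeners if l.port in TROJAN_PORTS]


def flag_by_process(listeners, expected=EXPECTED_LISTENERS):
    """Report a listed port only when the owning process is not one expected there."""
    alerts = []
    for l in listeners:
        if l.port not in TROJAN_PORTS:
            continue
        allowed = {p.lower() for p in expected.get(l.port, set())}
        if l.process.lower() not in allowed:
            alerts.append((l.port, TROJAN_PORTS[l.port], l.process))
    return alerts


if __name__ == "__main__":
    found = parse_listeners(SAMPLE)
    print("port-only matches   :", flag_by_port(found))
    print("process-aware alerts:", flag_by_process(found))
```

On the constructed sample the port-only check raises three hits, two of them the expected service, while the process-aware check raises one: an unexpected process on port 1025. That single hit is the one worth the version-info and file-origin checks the post describes, rather than every socket that happens to share a number with a 1998 trojan.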
May 24th, 2005, 05:27 PM