Trojan Horse: Sockets de Troie
Type: Remote Access Trojan
Port: 5000
Found: C:/Windows/System32/cftmon.exe
How you know: Check the properties and compare the actual file size to the file size on disk

I recently found what I believe to be the Sockets de Troie trojan horse v.1 on my system, somehow attached to a file related to MS Office.

After a recent scan with TDS I found port 5000 to be connected with this trojan horse. Port 5000 is traditionally used for Universal Plug and Play. So naturally I disabled the service, which killed the port (before investigating further). However, this is the tricky part: the file cftmon.exe (which can be seen exactly where it is above) seems to be where the trojan was hiding. Cftmon.exe, which handles speech input on MS Office Suite and is a non-essential service, had two different sizes in the properties window. The 'actual' size compared to the 'size on disk' leads me to believe that this was indeed the file that was infected. Nevertheless, it has been deleted, and another scan revealed nothing unusual, as well as port 5000 closed for good.

Sockets de Troie is an older trojan horse program (created in 1998) and I don't know how it could have got on my system. Is anyone out there familiar with this trojan? Has anyone experienced any exploits (or attempts thereof) on their system with port 5000? Was there a cause for action here or is the Trojan Scanner TDS pulling my leg? One thing I did consider doing was downloading and installing this trojan horse on another computer and seeing if I could freely connect to the one that was infected, thereby giving me no doubt that this was the case. I couldn't find the program though.
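
Added example, not part of the original post: one way to check what actually owns a listening port such as 5000 before deleting anything is to map the port to its process, the services that process hosts, and the signature and hash of its binary. The function name `Get-PortOwner` is hypothetical, and the script assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated prompt.

```powershell
# Added example: map a listening TCP port to its process, binary and signature.
# Get-PortOwner is a hypothetical helper name, not a built-in cmdlet.
function Get-PortOwner {
    param([int]$Port = 5000)   # 5000 is the port named in the post

    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Output "Nothing is listening on TCP port $Port."
        return
    }

    foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        $path = $proc.ExecutablePath    # may be empty for protected processes

        # Services hosted in this process (a shared svchost.exe can host several)
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
            Select-Object -ExpandProperty Name

        $sig = $null; $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Port      = $Port
            ProcessId = $procId
            Name      = $proc.Name
            Path      = $path
            Services  = $services -join ', '
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            SHA256    = $hash
        }
    }
}

Get-PortOwner -Port 5000 | Format-List
```

A listener that resolves to a service host with a known service name and a valid signature points to the operating system's own service. An unsigned binary, or one with no backing service, is the case worth preserving for analysis (copy and hash it before removal).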