Thread: Infected or Paranoid? Sockets de Troie Trojan Horse Program

  1. #1

    Infected or Paranoid? Sockets de Troie Trojan Horse Program

    Trojan Horse: Sockets de Troie
    Type: Remote Access Trojan
    Port: 5000
    Found: C:/Windows/System32/cftmon.exe
    How you know: Check the properties and compare the actual file size to the file size on disk

    I recently found what I believe to be the Sockets de Troie trojan horse v.1 on my system, somehow attached to a file related to MS Office.

    After a recent scan with TDS I found port 5000 to be connected with this trojan horse. Port 5000 is traditionally used for Universal Plug and Play. So naturally I disabled the service, which killed the port (before investigating further). However, this is the tricky part: the file cftmon.exe (which can be seen exactly where it is above) seems to be where the trojan was hiding. Cftmon.exe, which handles speech input in the MS Office Suite and is a non-essential service, had two different sizes in the properties window. The 'actual' size compared to the 'size on disk' leads me to believe that this was indeed the file that was infected. Nevertheless, it has been deleted and another scan revealed nothing unusual, and port 5000 is closed for good.

    Sockets de Troie is an older trojan horse program (created in 1998) and I don't know how it could have got on my system. Is anyone out there familiar with this trojan? Has anyone experienced any exploits (or attempts thereof) on their system with port 5000? Was there a cause for action here, or is the Trojan Scanner TDS pulling my leg? One thing I did consider doing was downloading and installing this trojan horse on another computer and seeing if I could freely connect to the one that was infected, thereby leaving me no doubt that this was the case. I couldn't find the program though.

  2. #2
    Just Another Geek (Join Date: Jul 2002, Location: Rotterdam, Netherlands, Posts: 3,401)

    Ehhm, paranoid....

    > Port 5000 is traditionally used for Universal Plug and Play. So naturally I disabled the service which killed the port (before investigating further)

    Thereby "proving" port 5000 is used by UPnP..

    > Is anyone out there familiar with this trojan? Has anyone experienced any exploits (or attempts thereof) on their system with port 5000?

    Yes, I know the trojan. It's dead...

    Yes, there was an exploit for UPnP IIRC about a month after winxp came out. A recent virus scanned this port too (don't remember the name)...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member (Join Date: Nov 2001, Posts: 4,785)

    TDS uses an old commonly-used-ports list which was compiled before there was a UPnP. If you had right-clicked on cftmon.exe and selected 'properties' then 'version' you'd see 'company name: Microsoft Corporation'. I have never seen this info in a virus or trojan file. There are instances where legitimate programs (with version info) are included in a worm/virus download, such as firedemon, psexec, radmin, etc., but actual trojans in my experience never have the version information. Not that they can't have it, but I've never seen it.

    If I recall correctly, TDS also gives/gave a false positive for the 'black-jack' trojan (1025) based on the same ports list. It used to, anyway.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
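An added example, not from the thread, that turns the checks discussed in #1 and #3 into a repeatable script: ask the OS which process actually owns a flagged port (a port-list match alone proves nothing), then inspect that binary's version info and Authenticode signature, and compute the cluster-rounded "size on disk" so a mismatch with "size" is not mistaken for infection by itself. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Win32_Volume); the file path in the usage line is a placeholder.

```powershell
# Added example; assumes Windows 8+/Server 2012+ cmdlets are available.
function Get-ExpectedSizeOnDisk {
    param([System.IO.FileInfo]$File)
    # "Size on disk" is the length rounded up to the volume's allocation unit,
    # so it normally differs from "Size" (compressed/sparse files excepted).
    $drive = $File.FullName.Substring(0, 2)                      # e.g. "C:"
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'"
    $cluster = if ($vol -and $vol.BlockSize) { [int]$vol.BlockSize } else { 4096 }  # 4096 = NTFS default
    return [math]::Ceiling($File.Length / $cluster) * $cluster
}

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi   = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path            = $file.FullName
        Size            = $file.Length
        ExpectedOnDisk  = Get-ExpectedSizeOnDisk $file
        CompanyName     = $vi.CompanyName        # what the Version tab shows
        FileDescription = $vi.FileDescription
        SignatureStatus = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

function Get-PortOwnerReport {
    param([Parameter(Mandatory)][int]$Port)
    # Resolve the port to its owning process and report on that process's image.
    $conns = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $conns) { Write-Output "Nothing bound to TCP port $Port"; return }
    foreach ($procId in ($conns.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path) {
            Get-SuspectFileReport -Path $proc.Path |
                Add-Member -NotePropertyName PID -NotePropertyValue $procId -PassThru
        } else {
            [pscustomobject]@{ PID = $procId; Path = '(system process or access denied)' }
        }
    }
}

# Usage: the port from the thread, then any file you want to check (placeholder path).
Get-PortOwnerReport -Port 5000
Get-SuspectFileReport -Path 'C:\path\to\suspect.exe'
```

A genuine vendor binary shows SignatureStatus Valid with the vendor's subject in Signer; an unsigned or HashMismatch result on a file that claims a vendor CompanyName is the finding worth investigating, not the size difference.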

  4. #4
    Interesting.. thanks.
