MiniCommand ?

General Help Questions and Answers

Moderators: L|B, cryoa, Riamus, XMog

MiniCommand ?

Postby MikeMannZ » Sat Dec 06, 2003 9:35 am

Ok, what is this damn thing and how did it get in, and more importantly could it get out past ZAP?

I haven't been able to find out a whole lot about it, in a malicious sense, other than it's bad news and can basically log your every step. If it wasn't for Invision's local port scan I would have never seen it. It picked it up on 1050. I followed another thread here and did a port scan at Sygate (I believe), and it said everything was cool, but I still did a system restore to get rid of it. Could someone please elaborate on this subject and answer some of my questions.

Thanks in Advance
MikeMannZ

Current Ports in Use
123 :: Net Controller
135 :: Normally MS Netbios but could be Chode
137 :: Normally MS Netbios-NS but could be (UDP) - Msinit
138 :: Normally MS Netbios-DGM but could be Chode
139 :: Normally MS Netbios-SSN but could be Chode - God Message worm - Msinit - Netlog - Network - Qaz
1025 :: Remote Storm
1050 :: MiniCommand
6060 :: Invision 2.0 Default DCC Server Port
MikeMannZ
Member
 
Posts: 2
Joined: Sat Dec 06, 2003 9:23 am

Possible

Postby Riamus » Sat Dec 06, 2003 11:51 am

If you are running COBRA Management Agent, that's what is using this port. Or, if you have reverse DCC set to use port 1050, then that is what's using it.

If neither of those is true, you probably do have a trojan. Use a decent virus scan program to search for that trojan.

You can also use various utilities to see what programs are loaded on startup so you can find any trojans that might load automatically in that manner.

Also, scan your computer for these files that are associated with that trojan:
MiniCommandtest.zip
Minicommand.zip - 263,809 bytes
Minicommand1.0.zip
Minicommand1.1.zip
Mini1_2.zip - 356,125 bytes
Minicommand1.3a.zip
Server.exe - 122,368 bytes
Server.exe - 51,782 bytes
Client.exe - 151,040 bytes
Client.exe - 168,448 bytes
Editsrv.exe - 176,128 bytes
Riamus
Global Moderator
 
Posts: 1783
Joined: Fri May 03, 2002 9:01 pm
Location: Massachusetts, USA
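As an added example (not code from the poster or this forum) of the check Riamus describes, the following Python script pairs `netstat -ano` style output with a PID-to-image map and reports, for each port from the thread's list, which process actually owns it and whether that owner is one you would expect. The sample netstat output, the PID map and the expected image names are constructed/assumed, so adjust them to what `netstat -ano` and `tasklist` print on the machine being checked.

```python
# Constructed sample of Windows `netstat -ano` output (not captured from the poster's PC).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1332
  TCP    0.0.0.0:1050           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:6060      0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.10:1054      64.12.24.1:6667        ESTABLISHED     1588
  UDP    0.0.0.0:123            *:*                                    1104
"""

# Constructed PID -> image name map, as `tasklist` would provide it.
TASKLIST_SAMPLE = {812: "svchost.exe", 1332: "svchost.exe", 2044: "unknown.exe",
                   1588: "invision.exe", 1104: "svchost.exe"}

# Ports from the thread with the scanner's label and the image names we would
# accept as the legitimate owner (assumed names; extend for COBRA / reverse DCC).
PORT_NOTES = {
    123:  ("Net Controller",  {"svchost.exe"}),    # Windows time service
    135:  ("Chode",           {"svchost.exe"}),    # RPC endpoint mapper
    1025: ("Remote Storm",    {"svchost.exe"}),    # RPC dynamic port on XP
    1050: ("MiniCommand",     {"cobra.exe"}),      # assumed COBRA agent image name
    6060: ("Invision 2.0 DCC", {"invision.exe"}),
}


def parse_netstat(text):
    """Return {(proto, port): pid} for listening TCP sockets and bound UDP sockets."""
    sockets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                      # header, blank or non-socket line
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])  # works for IPv4 and [::]-style IPv6
        if proto == "TCP" and "LISTENING" not in fields:
            continue                      # outbound/established connections are not open ports
        sockets[(proto, port)] = int(fields[-1])
    return sockets


def audit(netstat_text, tasklist, notes):
    """Map every open port to its owning image and flag unexpected owners."""
    findings = []
    for (proto, port), pid in sorted(parse_netstat(netstat_text).items()):
        image = tasklist.get(pid, "?")
        label, expected = notes.get(port, ("unlisted", set()))
        verdict = "expected" if image.lower() in expected else "investigate"
        findings.append((proto, port, pid, image, label, verdict))
    return findings


if __name__ == "__main__":
    for row in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE, PORT_NOTES):
        print("%s %5d  pid %-5d %-14s %-17s %s" % row)
```

Ports owned by svchost.exe on XP are the normal NT services Riamus mentions; a listed port held by an image you cannot account for is the one to run the scanner against.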

Postby p3tr0ck » Sat Dec 06, 2003 1:15 pm

Wow... all those ports showed up as in use... when my Invision runs it only shows my DCC server port as in use... interesting...
p3tr0ck
Member
 
Posts: 5
Joined: Wed Jan 22, 2003 8:58 pm

WinXP

Postby Riamus » Sat Dec 06, 2003 2:09 pm

He is most likely running Windows XP (or perhaps 2000 or another NT version) and you are probably running Win98, WinME, or Win95.

NT uses various ports that 9x systems do not.
Riamus
Global Moderator
 
Posts: 1783
Joined: Fri May 03, 2002 9:01 pm
Location: Massachusetts, USA

Postby MikeMannZ » Sat Dec 06, 2003 2:58 pm

Thanks for the response Riamus! I'm not using COBRA, and I'm not quite sure about the reverse DCC. I do have my DCC ports configured to match my router, but 1050 is not in the range.

I am running Windows XP with a Linksys router, Norton Antivirus 2004, and Zone Alarm Pro. My virus definitions are always up to date, and nothing has server rights except Invision (for an fserve) and BulletProof (FTP server, that's never left on).

I'd really like to know what happened and how MiniCommand got on my system. I jumped the gun last night and did a PowerQuest image restore, and bamm.... MiniCommand gone. Could you tell me, from the list of local ports, whether there is anything else in that list to worry about? What about Remote Storm? Also, if MiniCommand was on my system, wouldn't ZAP (firewall) have caught it trying to access the net?

Thanks Again
MikeMannZ
MikeMannZ
Member
 
Posts: 2
Joined: Sat Dec 06, 2003 9:23 am

Ports

Postby Riamus » Sat Dec 06, 2003 8:01 pm

Just because you have an open port would not necessarily trigger a firewall response. Also, it could be that the port was being used by a program you have given total internet access to in your firewall. It could have been attached to something like mIRC or Internet Explorer, so it wouldn't trigger the firewall if those programs have complete access.

As for Remote Storm... I had that myself coming up until I reinstalled XP. I ran many different trojan/virus/spyware scanners and never found any problems. I believe it is part of a program that I had installed. Considering I used to have Norton Antivirus installed and then deleted it (though it still ran from some DLL that I couldn't remove) and the fact that you also have Norton, it *may* be Norton that uses that port. That's a complete guess, but I know I didn't have a trojan... you probably don't either.

As for all the others, those are XP ports. Nothing to worry about.
Riamus
Global Moderator
 
Posts: 1783
Joined: Fri May 03, 2002 9:01 pm
Location: Massachusetts, USA

