[RESOLVED] Sokets de Trois
GirlGeek
December 21st, 2000, 10:53 AM
I'm working with a friend that has been infected with Sokets de Trois v1. It's sitting on ports 5000 and 5001 according to the scan she has done online via symantec.com
This is all being done long distance and I can't get to the computer. I'm trying to locate information on the trojan but all web searches are coming up empty. Does anyone have any experience with this particular trojan?
Any help would be appreciated, thanks!
The operating system is Windows 98.
------------------
Now...if I could only defrag my brain...
furlong47
December 21st, 2000, 02:20 PM
There is a program called The Cleaner available here: http://www.moosoft.com/index.php which detects and removes trojans, including 8 versions of Soket de Trois.
------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981
Amateur Radio Callsign KB3FHH
GirlGeek
December 21st, 2000, 04:34 PM
Originally posted by furlong47:
> There is a program called The Cleaner available here: http://www.moosoft.com/index.php which detects and removes trojans including 8 versions of Soket de Trois
Thanks Furlong, she ran The Cleaner and it came up clean, as well as a couple of other programs (Tauscan, etc.). Norton detected Soket de Trois and after that it became very evident the system was hacked. The mouse was moving about on its own, volume jacking up and down, windows opening, etc. When she would go to an internet site regarding security her browser would redirect her to a different page so she couldn't read the articles.
I still can't find any details about this trojan. I'm thinking "he" (being the hacker) has altered enough files to skip detection. He also took down her Nuke Nabber and ICQ. Driving me crazy because I can't crawl through her registry personally to see what's there and I can't find any articles about the trojan.
I really appreciate your help so far though, thanks!
------------------
Now...if I could only defrag my brain...
weazel
December 24th, 2000, 05:30 AM
Have her open msconfig and check the startup listing for anything weird running on boot, for example " .exe" or something. If there is, uncheck it and reboot the system. Then you need to delete the server part of the trojan. To do this, browse your Windows/System directory and list files by size. Scroll until you find files that are 122k to 124k in size, look for a file of the oddity " .exe" or similar, and delete it.
You can try downloading BODetect, which is usually pretty good at getting rid of trojans, but there are so many there's no guarantees I guess.
Personally, I'd dump Nuke Nabber since all it does is open a bunch of ports and "listens"...pretty much makes you look like a big server on the net. Have your friend download ZoneAlarm 2.1; it's free from Zone Labs for home use and is very easy to set up. Plus it will give you the IP address of the "hacker", for lack of a better term, plus his/her ISP information, which can be used against them nowadays; at least you'll have somebody to report them to. Of course you'd have to install ZoneAlarm before you got rid of the trojan. Anyway, hope something here is helpful.
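The triage weazel describes (list the Windows/System directory by size, then look for an oddly named file such as " .exe" in the 122k to 124k band) can be done in a few lines instead of by scrolling. This is an added example, not code from the thread; it assumes "k" means kibibytes and builds a constructed sample directory so it runs anywhere. It generalises the check slightly by reporting every file that matches either heuristic, with the reason attached, so a reviewer can judge each hit.

```python
import os
import re
import tempfile
from pathlib import Path

# Size band quoted in the thread, assumed to be kibibytes (hypothetical bounds).
SIZE_MIN = 122 * 1024
SIZE_MAX = 124 * 1024

# A stem that is empty or whitespace-only (e.g. " .exe") is an odd name for a program file.
_ODD_STEM = re.compile(r"^\s*$")


def is_odd_name(name: str) -> bool:
    """True for .exe files whose basename is only whitespace, like ' .exe'."""
    stem, ext = os.path.splitext(name)
    return ext.lower() == ".exe" and bool(_ODD_STEM.match(stem))


def in_size_band(size: int, lo: int = SIZE_MIN, hi: int = SIZE_MAX) -> bool:
    return lo <= size <= hi


def triage_directory(directory, lo: int = SIZE_MIN, hi: int = SIZE_MAX):
    """Return (name, size, reasons) for every regular file that trips at least one heuristic."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        size = entry.stat().st_size
        reasons = []
        if in_size_band(size, lo, hi):
            reasons.append("size-band")
        if is_odd_name(entry.name):
            reasons.append("odd-name")
        if reasons:
            findings.append((entry.name, size, reasons))
    return findings


def build_sample_dir() -> str:
    """Constructed sample directory; file names and sizes are invented for the demo."""
    d = tempfile.mkdtemp(prefix="triage_")
    samples = {"kernel32.dll": 400_000, " .exe": 123 * 1024,
               "notepad.exe": 50_000, "winsock.dll": 125_000}
    for name, size in samples.items():
        Path(d, name).write_bytes(b"\0" * size)
    return d


if __name__ == "__main__":
    for name, size, reasons in triage_directory(build_sample_dir()):
        print(f"{name!r:16} {size:>8}  {', '.join(reasons)}")
```

Point `triage_directory` at the real system directory and treat "size-band" hits as candidates to verify (publisher, timestamps), not as proof; the "odd-name" hit is the one worth looking at first.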
furlong47
December 24th, 2000, 03:44 PM
http://www.commodon.com/threat/threat-st.htm
Here's some info I found, including the registry entries it makes and the name of the server portion.
Seems as though searching for the spelling "Socket de Troie" in Google brings up a lot of results...unfortunately most of them are in French.
------------------
"640 K ought to be enough for anybody."
--Bill Gates, 1981
Amateur Radio Callsign KB3FHH
GirlGeek
December 25th, 2000, 06:22 PM
Thanks guys! I'm just getting back from Christmas vacation and I really appreciate your help.
Merry Christmas everyone!
------------------
Now...if I could only defrag my brain...
GirlGeek
December 27th, 2000, 06:14 PM
Interesting followup to the infection:
She reformatted using (gag) proprietary software and guess what? It survived. Darn thing is like a rat in a sewer. She has no clue how to do a DOS reformat, so I guess I'm on the ol' "mail her a boot disk and explicit directions" program.
http://cwm.ragesofsanity.com/s/cwm/killtard.gif
------------------
Now...if I could only defrag my brain...
Damned Angel
December 27th, 2000, 11:22 PM
Make sure you include DOS CD-ROM drivers for your friend, even make it auto-load the drivers for her; it just may save you another phone call....."HELPPPPPP....NOW MY D DRIVE DOESN'T WORK!!!!"
------------------
She may have only been a prostitute, but she had the prettiest face I ever came across