Remote Access Trojan FAQ

Port 5000 is open on my system. I have found web sites indicating that this port is used by the "Sockets De Troie" trojan. Is my system compromised by a trojan?

The "Universal Plug and Play" service on Windows Millennium Edition and Windows XP uses UDP port 1900 and TCP port 5000. If you are running either of these Windows versions, there is a very good chance that the Universal Plug and Play service is what is holding these ports open.

To verify that Universal Plug and Play is what is holding ports 1900 and 5000 open, follow these steps if you are using Windows XP:

  1. Go to Start->Settings->Control Panel->Administrative Tools->Services.
  2. Find the service named "SSDP Discovery Service", right-click it and select Stop.

After the SSDP Discovery Service has been stopped, ports 5000/TCP and 1900/UDP should no longer be open on your system. If you want to permanently close these ports you should right-click the SSDP Discovery Service, select Properties and set the "Startup Type" of the service to Disabled.

If the SSDP Discovery Service was not running then something else, possibly a trojan, was holding port 5000/TCP open.

My firewall tells me that it has blocked access to a port used by a trojan. Is my system compromised by a trojan?

No. The alert you are getting simply means that your firewall has blocked an attempt from an external host to access a port on your computer that is commonly used by a trojan. Even if the port is indeed open on your system, the message indicates that your firewall has blocked the attempt to access it. To check whether or not the port in question is indeed open on your system go to Start->Run... and type Command<Enter>. In the Command Prompt that appears, type netstat -an. If the port in question is listed as "Listening" there is a possibility that it is in use by a trojan server (though your firewall, if properly configured, should have blocked any attempt to access it) and you should scan your computer for trojans.
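An added example (not part of the original FAQ): a small Python parser for `netstat -an` output that separates ports that are actually open from ports that merely appear in a connection row. The sample output is constructed, and the function names and addresses are assumptions made for illustration.

```python
# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:5000      192.168.1.1:2869       TIME_WAIT
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.10:123       *:*
"""

def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, column header and blank lines
        proto, local = fields[0], fields[1]
        # rpartition keeps this working for bracketed IPv6 addresses like [::]:135
        ip, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # UDP is connectionless, so netstat prints no State column for it.
        state = fields[3] if proto == "TCP" and len(fields) > 3 else ""
        rows.append((proto, ip, int(port), state))
    return rows

def open_ports(text):
    """Set of (proto, port) pairs that accept traffic:
    TCP rows in the LISTENING state, plus every bound UDP port."""
    return {(proto, port) for proto, _, port, state in parse_netstat(text)
            if proto == "UDP" or state == "LISTENING"}

def is_open(text, proto, port):
    """True if proto/port is open according to the netstat output in `text`."""
    return (proto.upper(), port) in open_ports(text)

if __name__ == "__main__":
    # The two ports the FAQ associates with Universal Plug and Play.
    for proto, port in (("TCP", 5000), ("UDP", 1900)):
        print(f"{port}/{proto}:", "open" if is_open(SAMPLE, proto, port) else "closed")
```

A local port that shows up only in an ESTABLISHED or TIME_WAIT row, such as 1044 in the sample, is the client end of a connection and is not reported as open.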

I have port X listening on my system, and I'd like to know which application is holding it open.

There is a free trial of TCPView Pro available at Winternals. This program will list open ports on your system along with the application that is holding each port open. (Note: We are not affiliated with Winternals in any way and cannot vouch for the functionality or effectiveness of TCPView Pro.)