explorer.exe opens udp port

Status
Not open for further replies.

nikky

Programmer
Feb 7, 2002
80
US
I know something is not right when the service "explorer" shows up in an fport listing running c:\winnt\explorer.exe on a UDP port. Has anyone any idea what backdoor / remote control program might have been installed on this Windows 2000 PC? Explorer.exe itself looks to be uninfected.
 
You might want to check the machine for another copy of explorer.exe -- a clever trojan would take advantage of the fact that the PATH environmental variable is searched to find that program (unless you patched your registry to point explicitly at c:\winnt\).

Chip H.
 
I have looked, and they all seem to be the same - only 2 copies, exactly identical - one in winnt and the other in service packs.

Since then I have read that Windows Critical Update Notification opens up explorer.exe using a UDP port - perhaps this is the explanation.
 
Explorer is a great place to hide a trojan! Check the file sizes for each one. Are they the same?
Don't look at the timestamps as those can be faked.

You can also compare the MD5 Checksum from a known-good copy of explorer (one from a different machine) to verify file integrity.

I'll see your DMCA and raise you a First Amendment.
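
Added example, not part of the original thread: a Python sketch of the two checks discussed above, listing every copy of a program found along a PATH-style search path and comparing each copy's MD5 to a known-good value. The function names, the directory names "planted" and "winnt" in the demo, and the sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def find_copies(name, search_path):
    """Return every file called `name` along a PATH-style string, in search order."""
    hits, seen = [], set()
    for d in search_path.split(os.pathsep):
        d = d.strip('"')
        if not d:
            continue
        candidate = os.path.join(d, name)
        key = os.path.normcase(os.path.abspath(candidate))
        if key not in seen and os.path.isfile(candidate):
            seen.add(key)
            hits.append(candidate)
    return hits

def file_digest(path, algo="md5"):
    """Hash the file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(name, search_path, known_good, algo="md5"):
    """Return (path, digest, matches_known_good) for each copy on the search path."""
    return [(p, d, d == known_good.lower())
            for p in find_copies(name, search_path)
            for d in [file_digest(p, algo)]]

def demo():
    good = b"MZ" + b"\x00" * 64     # constructed stand-in for the known-good file
    planted = b"MZ" + b"\x01" * 64  # constructed: same size, different bytes
    with tempfile.TemporaryDirectory() as root:
        dirs = []
        for sub, data in (("planted", planted), ("winnt", good)):
            d = os.path.join(root, sub)
            os.mkdir(d)
            with open(os.path.join(d, "explorer.exe"), "wb") as f:
                f.write(data)
            dirs.append(d)
        known = hashlib.md5(good).hexdigest()  # in practice: taken from a trusted machine
        return [(os.path.basename(os.path.dirname(p)), ok)
                for p, _, ok in audit("explorer.exe", os.pathsep.join(dirs), known)]

if __name__ == "__main__":
    print(demo())
```

On a real machine, call audit("explorer.exe", os.environ["PATH"], known_good_md5) with the hash taken from a trusted copy; a copy that appears earlier in the search order than the expected directory, or any mismatch, is what to investigate.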
 