4.4K Posts

April 9th, 2004 05:00

I noticed that an incoming TCP packet had been intercepted. The local port being targeted was 27374 [Sub-7 (trojan)].
[...]
I've tried doing some research on the trojan in question, but haven't been able to discover whether or not my machine is infected, or is Sub-7 simply a name always associated with that particular port?


Since the packet was intercepted by your firewall, your machine was not infected. That port's most commonly associated with Sub-7. Whether the firewall positively identified the traffic depends on whether it examined the contents of the incoming packet to see if they matched the data that's delivered by that trojan, or based the conclusion on the destination port. What's important is that it stopped the traffic.

Jim

15 Posts

April 9th, 2004 16:00

Thanks Jim.

I was just concerned since the designation of "Sub-7 (trojan)" was assigned to a local port. I thought it could mean that the trojan was already on the machine, and what the firewall had intercepted was a packet trying to "wake" the trojan. But if "Sub-7" is just a common designation for that port then that makes me feel much better (it would be nice if an additional descriptive were added to the designation, like "Sub-7 (trojan - but don't worry about it)" :-)

4.4K Posts

April 9th, 2004 21:00

I thought it could mean that the trojan was already on the machine, and what the firewall had intercepted was a packet trying to "wake" the trojan.

The intercepted packet was indeed directed to the trojan's default "listener" port. But the fact that another machine's looking for Sub7 "listeners" doesn't imply that there's a "listener" on your machine. Entire networks can be scanned looking for "listeners". Your machine just happened to be in a range of IP addresses that was being scanned.

Your machine isn't one of the "listeners". Virus definitions detecting Sub7 have been available since 2000. So you were protected in depth: First by your firewall, and second by having current anti-virus software installed and running.

Jim
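
Added example, not part of the thread: an alert naming local port 27374 only shows that a packet was aimed at that port, and whether anything is actually listening there can be read from `netstat -an` output. The netstat sample below is constructed, and the function names are illustrative.

```python
import re

SUB7_PORT = 27374  # the port named in the firewall alert discussed above

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:27374      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:27374          *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_port(endpoint):
    """Return the port of 'addr:port' or '[v6]:port' as an int, None for '*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def tcp_listeners(netstat_text, port):
    """Return local endpoints in LISTENING state on the given TCP port."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, or blank line
        proto, local, _foreign, state = m.groups()
        # Only a local TCP socket in LISTENING state counts as a listener.
        # A remote port of 27374 or a UDP socket on that number does not.
        if proto == "TCP" and state == "LISTENING" and split_port(local) == port:
            hits.append(local)
    return hits


if __name__ == "__main__":
    found = tcp_listeners(SAMPLE_NETSTAT, SUB7_PORT)
    print("listeners on %d: %s" % (SUB7_PORT, found or "none"))
```
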

15 Posts

April 9th, 2004 23:00

Your machine isn't one of the "listeners".

Thanks once again. That's what I hoped to hear.

Now I'll check out some of those links in your sig and educate myself a little about computer safety :)
