Worm Hobbit - Port 2337 Outlook.exe

Any ideas why Outlook would be using a non-standard port? Wonder if anyone can help.

I have run a GFI LANguard vulnerability scan on my local network.

GFI has detected that my computer has port 2337, which it has associated with a trojan port. I used the netstat -p -ano to pull back a list of ports with their process IDs. Then checked the PID against the task manager PID column, which returned the process as Outlook.exe using port 2337. 

Note, my computer is the only one in the company with port 2337 open. 

This port is associated with worm hobbit. I have run a full system scan on my machine using Sophos and it has detected nothing.

  • Hi,

    I assume that Outlook.exe is not "Listening" on 2337 but is using it as the "client" end of the connection?  This could be as expected.  If you restart Outlook.exe does it use the same port?

    Can you paste here:

    1. The output of:
    netstat -abno > netstat.txt

    2. The IP of your machine

    3. The IP of the Exchange server

    If Outlook is "Listening", you could take a look at the loaded DLLs in Outlook.exe using Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653) and sort by a column in the DLL list such as "verified signer". Ensure that "Options" - "Verify image signatures" is ticked. This could identify something being loaded into Outlook.exe that could be worth double-checking. The "Path" column is also worth enabling.

    Feel free to also paste the output of the bottom section of Process Explorer when Outlook.exe is highlighted.


    Regards,

    Jak 
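
An added example, not part of the original thread or of Jak's reply: a Python sketch that reads `netstat -abno` output of the kind requested above and reports whether a TCP port is a listening socket or only the local client end of an outgoing connection. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -abno` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:2337      192.168.1.5:1025       ESTABLISHED     3120
 [OUTLOOK.EXE]
  UDP    0.0.0.0:500            *:*                                    4
"""

def _port(endpoint):
    """Port of 'addr:port' (IPv4 or bracketed IPv6); None for '*'."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def parse_netstat(text):
    """One dict per socket line; the [image] line printed by -b follows it."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):
            rows.append({"proto": f[0], "local": _port(f[1]), "remote": _port(f[2]),
                         "state": f[3] if len(f) == 5 else "",
                         "pid": int(f[-1]), "image": None})
        elif rows and rows[-1]["image"] is None:
            m = re.fullmatch(r"\s*\[(.+)\]\s*", line)
            if m:
                rows[-1]["image"] = m.group(1)
    return rows

def classify(rows, port):
    """Return (role, image, pid) for every TCP socket that touches `port`."""
    tcp = [r for r in rows if r["proto"] == "TCP"]
    listeners = {r["local"] for r in tcp if r["state"] == "LISTENING"}
    out = []
    for r in tcp:
        if r["local"] == port and r["state"] == "LISTENING":
            role = "listening"              # server socket waiting for connections
        elif r["local"] == port:
            # Same local port as a listener: inbound connection it accepted.
            # Otherwise: local (ephemeral) side of an outgoing connection.
            role = "accepted-by-listener" if port in listeners else "client-end"
        elif r["remote"] == port:
            role = "remote-end"             # the peer's port, not ours
        else:
            continue
        out.append((role, r["image"], r["pid"]))
    return out
```

For a real capture, pass the text of the saved `netstat.txt` to `parse_netstat` and call `classify` with the port the scanner flagged.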
